From 5256b021f3f41396763cb4a93653460a396f393e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lutz=20J=C3=A4nicke?= Date: Fri, 4 Jan 2002 15:05:51 +0000 Subject: Tsss, SSLeay_version() was already documented, it just was not linked in. --- doc/crypto/OPENSSL_VERSION_NUMBER.pod | 4 +-- doc/crypto/SSLeay_version.pod | 65 ----------------------------------- doc/crypto/crypto.pod | 2 +- 3 files changed, 3 insertions(+), 68 deletions(-) delete mode 100644 doc/crypto/SSLeay_version.pod (limited to 'doc') diff --git a/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/doc/crypto/OPENSSL_VERSION_NUMBER.pod index 68ea723259..6ee8ad634f 100644 --- a/doc/crypto/OPENSSL_VERSION_NUMBER.pod +++ b/doc/crypto/OPENSSL_VERSION_NUMBER.pod @@ -2,7 +2,7 @@ =head1 NAME -OPENSSL_VERSION_NUMBER, SSLeay SSLeay_version - get OpenSSL version number +OPENSSL_VERSION_NUMBER, SSLeay, SSLeay_version - get OpenSSL version number =head1 SYNOPSIS @@ -11,7 +11,7 @@ OPENSSL_VERSION_NUMBER, SSLeay SSLeay_version - get OpenSSL version number #include long SSLeay(void); - char *SSLeay_version(int t); + const char *SSLeay_version(int t); =head1 DESCRIPTION diff --git a/doc/crypto/SSLeay_version.pod b/doc/crypto/SSLeay_version.pod deleted file mode 100644 index 6fa5aa109a..0000000000 --- a/doc/crypto/SSLeay_version.pod +++ /dev/null @@ -1,65 +0,0 @@ -=pod - -=head1 NAME - -SSLeay_version - retrieve version/build information about OpenSSL library - -=head1 SYNOPSIS - - #include - - const char *SSLeay_version(int type); - -=head1 DESCRIPTION - -SSLeay_version() returns a pointer to a constant string describing the -version of the OpenSSL library or giving information about the library -build. - -The following B values are supported: - -=over 4 - -=item SSLEAY_VERSION - -The version of the OpenSSL library including the release date. - -=item SSLEAY_CFLAGS - -The compiler flags set for the compilation process in the form -"compiler: ..." if available or "compiler: information not available" -otherwise. - -=item SSLEAY_BUILT_ON - -The date of the build process in the form "built on: ..." if available -or "built on: date not available" otherwise. - -=item SSLEAY_PLATFORM - -The "Configure" target of the library build in the form "platform: ..." -if available or "platform: information not available" otherwise. - -=back - -=head1 RETURN VALUES - -The following return values can occur: - -=over 4 - -=item "not available" - -An invalid value for B was given. - -=item Pointer to constant string - -Textual description. - -=back - -=head1 SEE ALSO - -L - -=cut diff --git a/doc/crypto/crypto.pod b/doc/crypto/crypto.pod index 0256d226cc..c12eec1409 100644 --- a/doc/crypto/crypto.pod +++ b/doc/crypto/crypto.pod @@ -47,7 +47,7 @@ L =item AUXILIARY FUNCTIONS L, L, L, -L +L =item INPUT/OUTPUT, DATA ENCODING -- cgit v1.2.3 From dc4ddcd2bb8c20f711b1aad9a79cbcaf6d53cccd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Fri, 4 Jan 2002 15:17:09 +0000 Subject: add documentation for SSLeay_version(SSLEAY_DIR) and 'openssl version -d' use some descriptions from Lutz' redundant manual page instead of the previous ones --- doc/apps/version.pod | 8 ++++ doc/crypto/OPENSSL_VERSION_NUMBER.pod | 25 ++++++++---- doc/crypto/SSLeay_version.pod | 74 +++++++++++++++++++++++++++++++++++ 3 files changed, 100 insertions(+), 7 deletions(-) create mode 100644 doc/crypto/SSLeay_version.pod (limited to 'doc') diff --git a/doc/apps/version.pod b/doc/apps/version.pod index 5d261a6405..e00324c446 100644 --- a/doc/apps/version.pod +++ b/doc/apps/version.pod @@ -46,6 +46,10 @@ compilation flags. platform setting. +=item B<-d> + +OPENSSLDIR setting. + =back =head1 NOTES @@ -53,4 +57,8 @@ platform setting. The output of B would typically be used when sending in a bug report. +=head1 HISTORY + +The B<-d> option was added in OpenSSL 0.9.7. + =cut diff --git a/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/doc/crypto/OPENSSL_VERSION_NUMBER.pod index 6ee8ad634f..7a468003e9 100644 --- a/doc/crypto/OPENSSL_VERSION_NUMBER.pod +++ b/doc/crypto/OPENSSL_VERSION_NUMBER.pod @@ -55,22 +55,32 @@ SSLeay_version() returns different strings depending on B: =over 4 =item SSLEAY_VERSION + The text variant of the version number and the release date. For example, "OpenSSL 0.9.5a 1 Apr 2000". =item SSLEAY_CFLAGS -The flags given to the C compiler when compiling OpenSSL are returned in a -string. + +The compiler flags set for the compilation process in the form +"compiler: ..." if available or "compiler: information not available" +otherwise. + +=item SSLEAY_BUILT_ON + +The date of the build process in the form "built on: ..." if available +or "built on: date not available" otherwise. =item SSLEAY_PLATFORM -The platform name used when OpenSSL was configured is returned. -=back +The "Configure" target of the library build in the form "platform: ..." +if available or "platform: information not available" otherwise. + +=item SSLEAY_DIR -If the data request isn't available, a text saying that the information is -not available is returned. +The "OPENSSLDIR" setting of the library build in the form "OPENSSLDIR: "..."" +if available or "OPENSSLDIR: N/A" otherwise. -For an unknown B, the text "not available" is returned. +=back =head1 RETURN VALUE @@ -84,5 +94,6 @@ L SSLeay() and SSLEAY_VERSION_NUMBER are available in all versions of SSLeay and OpenSSL. OPENSSL_VERSION_NUMBER is available in all versions of OpenSSL. +B was added in OpenSSL 0.9.7. =cut diff --git a/doc/crypto/SSLeay_version.pod b/doc/crypto/SSLeay_version.pod new file mode 100644 index 0000000000..1500c2af91 --- /dev/null +++ b/doc/crypto/SSLeay_version.pod @@ -0,0 +1,74 @@ +=pod + +=head1 NAME + +SSLeay_version - retrieve version/build information about OpenSSL library + +=head1 SYNOPSIS + + #include + + const char *SSLeay_version(int type); + +=head1 DESCRIPTION + +SSLeay_version() returns a pointer to a constant string describing the +version of the OpenSSL library or giving information about the library +build. + +The following B values are supported: + +=over 4 + +=item SSLEAY_VERSION + +The version of the OpenSSL library including the release date. + +=item SSLEAY_CFLAGS + +The compiler flags set for the compilation process in the form +"compiler: ..." if available or "compiler: information not available" +otherwise. + +=item SSLEAY_BUILT_ON + +The date of the build process in the form "built on: ..." if available +or "built on: date not available" otherwise. + +=item SSLEAY_PLATFORM + +The "Configure" target of the library build in the form "platform: ..." +if available or "platform: information not available" otherwise. + +=item SSLEAY_DIR + +The "OPENSSLDIR" setting of the library build in the form "OPENSSLDIR: "..."" +if available or "OPENSSLDIR: N/A" otherwise. + +=back + +=head1 RETURN VALUES + +The following return values can occur: + +=over 4 + +=item "not available" + +An invalid value for B was given. + +=item Pointer to constant string + +Textual description. + +=back + +=head1 SEE ALSO + +L + +=head1 HISTORY + +B was added in OpenSSL 0.9.7. + +=cut -- cgit v1.2.3 From 31cafe53c928e02d6351dc9a827e95bccd9b807d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Fri, 4 Jan 2002 15:22:40 +0000 Subject: add a sentence previously deleted by accident --- doc/crypto/OPENSSL_VERSION_NUMBER.pod | 2 ++ 1 file changed, 2 insertions(+) (limited to 'doc') diff --git a/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/doc/crypto/OPENSSL_VERSION_NUMBER.pod index 7a468003e9..c39ac35e78 100644 --- a/doc/crypto/OPENSSL_VERSION_NUMBER.pod +++ b/doc/crypto/OPENSSL_VERSION_NUMBER.pod @@ -82,6 +82,8 @@ if available or "OPENSSLDIR: N/A" otherwise. =back +For an unknown B, the text "not available" is returned. + =head1 RETURN VALUE The version number. -- cgit v1.2.3 From 6ce46d69f5d940b07e8f4f191121546c3f33ada6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lutz=20J=C3=A4nicke?= Date: Mon, 21 Jan 2002 18:01:46 +0000 Subject: Typos (jsyn ). --- doc/crypto/blowfish.pod | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/crypto/blowfish.pod b/doc/crypto/blowfish.pod index 65b8be388c..ed71334f56 100644 --- a/doc/crypto/blowfish.pod +++ b/doc/crypto/blowfish.pod @@ -27,7 +27,7 @@ BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options - Blowfish encryption =head1 DESCRIPTION -This library implements the Blowfish cipher, which is invented and described +This library implements the Blowfish cipher, which was invented and described by Counterpane (see http://www.counterpane.com/blowfish.html ). Blowfish is a block cipher that operates on 64 bit (8 byte) blocks of data. @@ -57,7 +57,7 @@ for the same message. B may be initialized with anything, but the recipient needs to know what it was initialized with, or it won't be able to decrypt. Some programs and protocols simplify this, like SSH, where B is simply initialized to zero. -BF_cbc_encrypt() operates of data that is a multiple of 8 bytes long, while +BF_cbc_encrypt() operates on data that is a multiple of 8 bytes long, while BF_cfb64_encrypt() and BF_ofb64_encrypt() are used to encrypt an variable number of bytes (the amount does not have to be an exact multiple of 8). The purpose of the latter two is to simulate stream ciphers, and therefore, they -- cgit v1.2.3 From a14e2d9dfe0bc17800a5ab6b0439a3db50702586 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bodo=20M=C3=B6ller?= Date: Thu, 24 Jan 2002 16:16:43 +0000 Subject: New functions ERR_peek_last_error ERR_peek_last_error_line ERR_peek_last_error_line_data (supersedes ERR_peek_top_error). Rename OPENSSL_NO_OLD_DES_SUPPORT into OPENSSL_DISABLE_OLD_DES_SUPPORT because OPENSSL_NO_... indicates disabled algorithms (according to mkdef.pl). --- doc/crypto/ERR_get_error.pod | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) (limited to 'doc') diff --git a/doc/crypto/ERR_get_error.pod b/doc/crypto/ERR_get_error.pod index 3551bacb8d..9fdedbcb91 100644 --- a/doc/crypto/ERR_get_error.pod +++ b/doc/crypto/ERR_get_error.pod @@ -2,8 +2,10 @@ =head1 NAME -ERR_get_error, ERR_peek_error, ERR_get_error_line, ERR_peek_error_line, -ERR_get_error_line_data, ERR_peek_error_line_data - obtain error code and data +ERR_get_error, ERR_peek_error, ERR_peek_last_error, +ERR_get_error_line, ERR_peek_error_line, ERR_peek_last_error_line, +ERR_get_error_line_data, ERR_peek_error_line_data, +ERR_peek_error_line_data - obtain error code and data =head1 SYNOPSIS @@ -11,22 +13,29 @@ ERR_get_error_line_data, ERR_peek_error_line_data - obtain error code and data unsigned long ERR_get_error(void); unsigned long ERR_peek_error(void); + unsigned long ERR_peek_last_error(void); unsigned long ERR_get_error_line(const char **file, int *line); unsigned long ERR_peek_error_line(const char **file, int *line); + unsigned long ERR_peek_last_error_line(const char **file, int *line); unsigned long ERR_get_error_line_data(const char **file, int *line, const char **data, int *flags); unsigned long ERR_peek_error_line_data(const char **file, int *line, const char **data, int *flags); + unsigned long ERR_peek_last_error_line_data(const char **file, int *line, + const char **data, int *flags); =head1 DESCRIPTION -ERR_get_error() returns the last error code from the thread's error +ERR_get_error() returns the earliest error code from the thread's error queue and removes the entry. This function can be called repeatedly until there are no more error codes to return. -ERR_peek_error() returns the last error code from the thread's +ERR_peek_error() returns the earliest error code from the thread's +error queue without modifying it. + +ERR_peek_last_error() returns the latest error code from the thread's error queue without modifying it. See L for obtaining information about @@ -34,12 +43,14 @@ location and reason of the error, and L for human-readable error messages. -ERR_get_error_line() and ERR_peek_error_line() are the same as the -above, but they additionally store the file name and line number where +ERR_get_error_line(), ERR_peek_error_line() and +ERR_peek_last_error_line() are the same as the above, but they +additionally store the file name and line number where the error occurred in *B and *B, unless these are B. -ERR_get_error_line_data() and ERR_peek_error_line_data() store -additional data and flags associated with the error code in *B +ERR_get_error_line_data(), ERR_peek_error_line_data() and +ERR_get_last_error_line_data() store additional data and flags +associated with the error code in *B and *B, unless these are B. *B contains a string if *B&B. If it has been allocated by OPENSSL_malloc(), *B&B is true. @@ -59,5 +70,7 @@ ERR_get_error(), ERR_peek_error(), ERR_get_error_line() and ERR_peek_error_line() are available in all versions of SSLeay and OpenSSL. ERR_get_error_line_data() and ERR_peek_error_line_data() were added in SSLeay 0.9.0. +ERR_peek_last_error(), ERR_peek_last_error_line() and +ERR_peek_last_error_line_data() were added in OpenSSL 0.9.7. =cut -- cgit v1.2.3 From f0d6ee6be8b2faac9fa37be0086fafbc001307f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lutz=20J=C3=A4nicke?= Date: Fri, 15 Feb 2002 07:41:42 +0000 Subject: Even though it is not really practical people should know about it. --- doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 1 + doc/ssl/SSL_CTX_set_client_cert_cb.pod | 90 ++++++++++++++++++++++++++++++++ doc/ssl/SSL_CTX_use_certificate.pod | 1 + doc/ssl/SSL_clear.pod | 3 +- doc/ssl/SSL_get_client_CA_list.pod | 3 +- doc/ssl/ssl.pod | 1 + 6 files changed, 97 insertions(+), 2 deletions(-) create mode 100644 doc/ssl/SSL_CTX_set_client_cert_cb.pod (limited to 'doc') diff --git a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod index 21a9db0e2a..ee28f5ccc3 100644 --- a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod +++ b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod @@ -33,6 +33,7 @@ error stack to find out the reason for failure otherwise. L, L, +L, L =cut diff --git a/doc/ssl/SSL_CTX_set_client_cert_cb.pod b/doc/ssl/SSL_CTX_set_client_cert_cb.pod new file mode 100644 index 0000000000..53e1827713 --- /dev/null +++ b/doc/ssl/SSL_CTX_set_client_cert_cb.pod @@ -0,0 +1,90 @@ +=pod + +=head1 NAME + +SSL_CTX_set_client_cert_cb, SSL_CTX_get_client_cert_cb - handle client certificate callback function + +=head1 SYNOPSIS + + #include + + void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)); + int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey); + int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey); + +=head1 DESCRIPTION + +SSL_CTX_set_client_cert_cb() sets the B callback, that is +called when a client certificate is requested by a server. +When B is NULL, not callback function is used. + +SSL_CTX_get_client_cert_cb() returns a pointer to the currently set callback +function. + +client_cert_cb() is the application defined callback. If it wants to +set a certificate, a certificate/private key combination must be set +using the B and B arguments and "1" must be returned. The +certificate will be installed into B, see the NOTES and BUGS sections. +If no certificate should be set, "0" has to be returned and the default +certificate will be sent. A fatal error can be indicated by returning +a negative value, in which case the handshake will be canceled. + +=head1 NOTES + +During a handshake (or renegotiation) a server may request a certificate +from the client. A client certificate must only be sent, when the server +did send the request. + +When no callback function is set, an OpenSSL client will send the certificate +that was set using the +L family of functions. +The TLS standard requires that only a certificate is sent, if it matches +the list of acceptable CAs sent by the server. This constraint is +violated by the default behavior of the OpenSSL library. Using the +callback function it is possible to implement a proper selection routine +or to allow a user interaction to choose the certificate to be sent. +The callback function can obtain the list of acceptable CAs using the +L function. + +If a callback function is defined, the callback function will be called. +If the callback function returns a certificate, the OpenSSL library +will try to load the private key and certificate data into the SSL +object using SSL_use_certificate() and SSL_use_private_key() functions. +Thus it will permanently override the certificate and key previously +installed and will not be reset by calling L. +If the callback returns no certificate, the OpenSSL library will send +the certificate previously installed for the SSL_CTX object or the specific +certificate of the SSL object, if available. + +=head1 BUGS + +The client_cert_cb() cannot return a complete certificate chain, it can +only return one client certificate. If the chain only has a length of 2, +the root CA certificate may be omitted according to the TLS standard and +thus a standard conforming answer can be sent to the server. For a +longer chain, the client must send the complete chain (with the option +to leave out the root CA certificate). This can only be accomplished by +either adding the intermediate CA certificates into the trusted +certificate store for the SSL_CTX object (resulting in having to add +CA certificates that otherwise maybe would not be trusted), or by adding +the chain certificates using the +L +function, which is only available for the SSL_CTX object as a whole and that +therefore probably can only apply for one client certificate, making +the concept of the callback function (to allow the choice from several +certificates) questionable. + +Once the SSL object has been used in conjunction with the callback function, +the certificate will be set for the SSL object and will not be cleared +even when L is being called. It is therefore +mandatory to destroy the SSL object using L +and create a new one to return to the previous state. + +=head1 SEE ALSO + +L, L, +L, +L, +L, L + +=cut diff --git a/doc/ssl/SSL_CTX_use_certificate.pod b/doc/ssl/SSL_CTX_use_certificate.pod index 3b2fe6fc50..b8868f18bf 100644 --- a/doc/ssl/SSL_CTX_use_certificate.pod +++ b/doc/ssl/SSL_CTX_use_certificate.pod @@ -149,6 +149,7 @@ L, L, L, L, L, L, +L, L =cut diff --git a/doc/ssl/SSL_clear.pod b/doc/ssl/SSL_clear.pod index 8b735d81dc..f0aa5e94eb 100644 --- a/doc/ssl/SSL_clear.pod +++ b/doc/ssl/SSL_clear.pod @@ -44,6 +44,7 @@ The SSL_clear() operation was successful. L, L, L, L, -L, L +L, L, +L =cut diff --git a/doc/ssl/SSL_get_client_CA_list.pod b/doc/ssl/SSL_get_client_CA_list.pod index 40e01cf9c8..5693fdebb2 100644 --- a/doc/ssl/SSL_get_client_CA_list.pod +++ b/doc/ssl/SSL_get_client_CA_list.pod @@ -47,6 +47,7 @@ the server did not send a list of CAs (client mode). =head1 SEE ALSO L, -L +L, +L =cut diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index b948d59e59..d0525582b0 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -675,6 +675,7 @@ L, L, L, L, +L, L, L, L, -- cgit v1.2.3