mirror/freebsd
1
0
Fork 0
mirror of https://git.FreeBSD.org/src.git synced 2024-10-18 02:19:39 +00:00
Code Issues Releases Activity

openssl: Import OpenSSL 3.0.15.

Browse Source 
This release incorporates the following bug fixes and mitigations:
- Fixed possible denial of service in X.509 name checks ([CVE-2024-6119])
- Fixed possible buffer overread in SSL_select_next_proto() ([CVE-2024-5535])

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

Co-authored-by:	gordon
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D46602

Merge commit '108164cf95d9594884c2dcccba2691335e6f221b'
This commit is contained in:
Enji Cooper 2024-09-07 21:30:17 -07:00
commit a7148ab39c
174 changed files with 2414 additions and 914 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
crypto/openssl/CHANGES.md
View File

@ -28,6 +28,30 @@ breaking changes, and mappings for the large list of deprecated functions.
[Migration guide]: https://github.com/openssl/openssl/tree/master/doc/man7/migration_guide.pod
### Changes between 3.0.14 and 3.0.15 [3 Sep 2024]
* Fixed possible denial of service in X.509 name checks.
Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of
an X.509 certificate. This may result in an exception that terminates the
application program.
([CVE-2024-6119])
*Viktor Dukhovni*
* Fixed possible buffer overread in SSL_select_next_proto().
Calling the OpenSSL API function SSL_select_next_proto with an empty
supported client protocols buffer may cause a crash or memory contents
to be sent to the peer.
([CVE-2024-5535])
*Matt Caswell*
### Changes between 3.0.13 and 3.0.14 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called.
@ -70,6 +94,14 @@ breaking changes, and mappings for the large list of deprecated functions.
*Tomáš Mráz*
* Improved EC/DSA nonce generation routines to avoid bias and timing
side channel leaks.
Thanks to Florian Sieck from Universität zu Lübeck and George Pantelakis
and Hubert Kario from Red Hat for reporting the issues.
*Tomáš Mráz and Paul Dale*
* Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
exploit certain server configurations to trigger unbounded memory growth that
@ -19890,6 +19922,8 @@ ndif
<!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511

6
crypto/openssl/CONTRIBUTING.md
View File

@ -3,7 +3,7 @@ HOW TO CONTRIBUTE TO OpenSSL
Please visit our [Getting Started] page for other ideas about how to contribute.
[Getting Started]: <https://www.openssl.org/community/getting-started.html>
[Getting Started]: <https://openssl-library.org/community/getting-started>
Development is done on GitHub in the [openssl/openssl] repository.
@ -77,8 +77,8 @@ guidelines:
Clean builds via GitHub Actions are required. They are started automatically
whenever a PR is created or updated by committers.
[coding style]: https://www.openssl.org/policies/technical/coding-style.html
[documentation policy]: https://openssl.org/policies/technical/documentation-policy.html
[coding style]: https://openssl-library.org/policies/technical/coding-style/
[documentation policy]: https://openssl-library.org/policies/technical/documentation-policy/
5. When at all possible, code contributions should include tests. These can
either be added to an existing test, or completely new. Please see

36
crypto/openssl/Configurations/10-main.conf
View File

@ -1264,6 +1264,25 @@ my %targets = (
AR => add("-X32"),
RANLIB => add("-X32"),
},
# To enable openxl compiler for aix
# If 17.1 openxl runtime is available, -latomic can be used
# instead of -DBROKEN_CLANG_ATOMICS
"aix-clang" => {
inherit_from => [ "aix-common" ],
CC => "ibm-clang",
CFLAGS => picker(debug => "-O0 -g",
release => "-O"),
cflags => combine("-Wno-implicit-function-declaration -mcmodel=large -DBROKEN_CLANG_ATOMICS",
threads("-pthread")),
ex_libs => add(threads("-pthread")),
bn_ops => "BN_LLONG RC4_CHAR",
asm_arch => 'ppc32',
perlasm_scheme => "aix32",
shared_cflag => "-fpic",
shared_ldflag => add("-shared"),
AR => add("-X32"),
RANLIB => add("-X32"),
},
"aix64-cc" => {
inherit_from => [ "aix-common" ],
CC => "cc",
@ -1282,6 +1301,23 @@ my %targets = (
AR => add("-X64"),
RANLIB => add("-X64"),
},
"aix64-clang" => {
inherit_from => [ "aix-common" ],
CC => "ibm-clang",
CFLAGS => picker(debug => "-O0 -g",
release => "-O"),
cflags => combine("-maix64 -Wno-implicit-function-declaration -mcmodel=large",
threads("-pthread")),
ex_libs => add(threads("-pthread")),
bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
asm_arch => 'ppc64',
perlasm_scheme => "aix64",
shared_cflag => "-fpic",
shared_ldflag => add("-shared"),
shared_extension => "64.so.\$(SHLIB_VERSION_NUMBER)",
AR => add("-X64"),
RANLIB => add("-X64"),
},
# SIEMENS BS2000/OSD: an EBCDIC-based mainframe
"BS2000-OSD" => {

2
crypto/openssl/Configurations/15-ios.conf
View File

@ -10,7 +10,7 @@ my %targets = (
template => 1,
inherit_from => [ "darwin-common" ],
sys_id => "iOS",
disable => [ "shared", "async" ],
disable => [ "async" ],
},
"ios-xcrun" => {
inherit_from => [ "ios-common" ],

10
crypto/openssl/Configure
View File

@ -178,7 +178,6 @@ my @gcc_devteam_warn = qw(
# -Wextended-offsetof -- no, needed in CMS ASN1 code
my @clang_devteam_warn = qw(
-Wno-unknown-warning-option
-Wswitch-default
-Wno-parentheses-equality
-Wno-language-extension-token
-Wno-extended-offsetof
@ -1583,7 +1582,7 @@ if (!$disabled{makedepend}) {
disable('unavailable', 'makedepend') unless $config{makedep_scheme};
}
if (!$disabled{asm} && !$predefined_C{__MACH__} && $^O ne 'VMS') {
if (!$disabled{asm} && !$predefined_C{__MACH__} && $^O ne 'VMS' && !$predefined_C{_AIX}) {
# probe for -Wa,--noexecstack option...
if ($predefined_C{__clang__}) {
# clang has builtin assembler, which doesn't recognize --help,
@ -3407,6 +3406,13 @@ sub absolutedir {
return rel2abs($dir);
}
# realpath() on Windows seems to check if the directory actually exists,
# which isn't what is wanted here. All we want to know is if a directory
# spec is absolute, not if it exists.
if ($^O eq "MSWin32") {
return rel2abs($dir);
}
# We use realpath() on Unix, since no other will properly clean out
# a directory spec.
use Cwd qw/realpath/;

6
crypto/openssl/FAQ.md
View File

@ -1,6 +0,0 @@
Frequently Asked Questions (FAQ)
================================
The [Frequently Asked Questions][FAQ] are now maintained on the OpenSSL homepage.
[FAQ]: https://www.openssl.org/docs/faq.html

4
crypto/openssl/INSTALL.md
View File

@ -1164,7 +1164,7 @@ Configure OpenSSL
### Automatic Configuration
In previous version, the `config` script determined the platform type and
compiler and then called `Configure`. Starting with this release, they are
compiler and then called `Configure`. Starting with version 3.0, they are
the same.
#### Unix / Linux / macOS
@ -1618,7 +1618,7 @@ More about our support resources can be found in the [SUPPORT] file.
### Configuration Errors
If the `./Configure` or `./Configure` command fails with an error message,
If the `./config` or `./Configure` command fails with an error message,
read the error message carefully and try to figure out whether you made
a mistake (e.g., by providing a wrong option), or whether the script is
working incorrectly. If you think you encountered a bug, please

15
crypto/openssl/NEWS.md
View File

@ -18,6 +18,19 @@ OpenSSL Releases
OpenSSL 3.0
-----------
### Major changes between OpenSSL 3.0.14 and OpenSSL 3.0.15 [3 Sep 2024]
OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this
release is Moderate.
This release incorporates the following bug fixes and mitigations:
* Fixed possible denial of service in X.509 name checks
([CVE-2024-6119])
* Fixed possible buffer overread in SSL_select_next_proto()
([CVE-2024-5535])
### Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [4 Jun 2024]
* Fixed potential use after free after SSL_free_buffers() is called
@ -1482,6 +1495,8 @@ OpenSSL 0.9.x
<!-- Links -->
[CVE-2024-6119]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-6119
[CVE-2024-5535]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-5535
[CVE-2024-4741]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4741
[CVE-2024-4603]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-4603
[CVE-2024-2511]: https://www.openssl.org/news/vulnerabilities.html#CVE-2024-2511

4
crypto/openssl/VERSION.dat
View File

@ -1,7 +1,7 @@
MAJOR=3
MINOR=0
PATCH=14
PATCH=15
PRE_RELEASE_TAG=
BUILD_METADATA=
RELEASE_DATE="4 Jun 2024"
RELEASE_DATE="3 Sep 2024"
SHLIB_VERSION=3

4
crypto/openssl/apps/cms.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -132,7 +132,7 @@ const OPTIONS cms_options[] = {
{"binary", OPT_BINARY, '-',
"Treat input as binary: do not translate to canonical form"},
{"crlfeol", OPT_CRLFEOL, '-',
"Use CRLF as EOL termination instead of CR only" },
"Use CRLF as EOL termination instead of LF only" },
{"asciicrlf", OPT_ASCIICRLF, '-',
"Perform CRLF canonicalisation when signing"},

9
crypto/openssl/apps/dgst.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -478,7 +478,7 @@ int dgst_main(int argc, char **argv)
static void show_digests(const OBJ_NAME *name, void *arg)
{
struct doall_dgst_digests *dec = (struct doall_dgst_digests *)arg;
const EVP_MD *md = NULL;
EVP_MD *md = NULL;
/* Filter out signed digests (a.k.a signature algorithms) */
if (strstr(name->name, "rsa") != NULL || strstr(name->name, "RSA") != NULL)
@ -490,8 +490,7 @@ static void show_digests(const OBJ_NAME *name, void *arg)
/* Filter out message digests that we cannot use */
md = EVP_MD_fetch(app_get0_libctx(), name->name, app_get0_propq());
if (md == NULL) {
md = EVP_get_digestbyname(name->name);
if (md == NULL)
if (EVP_get_digestbyname(name->name) == NULL)
return;
}
@ -502,6 +501,8 @@ static void show_digests(const OBJ_NAME *name, void *arg)
} else {
BIO_printf(dec->bio, " ");
}
EVP_MD_free(md);
}
/*

4
crypto/openssl/apps/lib/opt.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -616,7 +616,7 @@ int opt_uintmax(const char *value, ossl_uintmax_t *result)
opt_number_error(value);
return 0;
}
*result = (ossl_intmax_t)m;
*result = (ossl_uintmax_t)m;
errno = oerrno;
return 1;
}

3
crypto/openssl/apps/lib/s_cb.c
View File

@ -649,7 +649,7 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
(void)BIO_flush(bio);
}
static STRINT_PAIR tlsext_types[] = {
static const STRINT_PAIR tlsext_types[] = {
{"server name", TLSEXT_TYPE_server_name},
{"max fragment length", TLSEXT_TYPE_max_fragment_length},
{"client certificate URL", TLSEXT_TYPE_client_certificate_url},
@ -688,6 +688,7 @@ static STRINT_PAIR tlsext_types[] = {
{"psk kex modes", TLSEXT_TYPE_psk_kex_modes},
{"certificate authorities", TLSEXT_TYPE_certificate_authorities},
{"post handshake auth", TLSEXT_TYPE_post_handshake_auth},
{"early_data", TLSEXT_TYPE_early_data},
{NULL}
};

4
crypto/openssl/apps/smime.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -118,7 +118,7 @@ const OPTIONS smime_options[] = {
"Do not load certificates from the default certificates store"},
{"nochain", OPT_NOCHAIN, '-',
"set PKCS7_NOCHAIN so certificates contained in the message are not used as untrusted CAs" },
{"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of CR only"},
{"crlfeol", OPT_CRLFEOL, '-', "Use CRLF as EOL termination instead of LF only"},
OPT_R_OPTIONS,
OPT_V_OPTIONS,

147
crypto/openssl/crypto/aes/asm/aesp8-ppc.pl
View File

@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2014-2024 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@ -99,11 +99,12 @@ rcon:
.long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev
.long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev
.long 0,0,0,0 ?asis
.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe
Lconsts:
mflr r0
bcl 20,31,\$+4
mflr $ptr #vvvvv "distance between . and rcon
addi $ptr,$ptr,-0x48
addi $ptr,$ptr,-0x58
mtlr r0
blr
.long 0
@ -2405,7 +2406,7 @@ ___
my $key_=$key2;
my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31));
$x00=0 if ($flavour =~ /osx/);
my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5));
my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5));
my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16));
my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22));
my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys
@ -2460,6 +2461,18 @@ _aesp8_xts_encrypt6x:
li $x70,0x70
mtspr 256,r0
# Reverse eighty7 to 0x010101..87
xxlor 2, 32+$eighty7, 32+$eighty7
vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
xxlor 1, 32+$eighty7, 32+$eighty7
# Load XOR contents. 0xf102132435465768798a9bacbdcedfe
mr $x70, r6
bl Lconsts
lxvw4x 0, $x40, r6 # load XOR contents
mr r6, $x70
li $x70,0x70
subi $rounds,$rounds,3 # -4 in total
lvx $rndkey0,$x00,$key1 # load key schedule
@ -2502,69 +2515,77 @@ Load_xts_enc_key:
?vperm v31,v31,$twk5,$keyperm
lvx v25,$x10,$key_ # pre-load round[2]
# Switch to use the following codes with 0x010101..87 to generate tweak.
# eighty7 = 0x010101..87
# vsrab tmp, tweak, seven # next tweak value, right shift 7 bits
# vand tmp, tmp, eighty7 # last byte with carry
# vaddubm tweak, tweak, tweak # left shift 1 bit (x2)
# xxlor vsx, 0, 0
# vpermxor tweak, tweak, tmp, vsx
vperm $in0,$inout,$inptail,$inpperm
subi $inp,$inp,31 # undo "caller"
vxor $twk0,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
vand $tmp,$tmp,$eighty7
vxor $out0,$in0,$twk0
vxor $tweak,$tweak,$tmp
xxlor 32+$in1, 0, 0
vpermxor $tweak, $tweak, $tmp, $in1
lvx_u $in1,$x10,$inp
vxor $twk1,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
le?vperm $in1,$in1,$in1,$leperm
vand $tmp,$tmp,$eighty7
vxor $out1,$in1,$twk1
vxor $tweak,$tweak,$tmp
xxlor 32+$in2, 0, 0
vpermxor $tweak, $tweak, $tmp, $in2
lvx_u $in2,$x20,$inp
andi. $taillen,$len,15
vxor $twk2,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
le?vperm $in2,$in2,$in2,$leperm
vand $tmp,$tmp,$eighty7
vxor $out2,$in2,$twk2
vxor $tweak,$tweak,$tmp
xxlor 32+$in3, 0, 0
vpermxor $tweak, $tweak, $tmp, $in3
lvx_u $in3,$x30,$inp
sub $len,$len,$taillen
vxor $twk3,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
le?vperm $in3,$in3,$in3,$leperm
vand $tmp,$tmp,$eighty7
vxor $out3,$in3,$twk3
vxor $tweak,$tweak,$tmp
xxlor 32+$in4, 0, 0
vpermxor $tweak, $tweak, $tmp, $in4
lvx_u $in4,$x40,$inp
subi $len,$len,0x60
vxor $twk4,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
le?vperm $in4,$in4,$in4,$leperm
vand $tmp,$tmp,$eighty7
vxor $out4,$in4,$twk4
vxor $tweak,$tweak,$tmp
xxlor 32+$in5, 0, 0
vpermxor $tweak, $tweak, $tmp, $in5
lvx_u $in5,$x50,$inp
addi $inp,$inp,0x60
vxor $twk5,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
le?vperm $in5,$in5,$in5,$leperm
vand $tmp,$tmp,$eighty7
vxor $out5,$in5,$twk5
vxor $tweak,$tweak,$tmp
xxlor 32+$in0, 0, 0
vpermxor $tweak, $tweak, $tmp, $in0
vxor v31,v31,$rndkey0
mtctr $rounds
@ -2590,6 +2611,8 @@ Loop_xts_enc6x:
lvx v25,$x10,$key_ # round[4]
bdnz Loop_xts_enc6x
xxlor 32+$eighty7, 1, 1 # 0x010101..87
subic $len,$len,96 # $len-=96
vxor $in0,$twk0,v31 # xor with last round key
vcipher $out0,$out0,v24
@ -2599,7 +2622,6 @@ Loop_xts_enc6x:
vaddubm $tweak,$tweak,$tweak
vcipher $out2,$out2,v24
vcipher $out3,$out3,v24
vsldoi $tmp,$tmp,$tmp,15
vcipher $out4,$out4,v24
vcipher $out5,$out5,v24
@ -2607,7 +2629,8 @@ Loop_xts_enc6x:
vand $tmp,$tmp,$eighty7
vcipher $out0,$out0,v25
vcipher $out1,$out1,v25
vxor $tweak,$tweak,$tmp
xxlor 32+$in1, 0, 0
vpermxor $tweak, $tweak, $tmp, $in1
vcipher $out2,$out2,v25
vcipher $out3,$out3,v25
vxor $in1,$twk1,v31
@ -2618,13 +2641,13 @@ Loop_xts_enc6x:
and r0,r0,$len
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
vcipher $out0,$out0,v26
vcipher $out1,$out1,v26
vand $tmp,$tmp,$eighty7
vcipher $out2,$out2,v26
vcipher $out3,$out3,v26
vxor $tweak,$tweak,$tmp
xxlor 32+$in2, 0, 0
vpermxor $tweak, $tweak, $tmp, $in2
vcipher $out4,$out4,v26
vcipher $out5,$out5,v26
@ -2638,7 +2661,6 @@ Loop_xts_enc6x:
vaddubm $tweak,$tweak,$tweak
vcipher $out0,$out0,v27
vcipher $out1,$out1,v27
vsldoi $tmp,$tmp,$tmp,15
vcipher $out2,$out2,v27
vcipher $out3,$out3,v27
vand $tmp,$tmp,$eighty7
@ -2646,7 +2668,8 @@ Loop_xts_enc6x:
vcipher $out5,$out5,v27
addi $key_,$sp,$FRAME+15 # rewind $key_
vxor $tweak,$tweak,$tmp
xxlor 32+$in3, 0, 0
vpermxor $tweak, $tweak, $tmp, $in3
vcipher $out0,$out0,v28
vcipher $out1,$out1,v28
vxor $in3,$twk3,v31
@ -2655,7 +2678,6 @@ Loop_xts_enc6x:
vcipher $out2,$out2,v28
vcipher $out3,$out3,v28
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
vcipher $out4,$out4,v28
vcipher $out5,$out5,v28
lvx v24,$x00,$key_ # re-pre-load round[1]
@ -2663,7 +2685,8 @@ Loop_xts_enc6x:
vcipher $out0,$out0,v29
vcipher $out1,$out1,v29
vxor $tweak,$tweak,$tmp
xxlor 32+$in4, 0, 0
vpermxor $tweak, $tweak, $tmp, $in4
vcipher $out2,$out2,v29
vcipher $out3,$out3,v29
vxor $in4,$twk4,v31
@ -2673,14 +2696,14 @@ Loop_xts_enc6x:
vcipher $out5,$out5,v29
lvx v25,$x10,$key_ # re-pre-load round[2]
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
vcipher $out0,$out0,v30
vcipher $out1,$out1,v30
vand $tmp,$tmp,$eighty7
vcipher $out2,$out2,v30
vcipher $out3,$out3,v30
vxor $tweak,$tweak,$tmp
xxlor 32+$in5, 0, 0
vpermxor $tweak, $tweak, $tmp, $in5
vcipher $out4,$out4,v30
vcipher $out5,$out5,v30
vxor $in5,$twk5,v31
@ -2690,7 +2713,6 @@ Loop_xts_enc6x:
vcipherlast $out0,$out0,$in0
lvx_u $in0,$x00,$inp # load next input block
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
vcipherlast $out1,$out1,$in1
lvx_u $in1,$x10,$inp
vcipherlast $out2,$out2,$in2
@ -2703,7 +2725,10 @@ Loop_xts_enc6x:
vcipherlast $out4,$out4,$in4
le?vperm $in2,$in2,$in2,$leperm
lvx_u $in4,$x40,$inp
vxor $tweak,$tweak,$tmp
xxlor 10, 32+$in0, 32+$in0
xxlor 32+$in0, 0, 0
vpermxor $tweak, $tweak, $tmp, $in0
xxlor 32+$in0, 10, 10
vcipherlast $tmp,$out5,$in5 # last block might be needed
# in stealing mode
le?vperm $in3,$in3,$in3,$leperm
@ -2736,6 +2761,8 @@ Loop_xts_enc6x:
mtctr $rounds
beq Loop_xts_enc6x # did $len-=96 borrow?
xxlor 32+$eighty7, 2, 2 # 0x870101..01
addic. $len,$len,0x60
beq Lxts_enc6x_zero
cmpwi $len,0x20
@ -3112,6 +3139,18 @@ _aesp8_xts_decrypt6x:
li $x70,0x70
mtspr 256,r0
# Reverse eighty7 to 0x010101..87
xxlor 2, 32+$eighty7, 32+$eighty7
vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87
xxlor 1, 32+$eighty7, 32+$eighty7
# Load XOR contents. 0xf102132435465768798a9bacbdcedfe
mr $x70, r6
bl Lconsts
lxvw4x 0, $x40, r6 # load XOR contents
mr r6, $x70
li $x70,0x70
subi $rounds,$rounds,3 # -4 in total
lvx $rndkey0,$x00,$key1 # load key schedule
@ -3159,64 +3198,64 @@ Load_xts_dec_key:
vxor $twk0,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
vand $tmp,$tmp,$eighty7
vxor $out0,$in0,$twk0
vxor $tweak,$tweak,$tmp
xxlor 32+$in1, 0, 0
vpermxor $tweak, $tweak, $tmp, $in1
lvx_u $in1,$x10,$inp
vxor $twk1,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
le?vperm $in1,$in1,$in1,$leperm
vand $tmp,$tmp,$eighty7
vxor $out1,$in1,$twk1
vxor $tweak,$tweak,$tmp
xxlor 32+$in2, 0, 0
vpermxor $tweak, $tweak, $tmp, $in2
lvx_u $in2,$x20,$inp
andi. $taillen,$len,15
vxor $twk2,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
le?vperm $in2,$in2,$in2,$leperm
vand $tmp,$tmp,$eighty7
vxor $out2,$in2,$twk2
vxor $tweak,$tweak,$tmp
xxlor 32+$in3, 0, 0
vpermxor $tweak, $tweak, $tmp, $in3
lvx_u $in3,$x30,$inp
sub $len,$len,$taillen
vxor $twk3,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
le?vperm $in3,$in3,$in3,$leperm
vand $tmp,$tmp,$eighty7
vxor $out3,$in3,$twk3
vxor $tweak,$tweak,$tmp
xxlor 32+$in4, 0, 0
vpermxor $tweak, $tweak, $tmp, $in4
lvx_u $in4,$x40,$inp
subi $len,$len,0x60
vxor $twk4,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
le?vperm $in4,$in4,$in4,$leperm
vand $tmp,$tmp,$eighty7
vxor $out4,$in4,$twk4
vxor $tweak,$tweak,$tmp
xxlor 32+$in5, 0, 0
vpermxor $tweak, $tweak, $tmp, $in5
lvx_u $in5,$x50,$inp
addi $inp,$inp,0x60
vxor $twk5,$tweak,$rndkey0
vsrab $tmp,$tweak,$seven # next tweak value
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
le?vperm $in5,$in5,$in5,$leperm
vand $tmp,$tmp,$eighty7
vxor $out5,$in5,$twk5
vxor $tweak,$tweak,$tmp
xxlor 32+$in0, 0, 0
vpermxor $tweak, $tweak, $tmp, $in0
vxor v31,v31,$rndkey0
mtctr $rounds
@ -3242,6 +3281,8 @@ Loop_xts_dec6x:
lvx v25,$x10,$key_ # round[4]
bdnz Loop_xts_dec6x
xxlor 32+$eighty7, 1, 1
subic $len,$len,96 # $len-=96
vxor $in0,$twk0,v31 # xor with last round key
vncipher $out0,$out0,v24
@ -3251,7 +3292,6 @@ Loop_xts_dec6x:
vaddubm $tweak,$tweak,$tweak
vncipher $out2,$out2,v24
vncipher $out3,$out3,v24
vsldoi $tmp,$tmp,$tmp,15
vncipher $out4,$out4,v24
vncipher $out5,$out5,v24
@ -3259,7 +3299,8 @@ Loop_xts_dec6x:
vand $tmp,$tmp,$eighty7
vncipher $out0,$out0,v25
vncipher $out1,$out1,v25
vxor $tweak,$tweak,$tmp
xxlor 32+$in1, 0, 0
vpermxor $tweak, $tweak, $tmp, $in1
vncipher $out2,$out2,v25
vncipher $out3,$out3,v25
vxor $in1,$twk1,v31
@ -3270,13 +3311,13 @@ Loop_xts_dec6x:
and r0,r0,$len
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
vncipher $out0,$out0,v26
vncipher $out1,$out1,v26
vand $tmp,$tmp,$eighty7
vncipher $out2,$out2,v26
vncipher $out3,$out3,v26
vxor $tweak,$tweak,$tmp
xxlor 32+$in2, 0, 0
vpermxor $tweak, $tweak, $tmp, $in2
vncipher $out4,$out4,v26
vncipher $out5,$out5,v26
@ -3290,7 +3331,6 @@ Loop_xts_dec6x:
vaddubm $tweak,$tweak,$tweak
vncipher $out0,$out0,v27
vncipher $out1,$out1,v27
vsldoi $tmp,$tmp,$tmp,15
vncipher $out2,$out2,v27
vncipher $out3,$out3,v27
vand $tmp,$tmp,$eighty7
@ -3298,7 +3338,8 @@ Loop_xts_dec6x:
vncipher $out5,$out5,v27
addi $key_,$sp,$FRAME+15 # rewind $key_
vxor $tweak,$tweak,$tmp
xxlor 32+$in3, 0, 0
vpermxor $tweak, $tweak, $tmp, $in3
vncipher $out0,$out0,v28
vncipher $out1,$out1,v28
vxor $in3,$twk3,v31
@ -3307,7 +3348,6 @@ Loop_xts_dec6x:
vncipher $out2,$out2,v28
vncipher $out3,$out3,v28
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
vncipher $out4,$out4,v28
vncipher $out5,$out5,v28
lvx v24,$x00,$key_ # re-pre-load round[1]
@ -3315,7 +3355,8 @@ Loop_xts_dec6x:
vncipher $out0,$out0,v29
vncipher $out1,$out1,v29
vxor $tweak,$tweak,$tmp
xxlor 32+$in4, 0, 0
vpermxor $tweak, $tweak, $tmp, $in4
vncipher $out2,$out2,v29
vncipher $out3,$out3,v29
vxor $in4,$twk4,v31
@ -3325,14 +3366,14 @@ Loop_xts_dec6x:
vncipher $out5,$out5,v29
lvx v25,$x10,$key_ # re-pre-load round[2]
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
vncipher $out0,$out0,v30
vncipher $out1,$out1,v30
vand $tmp,$tmp,$eighty7
vncipher $out2,$out2,v30
vncipher $out3,$out3,v30
vxor $tweak,$tweak,$tmp
xxlor 32+$in5, 0, 0
vpermxor $tweak, $tweak, $tmp, $in5
vncipher $out4,$out4,v30
vncipher $out5,$out5,v30
vxor $in5,$twk5,v31
@ -3342,7 +3383,6 @@ Loop_xts_dec6x:
vncipherlast $out0,$out0,$in0
lvx_u $in0,$x00,$inp # load next input block
vaddubm $tweak,$tweak,$tweak
vsldoi $tmp,$tmp,$tmp,15
vncipherlast $out1,$out1,$in1
lvx_u $in1,$x10,$inp
vncipherlast $out2,$out2,$in2
@ -3355,7 +3395,10 @@ Loop_xts_dec6x:
vncipherlast $out4,$out4,$in4
le?vperm $in2,$in2,$in2,$leperm
lvx_u $in4,$x40,$inp
vxor $tweak,$tweak,$tmp
xxlor 10, 32+$in0, 32+$in0
xxlor 32+$in0, 0, 0
vpermxor $tweak, $tweak, $tmp, $in0
xxlor 32+$in0, 10, 10
vncipherlast $out5,$out5,$in5
le?vperm $in3,$in3,$in3,$leperm
lvx_u $in5,$x50,$inp
@ -3386,6 +3429,8 @@ Loop_xts_dec6x:
mtctr $rounds
beq Loop_xts_dec6x # did $len-=96 borrow?
xxlor 32+$eighty7, 2, 2
addic. $len,$len,0x60
beq Lxts_dec6x_zero
cmpwi $len,0x20

4
crypto/openssl/crypto/aes/build.info
View File

@ -38,7 +38,11 @@ IF[{- !$disabled{asm} -}]
$AESASM_parisc20_64=$AESASM_parisc11
$AESDEF_parisc20_64=$AESDEF_parisc11
IF[{- $target{sys_id} ne "MACOSX" -}]
$AESASM_ppc32=aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s aesp8-ppc.s
ELSE
$AESASM_ppc32=aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s
ENDIF
$AESDEF_ppc32=AES_ASM VPAES_ASM
$AESASM_ppc64=$AESASM_ppc32
$AESDEF_ppc64=$AESDEF_ppc32

5
crypto/openssl/crypto/asn1/a_d2i_fp.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -148,6 +148,9 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
goto err;
}
len += i;
if ((size_t)i < want)
continue;
}
}
/* else data already loaded */

14
crypto/openssl/crypto/asn1/a_mbstr.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -139,9 +139,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
if (*out) {
free_out = 0;
dest = *out;
OPENSSL_free(dest->data);
dest->data = NULL;
dest->length = 0;
ASN1_STRING_set0(dest, NULL, 0);
dest->type = str_type;
} else {
free_out = 1;
@ -155,6 +153,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
/* If both the same type just copy across */
if (inform == outform) {
if (!ASN1_STRING_set(dest, in, len)) {
if (free_out) {
ASN1_STRING_free(dest);
*out = NULL;
}
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return -1;
}
@ -185,8 +187,10 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
break;
}
if ((p = OPENSSL_malloc(outlen + 1)) == NULL) {
if (free_out)
if (free_out) {
ASN1_STRING_free(dest);
*out = NULL;
}
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
return -1;
}

11
crypto/openssl/crypto/asn1/a_strex.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -10,6 +10,7 @@
#include <stdio.h>
#include <string.h>
#include "internal/cryptlib.h"
#include "internal/sizes.h"
#include "crypto/asn1.h"
#include <openssl/crypto.h>
#include <openssl/x509.h>
@ -345,8 +346,10 @@ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags,
if (lflags & ASN1_STRFLGS_SHOW_TYPE) {
const char *tagname;
tagname = ASN1_tag2str(type);
outlen += strlen(tagname);
/* We can directly cast here as tagname will never be too large. */
outlen += (int)strlen(tagname);
if (!io_ch(arg, tagname, outlen) || !io_ch(arg, ":", 1))
return -1;
outlen++;
@ -372,7 +375,7 @@ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags,
if (type == -1) {
len = do_dump(lflags, io_ch, arg, str);
if (len < 0)
if (len < 0 || len > INT_MAX - outlen)
return -1;
outlen += len;
return outlen;
@ -391,7 +394,7 @@ static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags,
}
len = do_buf(str->data, str->length, type, flags, &quotes, io_ch, NULL);
if (len < 0)
if (len < 0 || len > INT_MAX - 2 - outlen)
return -1;
outlen += len;
if (quotes)

4
crypto/openssl/crypto/asn1/a_verify.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -203,10 +203,12 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
inl = ASN1_item_i2d(data, &buf_in, it);
if (inl <= 0) {
ERR_raise(ERR_LIB_ASN1, ERR_R_INTERNAL_ERROR);
ret = -1;
goto err;
}
if (buf_in == NULL) {
ERR_raise(ERR_LIB_ASN1, ERR_R_MALLOC_FAILURE);
ret = -1;
goto err;
}
inll = inl;

8
crypto/openssl/crypto/asn1/tasn_fre.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -85,8 +85,12 @@ void ossl_asn1_item_embed_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int embed
case ASN1_ITYPE_NDEF_SEQUENCE:
case ASN1_ITYPE_SEQUENCE:
if (ossl_asn1_do_lock(pval, -1, it) != 0) /* if error or ref-counter > 0 */
if (ossl_asn1_do_lock(pval, -1, it) != 0) {
/* if error or ref-counter > 0 */
OPENSSL_assert(embed == 0);
*pval = NULL;
return;
}
if (asn1_cb) {
i = asn1_cb(ASN1_OP_FREE_PRE, pval, it, NULL);
if (i == 2)

7
crypto/openssl/crypto/bio/bf_readbuff.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -222,10 +222,13 @@ static int readbuffer_gets(BIO *b, char *buf, int size)
char *p;
int i, j;
if (size == 0)
if (buf == NULL || size == 0)
return 0;
--size; /* the passed in size includes the terminator - so remove it here */
ctx = (BIO_F_BUFFER_CTX *)b->ptr;
if (ctx == NULL || b->next_bio == NULL)
return 0;
BIO_clear_retry_flags(b);
/* If data is already buffered then use this first */

12
crypto/openssl/crypto/bio/bio_addr.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -778,14 +778,12 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
if (!RUN_ONCE(&bio_lookup_init, do_bio_lookup_init)) {
ERR_raise(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE);
ret = 0;
goto err;
return 0;
}
if (!CRYPTO_THREAD_write_lock(bio_lookup_lock)) {
ret = 0;
goto err;
}
if (!CRYPTO_THREAD_write_lock(bio_lookup_lock))
return 0;
he_fallback_address = INADDR_ANY;
if (host == NULL) {
he = &he_fallback;

4
crypto/openssl/crypto/cmp/cmp_vfy.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright Nokia 2007-2020
* Copyright Siemens AG 2015-2020
*
@ -619,7 +619,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
default:
scrt = ctx->srvCert;
if (scrt == NULL) {
if (ctx->trusted == NULL) {
if (ctx->trusted == NULL && ctx->secretValue != NULL) {
ossl_cmp_info(ctx, "no trust store nor pinned server cert available for verifying signature-based CMP message protection");
ERR_raise(ERR_LIB_CMP, CMP_R_MISSING_TRUST_ANCHOR);
return 0;

4
crypto/openssl/crypto/conf/conf_def.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -332,7 +332,7 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
v = NULL;
/* check for line continuation */
if (bufnum >= 1) {
if (!again && bufnum >= 1) {
/*
* If we have bytes and the last char '\\' and second last char
* is not '\\'

5
crypto/openssl/crypto/conf/conf_lib.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -464,6 +464,9 @@ int OPENSSL_INIT_set_config_appname(OPENSSL_INIT_SETTINGS *settings,
void OPENSSL_INIT_free(OPENSSL_INIT_SETTINGS *settings)
{
if (settings == NULL)
return;
free(settings->filename);
free(settings->appname);
free(settings);

4
crypto/openssl/crypto/conf/conf_sap.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -38,6 +38,8 @@ void OPENSSL_config(const char *appname)
settings.appname = strdup(appname);
settings.flags = DEFAULT_CONF_MFLAGS;
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, &settings);
free(settings.appname);
}
#endif

4
crypto/openssl/crypto/context.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -240,7 +240,7 @@ int OSSL_LIB_CTX_load_config(OSSL_LIB_CTX *ctx, const char *config_file)
void OSSL_LIB_CTX_free(OSSL_LIB_CTX *ctx)
{
if (ossl_lib_ctx_is_default(ctx))
if (ctx == NULL || ossl_lib_ctx_is_default(ctx))
return;
#ifndef FIPS_MODULE

12
crypto/openssl/crypto/ec/ecdsa_ossl.c
View File

@ -130,7 +130,11 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in,
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
goto err;
}
order = EC_GROUP_get0_order(group);
if ((order = EC_GROUP_get0_order(group)) == NULL) {
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
goto err;
}
/* Preallocate space */
order_bits = BN_num_bits(order);
@ -255,7 +259,11 @@ ECDSA_SIG *ossl_ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len,
goto err;
}
order = EC_GROUP_get0_order(group);
if ((order = EC_GROUP_get0_order(group)) == NULL) {
ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB);
goto err;
}
i = BN_num_bits(order);
/*
* Need to truncate digest if it is too long: first truncate whole bytes.

8
crypto/openssl/crypto/engine/eng_table.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2001-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -215,9 +215,11 @@ ENGINE *ossl_engine_table_select(ENGINE_TABLE **table, int nid,
f, l, nid);
return NULL;
}
ERR_set_mark();
if (!CRYPTO_THREAD_write_lock(global_engine_lock))
goto end;
return NULL;
ERR_set_mark();
/*
* Check again inside the lock otherwise we could race against cleanup
* operations. But don't worry about a debug printout

5
crypto/openssl/crypto/evp/ctrl_params_translate.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -2777,7 +2777,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
fixup_args_fn *fixup = default_fixup_args;
int ret;
tmpl.action_type = action_type;
ctx.action_type = tmpl.action_type = action_type;
tmpl.keytype1 = tmpl.keytype2 = keytype;
tmpl.optype = optype;
tmpl.param_key = params->key;
@ -2786,7 +2786,6 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
if (translation != NULL) {
if (translation->fixup_args != NULL)
fixup = translation->fixup_args;
ctx.action_type = translation->action_type;
ctx.ctrl_cmd = translation->ctrl_num;
}
ctx.pctx = pctx;

4
crypto/openssl/crypto/evp/digest.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -409,7 +409,7 @@ int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count)
/* Code below to be removed when legacy support is dropped. */
legacy:
return ctx->update(ctx, data, count);
return ctx->update != NULL ? ctx->update(ctx, data, count) : 0;
}
/* The caller can assume that this removes any secret data from the context */

36
crypto/openssl/crypto/evp/names.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -78,6 +78,7 @@ const EVP_CIPHER *evp_get_cipherbyname_ex(OSSL_LIB_CTX *libctx,
const EVP_CIPHER *cp;
OSSL_NAMEMAP *namemap;
int id;
int do_retry = 1;
if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS, NULL))
return NULL;
@ -94,9 +95,21 @@ const EVP_CIPHER *evp_get_cipherbyname_ex(OSSL_LIB_CTX *libctx,
*/
namemap = ossl_namemap_stored(libctx);
retry:
id = ossl_namemap_name2num(namemap, name);
if (id == 0)
return NULL;
if (id == 0) {
EVP_CIPHER *fetched_cipher;
/* Try to fetch it because the name might not be known yet. */
if (!do_retry)
return NULL;
do_retry = 0;
ERR_set_mark();
fetched_cipher = EVP_CIPHER_fetch(libctx, name, NULL);
EVP_CIPHER_free(fetched_cipher);
ERR_pop_to_mark();
goto retry;
}
if (!ossl_namemap_doall_names(namemap, id, cipher_from_name, &cp))
return NULL;
@ -124,6 +137,7 @@ const EVP_MD *evp_get_digestbyname_ex(OSSL_LIB_CTX *libctx, const char *name)
const EVP_MD *dp;
OSSL_NAMEMAP *namemap;
int id;
int do_retry = 1;
if (!OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS, NULL))
return NULL;
@ -140,9 +154,21 @@ const EVP_MD *evp_get_digestbyname_ex(OSSL_LIB_CTX *libctx, const char *name)
*/
namemap = ossl_namemap_stored(libctx);
retry:
id = ossl_namemap_name2num(namemap, name);
if (id == 0)
return NULL;
if (id == 0) {
EVP_MD *fetched_md;
/* Try to fetch it because the name might not be known yet. */
if (!do_retry)
return NULL;
do_retry = 0;
ERR_set_mark();
fetched_md = EVP_MD_fetch(libctx, name, NULL);
EVP_MD_free(fetched_md);
ERR_pop_to_mark();
goto retry;
}
if (!ossl_namemap_doall_names(namemap, id, digest_from_name, &dp))
return NULL;

11
crypto/openssl/crypto/evp/pmeth_lib.c
View File

@ -1034,6 +1034,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
int datalen)
{
OSSL_PARAM os_params[2];
const OSSL_PARAM *gettables;
unsigned char *info = NULL;
size_t info_len = 0;
size_t info_alloc = 0;
@ -1057,6 +1058,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
return 1;
}
/* Check for older provider that doesn't support getting this parameter */
gettables = EVP_PKEY_CTX_gettable_params(ctx);
if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL)
return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl,
data, datalen);
/* Get the original value length */
os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0);
os_params[1] = OSSL_PARAM_construct_end();
@ -1064,9 +1071,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback,
if (!EVP_PKEY_CTX_get_params(ctx, os_params))
return 0;
/* Older provider that doesn't support getting this parameter */
/* This should not happen but check to be sure. */
if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED)
return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen);
return 0;
info_alloc = os_params[0].return_size + datalen;
if (info_alloc == 0)

6
crypto/openssl/crypto/o_str.c
View File

@ -229,12 +229,14 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlength,
int has_sep = (sep != CH_ZERO);
size_t len = has_sep ? buflen * 3 : 1 + buflen * 2;
if (len == 0)
++len;
if (strlength != NULL)
*strlength = len;
if (str == NULL)
return 1;
if (str_n < (unsigned long)len) {
if (str_n < len) {
ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_SMALL_BUFFER);
return 0;
}
@ -246,7 +248,7 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlength,
if (has_sep)
*q++ = sep;
}
if (has_sep)
if (has_sep && buflen > 0)
--q;
*q = CH_ZERO;

17
crypto/openssl/crypto/pkcs12/p12_crt.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -213,16 +213,19 @@ PKCS12_SAFEBAG *PKCS12_add_key_ex(STACK_OF(PKCS12_SAFEBAG) **pbags,
if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
goto err;
if (nid_key != -1) {
/* This call does not take ownership of p8 */
bag = PKCS12_SAFEBAG_create_pkcs8_encrypt_ex(nid_key, pass, -1, NULL, 0,
iter, p8, ctx, propq);
PKCS8_PRIV_KEY_INFO_free(p8);
} else
} else {
bag = PKCS12_SAFEBAG_create0_p8inf(p8);
if (bag != NULL)
p8 = NULL; /* bag takes ownership of p8 */
}
/* This does not need to be in the error path */
if (p8 != NULL)
PKCS8_PRIV_KEY_INFO_free(p8);
if (!bag)
goto err;
if (!pkcs12_add_bag(pbags, bag))
if (bag == NULL || !pkcs12_add_bag(pbags, bag))
goto err;
return bag;

45
crypto/openssl/crypto/pkcs7/pk7_doit.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -1239,36 +1239,29 @@ static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
void *value)
{
X509_ATTRIBUTE *attr = NULL;
int i, n;
if (*sk == NULL) {
if ((*sk = sk_X509_ATTRIBUTE_new_null()) == NULL)
return 0;
new_attrib:
if ((attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL)
return 0;
if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {
X509_ATTRIBUTE_free(attr);
return 0;
}
} else {
int i;
for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
attr = sk_X509_ATTRIBUTE_value(*sk, i);
if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid) {
X509_ATTRIBUTE_free(attr);
attr = X509_ATTRIBUTE_create(nid, atrtype, value);
if (attr == NULL)
return 0;
if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) {
X509_ATTRIBUTE_free(attr);
return 0;
}
goto end;
}
}
goto new_attrib;
}
n = sk_X509_ATTRIBUTE_num(*sk);
for (i = 0; i < n; i++) {
attr = sk_X509_ATTRIBUTE_value(*sk, i);
if (OBJ_obj2nid(X509_ATTRIBUTE_get0_object(attr)) == nid)
goto end;
}
if (!sk_X509_ATTRIBUTE_push(*sk, NULL))
return 0;
end:
attr = X509_ATTRIBUTE_create(nid, atrtype, value);
if (attr == NULL) {
if (i == n)
sk_X509_ATTRIBUTE_pop(*sk);
return 0;
}
X509_ATTRIBUTE_free(sk_X509_ATTRIBUTE_value(*sk, i));
(void) sk_X509_ATTRIBUTE_set(*sk, i, attr);
return 1;
}

55
crypto/openssl/crypto/property/property.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
@ -95,6 +95,8 @@ typedef struct {
DEFINE_SPARSE_ARRAY_OF(ALGORITHM);
DEFINE_STACK_OF(ALGORITHM)
typedef struct ossl_global_properties_st {
OSSL_PROPERTY_LIST *list;
#ifndef FIPS_MODULE
@ -469,33 +471,45 @@ static void alg_do_one(ALGORITHM *alg, IMPLEMENTATION *impl,
fn(alg->nid, impl->method.method, fnarg);
}
struct alg_do_each_data_st {
void (*fn)(int id, void *method, void *fnarg);
void *fnarg;
};
static void alg_do_each(ossl_uintmax_t idx, ALGORITHM *alg, void *arg)
static void alg_copy(ossl_uintmax_t idx, ALGORITHM *alg, void *arg)
{
struct alg_do_each_data_st *data = arg;
int i, end = sk_IMPLEMENTATION_num(alg->impls);
STACK_OF(ALGORITHM) *newalg = arg;
for (i = 0; i < end; i++) {
IMPLEMENTATION *impl = sk_IMPLEMENTATION_value(alg->impls, i);
alg_do_one(alg, impl, data->fn, data->fnarg);
}
(void)sk_ALGORITHM_push(newalg, alg);
}
void ossl_method_store_do_all(OSSL_METHOD_STORE *store,
void (*fn)(int id, void *method, void *fnarg),
void *fnarg)
{
struct alg_do_each_data_st data;
int i, j;
int numalgs, numimps;
STACK_OF(ALGORITHM) *tmpalgs;
ALGORITHM *alg;
data.fn = fn;
data.fnarg = fnarg;
if (store != NULL)
ossl_sa_ALGORITHM_doall_arg(store->algs, alg_do_each, &data);
if (store != NULL) {
if (!ossl_property_read_lock(store))
return;
tmpalgs = sk_ALGORITHM_new_reserve(NULL,
ossl_sa_ALGORITHM_num(store->algs));
if (tmpalgs == NULL) {
ossl_property_unlock(store);
return;
}
ossl_sa_ALGORITHM_doall_arg(store->algs, alg_copy, tmpalgs);
ossl_property_unlock(store);
numalgs = sk_ALGORITHM_num(tmpalgs);
for (i = 0; i < numalgs; i++) {
alg = sk_ALGORITHM_value(tmpalgs, i);
numimps = sk_IMPLEMENTATION_num(alg->impls);
for (j = 0; j < numimps; j++)
alg_do_one(alg, sk_IMPLEMENTATION_value(alg->impls, j), fn, fnarg);
}
sk_ALGORITHM_free(tmpalgs);
}
}
int ossl_method_store_fetch(OSSL_METHOD_STORE *store,
@ -651,10 +665,13 @@ static void impl_cache_flush_one_alg(ossl_uintmax_t idx, ALGORITHM *alg,
void *v)
{
IMPL_CACHE_FLUSH *state = (IMPL_CACHE_FLUSH *)v;
unsigned long orig_down_load = lh_QUERY_get_down_load(alg->cache);
state->cache = alg->cache;
lh_QUERY_set_down_load(alg->cache, 0);
lh_QUERY_doall_IMPL_CACHE_FLUSH(state->cache, &impl_cache_flush_cache,
state);
lh_QUERY_set_down_load(alg->cache, orig_down_load);
}
static void ossl_method_cache_flush_some(OSSL_METHOD_STORE *store)

13
crypto/openssl/crypto/rand/randfile.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -16,6 +16,7 @@
# include <sys/stat.h>
#endif
#include "e_os.h"
#include "internal/cryptlib.h"
#include <errno.h>
@ -208,8 +209,16 @@ int RAND_write_file(const char *file)
* should be restrictive from the start
*/
int fd = open(file, O_WRONLY | O_CREAT | O_BINARY, 0600);
if (fd != -1)
if (fd != -1) {
out = fdopen(fd, "wb");
if (out == NULL) {
close(fd);
ERR_raise_data(ERR_LIB_RAND, RAND_R_CANNOT_OPEN_FILE,
"Filename=%s", file);
return -1;
}
}
}
#endif

4
crypto/openssl/crypto/rsa/rsa_oaep.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -186,7 +186,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
mdlen = EVP_MD_get_size(md);
if (tlen <= 0 || flen <= 0)
if (tlen <= 0 || flen <= 0 || mdlen <= 0)
return -1;
/*
* |num| is the length of the modulus; |flen| is the length of the

2
crypto/openssl/crypto/x509/v3_utl.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1999-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1999-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy

6
crypto/openssl/crypto/x509/x_name.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -476,8 +476,8 @@ static int i2d_name_canon(const STACK_OF(STACK_OF_X509_NAME_ENTRY) * _intname,
v = sk_ASN1_VALUE_value(intname, i);
ltmp = ASN1_item_ex_i2d(&v, in,
ASN1_ITEM_rptr(X509_NAME_ENTRIES), -1, -1);
if (ltmp < 0)
return ltmp;
if (ltmp < 0 || len > INT_MAX - ltmp)
return -1;
len += ltmp;
}
return len;

2
crypto/openssl/doc/HOWTO/certificates.txt
View File

@ -89,7 +89,7 @@ was kind enough, your certificate is a raw DER thing in PEM format.
Your key most definitely is if you have followed the examples above.
However, some (most?) certificate authorities will encode them with
things like PKCS7 or PKCS12, or something else. Depending on your
applications, this may be perfectly OK, it all depends on what they
applications, this may be perfectly OK. It all depends on what they
know how to decode. If not, there are a number of OpenSSL tools to
convert between some (most?) formats.

3
crypto/openssl/doc/fingerprints.txt
View File

@ -12,9 +12,6 @@ in the file named openssl-1.0.1h.tar.gz.asc.
The following is the list of fingerprints for the keys that are
currently in use to sign OpenSSL distributions:
OpenSSL OMC:
EFC0 A467 D613 CB83 C7ED 6D30 D894 E2CE 8B3D 79F5
OpenSSL:
BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF

13
crypto/openssl/doc/man1/openssl-enc.pod.in
View File

@ -97,13 +97,19 @@ Base64 process the data. This means that if encryption is taking place
the data is base64 encoded after encryption. If decryption is set then
the input data is base64 decoded before being decrypted.
When the B<-A> option not given,
on encoding a newline is inserted after each 64 characters, and
on decoding a newline is expected among the first 1024 bytes of input.
=item B<-base64>
Same as B<-a>
=item B<-A>
If the B<-a> option is set then base64 process the data on one line.
If the B<-a> option is set then base64 encoding produces output without any
newline character, and base64 decoding does not require any newlines.
Therefore it can be helpful to use the B<-A> option when decoding unknown input.
=item B<-k> I<password>
@ -434,6 +440,9 @@ Base64 decode a file then decrypt it using a password supplied in a file:
=head1 BUGS
The B<-A> option when used with large files doesn't work properly.
On the other hand, when base64 decoding without the B<-A> option,
if the first 1024 bytes of input do not include a newline character
the first two lines of input are ignored.
The B<openssl enc> command only supports a fixed number of algorithms with
certain parameters. So if, for example, you want to use RC2 with a
@ -449,7 +458,7 @@ The B<-ciphers> and B<-engine> options were deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

24
crypto/openssl/doc/man1/openssl-passphrase-options.pod
View File

@ -46,26 +46,32 @@ the environment of other processes is visible on certain platforms
=item B<file:>I<pathname>
The first line of I<pathname> is the password. If the same I<pathname>
argument is supplied to B<-passin> and B<-passout> arguments then the first
line will be used for the input password and the next line for the output
password. I<pathname> need not refer to a regular file: it could for example
refer to a device or named pipe.
Reads the password from the specified file I<pathname>, which can be a regular
file, device, or named pipe. Only the first line, up to the newline character,
is read from the stream.
If the same I<pathname> argument is supplied to both B<-passin> and B<-passout>
arguments, the first line will be used for the input password, and the next
line will be used for the output password.
=item B<fd:>I<number>
Read the password from the file descriptor I<number>. This can be used to
send the data via a pipe for example.
Reads the password from the file descriptor I<number>. This can be useful for
sending data via a pipe, for example. The same line handling as described for
B<file:> applies to passwords read from file descriptors.
B<fd:> is not supported on Windows.
=item B<stdin>
Read the password from standard input.
Reads the password from standard input. The same line handling as described for
B<file:> applies to passwords read from standard input.
=back
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

8
crypto/openssl/doc/man1/openssl-s_client.pod.in
View File

@ -616,7 +616,11 @@ For example strings, see L<SSL_CTX_set1_sigalgs(3)>
=item B<-curves> I<curvelist>
Specifies the list of supported curves to be sent by the client. The curve is
ultimately selected by the server. For a list of all curves, use:
ultimately selected by the server.
The list of all supported groups includes named EC parameters as well as X25519
and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
providers. For a list of named EC parameters, use:
$ openssl ecparam -list_curves
@ -910,7 +914,7 @@ The B<-engine> option was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

7
crypto/openssl/doc/man1/openssl-s_server.pod.in
View File

@ -641,7 +641,10 @@ Signature algorithms to support for client certificate authentication
=item B<-named_curve> I<val>
Specifies the elliptic curve to use. NOTE: this is single curve, not a list.
For a list of all possible curves, use:
The list of all supported groups includes named EC parameters as well as X25519
and X448 or FFDHE groups, and may also include groups implemented in 3rd-party
providers. For a list of named EC parameters, use:
$ openssl ecparam -list_curves
@ -930,7 +933,7 @@ option were deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man1/openssl-verification-options.pod
View File

@ -430,7 +430,7 @@ This option may be used multiple times.
=item B<-policy> I<arg>
Enable policy processing and add I<arg> to the user-initial-policy-set (see
RFC5280). The policy I<arg> can be an object name an OID in numeric form.
RFC5280). The policy I<arg> can be an object name or an OID in numeric form.
This argument can appear more than once.
=item B<-explicit_policy>
@ -686,7 +686,7 @@ The checks enabled by B<-x509_strict> have been extended in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/ASN1_INTEGER_new.pod
View File

@ -18,6 +18,7 @@ ASN1_INTEGER_new, ASN1_INTEGER_free - ASN1_INTEGER allocation functions
ASN1_INTEGER_new() returns an allocated B<ASN1_INTEGER> structure.
ASN1_INTEGER_free() frees up a single B<ASN1_INTEGER> object.
If the argument is NULL, nothing is done.
B<ASN1_INTEGER> structure representing the ASN.1 INTEGER type
@ -34,7 +35,7 @@ L<ERR_get_error(3)>
=head1 COPYRIGHT
Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

5
crypto/openssl/doc/man3/ASYNC_WAIT_CTX_new.pod
View File

@ -178,6 +178,9 @@ operation, normally it is detected by a polling function or an interrupt, as the
user code set a callback by calling ASYNC_WAIT_CTX_set_callback() previously,
then the registered callback will be called.
ASYNC_WAIT_CTX_free() frees up a single B<ASYNC_WAIT_CTX> object.
If the argument is NULL, nothing is done.
=head1 RETURN VALUES
ASYNC_WAIT_CTX_new() returns a pointer to the newly allocated B<ASYNC_WAIT_CTX>
@ -216,7 +219,7 @@ were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/BIO_ADDR.pod
View File

@ -38,6 +38,7 @@ with routines that will fill it with information, such as
BIO_accept_ex().
BIO_ADDR_free() frees a B<BIO_ADDR> created with BIO_ADDR_new().
If the argument is NULL, nothing is done.
BIO_ADDR_clear() clears any data held within the provided B<BIO_ADDR> and sets
it back to an uninitialised state.
@ -115,7 +116,7 @@ L<BIO_connect(3)>, L<BIO_s_connect(3)>
=head1 COPYRIGHT
Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/BIO_ADDRINFO.pod
View File

@ -78,7 +78,7 @@ BIO_ADDRINFO_next() returns the next B<BIO_ADDRINFO> in the chain
from the given one.
BIO_ADDRINFO_free() frees the chain of B<BIO_ADDRINFO> starting
with the given one.
with the given one. If the argument is NULL, nothing is done.
=head1 RETURN VALUES
@ -103,7 +103,7 @@ The BIO_lookup_ex() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

26
crypto/openssl/doc/man3/BIO_f_base64.pod
View File

@ -21,25 +21,23 @@ any data read through it.
Base64 BIOs do not support BIO_gets() or BIO_puts().
For writing, output is by default divided to lines of length 64
characters and there is always a newline at the end of output.
For writing, by default output is divided to lines of length 64
characters and there is a newline at the end of output.
This behavior can be changed with B<BIO_FLAGS_BASE64_NO_NL> flag.
For reading, first line should be at most 1024
characters long. If it is longer then it is ignored completely.
Other input lines can be of any length. There must be a newline
at the end of input.
This behavior can be changed with BIO_FLAGS_BASE64_NO_NL flag.
For reading, first line should be at most 1024 bytes long including newline
unless the flag B<BIO_FLAGS_BASE64_NO_NL> is set.
Further input lines can be of any length (i.e., newlines may appear anywhere
in the input) and a newline at the end of input is not needed.
BIO_flush() on a base64 BIO that is being written through is
used to signal that no more data is to be encoded: this is used
to flush the final block through the BIO.
The flag BIO_FLAGS_BASE64_NO_NL can be set with BIO_set_flags().
The flag B<BIO_FLAGS_BASE64_NO_NL> can be set with BIO_set_flags().
For writing, it causes all data to be written on one line without
newline at the end.
For reading, it expects the data to be all on one line (with or
without a trailing newline).
For reading, it removes all expectations on newlines in the input data.
=head1 NOTES
@ -85,6 +83,10 @@ data to standard output:
=head1 BUGS
On decoding, if the flag B<BIO_FLAGS_BASE64_NO_NL> is not set and
the first 1024 bytes of input do not include a newline character
the first two lines of input are ignored.
The ambiguity of EOF in base64 encoded data can cause additional
data following the base64 encoded block to be misinterpreted.
@ -93,7 +95,7 @@ to reliably determine EOF (for example a MIME boundary).
=head1 COPYRIGHT
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/BIO_meth_new.pod
View File

@ -76,7 +76,7 @@ additionally have the "descriptor" bit set (B<BIO_TYPE_DESCRIPTOR>). See the
L<BIO_find_type(3)> page for more information.
BIO_meth_free() destroys a B<BIO_METHOD> structure and frees up any memory
associated with it.
associated with it. If the argument is NULL, nothing is done.
BIO_meth_get_write_ex() and BIO_meth_set_write_ex() get and set the function
used for writing arbitrary length data to the BIO respectively. This function
@ -157,7 +157,7 @@ The functions described here were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

22
crypto/openssl/doc/man3/BN_add.pod
View File

@ -14,9 +14,9 @@ arithmetic operations on BIGNUMs
int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b);
int BN_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
int BN_sqr(BIGNUM *r, BIGNUM *a, BN_CTX *ctx);
int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *a, const BIGNUM *d,
BN_CTX *ctx);
@ -25,25 +25,25 @@ arithmetic operations on BIGNUMs
int BN_nnmod(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
int BN_mod_add(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
int BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx);
int BN_mod_sub(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
int BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx);
int BN_mod_mul(BIGNUM *r, BIGNUM *a, BIGNUM *b, const BIGNUM *m,
int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m,
BN_CTX *ctx);
int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx);
int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p,
int BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
const BIGNUM *m, BN_CTX *ctx);
int BN_gcd(BIGNUM *r, BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
int BN_gcd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
=head1 DESCRIPTION
@ -135,7 +135,7 @@ L<BN_add_word(3)>, L<BN_set_bit(3)>
=head1 COPYRIGHT
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

5
crypto/openssl/doc/man3/BN_generate_prime.pod
View File

@ -167,7 +167,8 @@ programs should prefer the "new" style, whilst the "old" style is provided
for backwards compatibility purposes.
A B<BN_GENCB> structure should be created through a call to BN_GENCB_new(),
and freed through a call to BN_GENCB_free().
and freed through a call to BN_GENCB_free(). If the argument is NULL,
nothing is done.
For "new" style callbacks a BN_GENCB structure should be initialised with a
call to BN_GENCB_set(), where B<gencb> is a B<BN_GENCB *>, B<callback> is of
@ -245,7 +246,7 @@ BN_check_prime() was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

9
crypto/openssl/doc/man3/BN_set_bit.pod
View File

@ -33,8 +33,11 @@ error occurs if B<a> is shorter than B<n> bits.
BN_is_bit_set() tests if bit B<n> in B<a> is set.
BN_mask_bits() truncates B<a> to an B<n> bit number
(C<a&=~((~0)E<lt>E<lt>n)>). An error occurs if B<a> already is
shorter than B<n> bits.
(C<a&=~((~0)E<lt>E<lt>n)>). An error occurs if B<n> is negative. An error is
also returned if the internal representation of B<a> is already shorter than
B<n> bits. The internal representation depends on the platform's word size, and
this error can be safely ignored. Use L<BN_num_bits(3)> to determine the exact
number of bits if needed.
BN_lshift() shifts B<a> left by B<n> bits and places the result in
B<r> (C<r=a*2^n>). Note that B<n> must be nonnegative. BN_lshift1() shifts
@ -59,7 +62,7 @@ L<BN_num_bytes(3)>, L<BN_add(3)>
=head1 COPYRIGHT
Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/BUF_MEM_new.pod
View File

@ -34,6 +34,7 @@ should be allocated on the secure heap; see L<CRYPTO_secure_malloc(3)>.
BUF_MEM_free() frees up an already existing buffer. The data is zeroed
before freeing up in case the buffer contains sensitive data.
If the argument is NULL, nothing is done.
BUF_MEM_grow() changes the size of an already existing buffer to
B<len>. Any data already in the buffer is preserved if it increases in
@ -65,7 +66,7 @@ The BUF_MEM_new_ex() function was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

12
crypto/openssl/doc/man3/CRYPTO_THREAD_run_once.pod
View File

@ -69,6 +69,7 @@ CRYPTO_THREAD_unlock() unlocks the previously locked I<lock>.
=item *
CRYPTO_THREAD_lock_free() frees the provided I<lock>.
If the argument is NULL, nothing is done.
=item *
@ -163,10 +164,13 @@ This example safely initializes and uses a lock.
{
int ret = 0;
if (mylock()) {
/* Your code here, do not return without releasing the lock! */
ret = ... ;
if (!mylock()) {
/* Do not unlock unless the lock was successfully acquired. */
return 0;
}
/* Your code here, do not return without releasing the lock! */
ret = ... ;
myunlock();
return ret;
}
@ -183,7 +187,7 @@ L<crypto(7)>, L<openssl-threads(7)>.
=head1 COPYRIGHT
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/CTLOG_STORE_new.pod
View File

@ -52,7 +52,7 @@ The expected format of the file is:
Once a CTLOG_STORE is no longer required, it should be passed to
CTLOG_STORE_free(). This will delete all of the CTLOGs stored within, along
with the CTLOG_STORE itself.
with the CTLOG_STORE itself. If the argument is NULL, nothing is done.
=head1 NOTES
@ -78,7 +78,7 @@ added in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/CTLOG_new.pod
View File

@ -50,7 +50,7 @@ property query string are used.
Regardless of whether CTLOG_new() or CTLOG_new_from_base64() is used, it is the
caller's responsibility to pass the CTLOG to CTLOG_free() once it is no longer
needed. This will delete it and, if created by CTLOG_new(), the EVP_PKEY that
was passed to it.
was passed to it. If the argument to CTLOG_free() is NULL, nothing is done.
CTLOG_get0_name() returns the name of the log, as provided when the CTLOG was
created. Ownership of the string remains with the CTLOG.
@ -80,7 +80,7 @@ were added in OpenSSL 3.0. All other functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

5
crypto/openssl/doc/man3/CT_POLICY_EVAL_CTX_new.pod
View File

@ -105,7 +105,8 @@ The time should be in milliseconds since the Unix Epoch.
Each setter has a matching getter for accessing the current value.
When no longer required, the B<CT_POLICY_EVAL_CTX> should be passed to
CT_POLICY_EVAL_CTX_free() to delete it.
CT_POLICY_EVAL_CTX_free() to delete it. If the argument to
CT_POLICY_EVAL_CTX_free() is NULL, nothing is done.
=head1 NOTES
@ -130,7 +131,7 @@ functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/DH_meth_new.pod
View File

@ -81,7 +81,7 @@ parameter. This might be useful for creating a new B<DH_METHOD> based on an
existing one, but with some differences.
DH_meth_free() destroys a B<DH_METHOD> structure and frees up any memory
associated with it.
associated with it. If the argument is NULL, nothing is done.
DH_meth_get0_name() will return a pointer to the name of this DH_METHOD. This
is a pointer to the internal name string and so should not be freed by the
@ -166,7 +166,7 @@ The functions described here were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/DSA_SIG_new.pod
View File

@ -20,6 +20,7 @@ DSA_SIG_new() allocates an empty B<DSA_SIG> structure.
DSA_SIG_free() frees the B<DSA_SIG> structure and its components. The
values are erased before the memory is returned to the system.
If the argument is NULL, nothing is done.
DSA_SIG_get0() returns internal pointers to the B<r> and B<s> values contained
in B<sig>.
@ -48,7 +49,7 @@ L<ERR_get_error(3)>
=head1 COPYRIGHT
Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/DSA_meth_new.pod
View File

@ -110,7 +110,7 @@ parameter. This might be useful for creating a new B<DSA_METHOD> based on an
existing one, but with some differences.
DSA_meth_free() destroys a B<DSA_METHOD> structure and frees up any memory
associated with it.
associated with it. If the argument is NULL, nothing is done.
DSA_meth_get0_name() will return a pointer to the name of this DSA_METHOD. This
is a pointer to the internal name string and so should not be freed by the
@ -214,7 +214,7 @@ The functions described here were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/ECDSA_SIG_new.pod
View File

@ -31,6 +31,7 @@ ECDSA_SIG_new() allocates an empty B<ECDSA_SIG> structure.
Note: before OpenSSL 1.1.0, the I<r> and I<s> components were initialised.
ECDSA_SIG_free() frees the B<ECDSA_SIG> structure I<sig>.
If the argument is NULL, nothing is done.
ECDSA_SIG_get0() returns internal pointers the I<r> and I<s> values contained
in I<sig> and stores them in I<*pr> and I<*ps>, respectively.
@ -136,7 +137,7 @@ L<ECDSA_sign(3)>
=head1 COPYRIGHT
Copyright 2004-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2004-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

5
crypto/openssl/doc/man3/ENGINE_add.pod
View File

@ -227,7 +227,8 @@ references such as; ENGINE_by_id(), ENGINE_get_first(), ENGINE_get_last(),
ENGINE_get_next(), ENGINE_get_prev(). All structural references should be
released by a corresponding to call to the ENGINE_free() function - the
ENGINE object itself will only actually be cleaned up and deallocated when
the last structural reference is released.
the last structural reference is released. If the argument to ENGINE_free()
is NULL, nothing is done.
It should also be noted that many ENGINE API function calls that accept a
structural reference will internally obtain another reference - typically
@ -665,7 +666,7 @@ and should not be used.
=head1 COPYRIGHT
Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/EVP_ASYM_CIPHER_free.pod
View File

@ -45,7 +45,7 @@ The returned value must eventually be freed with EVP_ASYM_CIPHER_free().
EVP_ASYM_CIPHER_free() decrements the reference count for the B<EVP_ASYM_CIPHER>
structure. Typically this structure will have been obtained from an earlier call
to EVP_ASYM_CIPHER_fetch(). If the reference count drops to 0 then the
structure is freed.
structure is freed. If the argument is NULL, nothing is done.
EVP_ASYM_CIPHER_up_ref() increments the reference count for an
B<EVP_ASYM_CIPHER> structure.
@ -102,7 +102,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/EVP_CIPHER_meth_new.pod
View File

@ -80,6 +80,7 @@ EVP_CIPHER_meth_new() creates a new B<EVP_CIPHER> structure.
EVP_CIPHER_meth_dup() creates a copy of B<cipher>.
EVP_CIPHER_meth_free() destroys a B<EVP_CIPHER> structure.
If the argument is NULL, nothing is done.
EVP_CIPHER_meth_set_iv_length() sets the length of the IV.
This is only needed when the implemented cipher mode requires it.
@ -249,7 +250,7 @@ counted in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

10
crypto/openssl/doc/man3/EVP_DigestInit.pod
View File

@ -157,6 +157,7 @@ Increments the reference count for an B<EVP_MD> structure.
Decrements the reference count for the fetched B<EVP_MD> structure.
If the reference count drops to 0 then the structure is freed.
If the argument is NULL, nothing is done.
=item EVP_MD_CTX_new()
@ -170,6 +171,7 @@ existing context.
=item EVP_MD_CTX_free()
Cleans up digest context I<ctx> and frees up the space allocated to it.
If the argument is NULL, nothing is done.
=item EVP_MD_CTX_ctrl()
@ -529,9 +531,13 @@ can be used the manipulate and test these B<EVP_MD_CTX> flags:
This flag instructs the digest to optimize for one update only, if possible.
=for comment EVP_MD_CTX_FLAG_CLEANED is internal, don't mention it
=item EVP_MD_CTX_FLAG_CLEANED
=for comment EVP_MD_CTX_FLAG_REUSE is internal, don't mention it
This flag is for internal use only and I<must not> be used in user code.
=item EVP_MD_CTX_FLAG_REUSE
This flag is for internal use only and I<must not> be used in user code.
=for comment We currently avoid documenting flags that are only bit holder:
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW, EVP_MD_CTX_FLAGS_PAD_*

4
crypto/openssl/doc/man3/EVP_EncodeInit.pod
View File

@ -41,7 +41,7 @@ EVP_ENCODE_CTX_new() allocates, initializes and returns a context to be used for
the encode/decode functions.
EVP_ENCODE_CTX_free() cleans up an encode/decode context B<ctx> and frees up the
space allocated to it.
space allocated to it. If the argument is NULL, nothing is done.
Encoding of binary data is performed in blocks of 48 input bytes (or less for
the final block). For each 48 byte input block encoded 64 bytes of base 64 data
@ -151,7 +151,7 @@ L<evp(7)>
=head1 COPYRIGHT
Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

19
crypto/openssl/doc/man3/EVP_EncryptInit.pod
View File

@ -268,6 +268,7 @@ Increments the reference count for an B<EVP_CIPHER> structure.
Decrements the reference count for the fetched B<EVP_CIPHER> structure.
If the reference count drops to 0 then the structure is freed.
If the argument is NULL, nothing is done.
=item EVP_CIPHER_CTX_new()
@ -276,9 +277,9 @@ Allocates and returns a cipher context.
=item EVP_CIPHER_CTX_free()
Clears all information from a cipher context and frees any allocated memory
associated with it, including I<ctx> itself. This function should be called after
all operations using a cipher are complete so sensitive information does not
remain in memory.
associated with it, including I<ctx> itself. This function should be called
after all operations using a cipher are complete so sensitive information does
not remain in memory. If the argument is NULL, nothing is done.
=item EVP_CIPHER_CTX_ctrl()
@ -360,9 +361,13 @@ exists.
Encrypts I<inl> bytes from the buffer I<in> and writes the encrypted version to
I<out>. The pointers I<out> and I<in> may point to the same location, in which
case the encryption will be done in-place. If I<out> and I<in> point to different
locations, the two buffers must be disjoint, otherwise the operation might fail
or the outcome might be undefined.
case the encryption will be done in-place. However, in-place encryption is
guaranteed to work only if the encryption context (I<ctx>) has processed data in
multiples of the block size. If the context contains an incomplete data block
from previous operations, in-place encryption will fail.
If I<out> and I<in> point to different locations, the two buffers must be
disjoint, otherwise the operation might fail or the outcome might be undefined.
This function can be called multiple times to encrypt successive blocks
of data. The amount of data written depends on the block alignment of the
@ -1733,7 +1738,7 @@ The EVP_CIPHER_CTX_flags() macro was deprecated in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/EVP_KEM_free.pod
View File

@ -41,6 +41,7 @@ The returned value must eventually be freed with EVP_KEM_free().
EVP_KEM_free() decrements the reference count for the B<EVP_KEM> structure.
Typically this structure will have been obtained from an earlier call to
EVP_KEM_fetch(). If the reference count drops to 0 then the structure is freed.
If the argument is NULL, nothing is done.
EVP_KEM_up_ref() increments the reference count for an B<EVP_KEM> structure.
@ -95,7 +96,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/EVP_KEYEXCH_free.pod
View File

@ -41,7 +41,7 @@ The returned value must eventually be freed with EVP_KEYEXCH_free().
EVP_KEYEXCH_free() decrements the reference count for the B<EVP_KEYEXCH>
structure. Typically this structure will have been obtained from an earlier call
to EVP_KEYEXCH_fetch(). If the reference count drops to 0 then the
structure is freed.
structure is freed. If the argument is NULL, nothing is done.
EVP_KEYEXCH_up_ref() increments the reference count for an B<EVP_KEYEXCH>
structure.
@ -101,7 +101,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/EVP_KEYMGMT.pod
View File

@ -62,6 +62,7 @@ B<EVP_KEYMGMT> I<keymgmt>.
EVP_KEYMGMT_free() decrements the reference count for the given
B<EVP_KEYMGMT> I<keymgmt>, and when the count reaches zero, frees it.
If the argument is NULL, nothing is done.
EVP_KEYMGMT_get0_provider() returns the provider that has this particular
implementation.
@ -140,7 +141,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/EVP_MD_meth_new.pod
View File

@ -74,6 +74,7 @@ EVP_MD_meth_dup() creates a copy of B<md>.
EVP_MD_meth_free() decrements the reference count for the B<EVP_MD> structure.
If the reference count drops to 0 then the structure is freed.
If the argument is NULL, nothing is done.
EVP_MD_meth_set_input_blocksize() sets the internal input block size
for the method B<md> to B<blocksize> bytes.
@ -194,7 +195,7 @@ counted in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/EVP_PKEY_ASN1_METHOD.pod
View File

@ -393,7 +393,7 @@ This function is not thread safe, it's recommended to only use this
when initializing the application.
EVP_PKEY_asn1_free() frees an existing B<EVP_PKEY_ASN1_METHOD> pointed
by B<ameth>.
by B<ameth>. If the argument is NULL, nothing is done.
EVP_PKEY_asn1_add0() adds B<ameth> to the user defined stack of
methods unless another B<EVP_PKEY_ASN1_METHOD> with the same NID is
@ -439,7 +439,7 @@ parameter is now constified.
=head1 COPYRIGHT
Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/EVP_PKEY_meth_new.pod
View File

@ -407,7 +407,7 @@ of an B<EVP_PKEY_METHOD> is always called by the EVP framework while doing a
digest signing operation by calling L<EVP_DigestSignFinal(3)>.
EVP_PKEY_meth_free() frees an existing B<EVP_PKEY_METHOD> pointed by
B<pmeth>.
B<pmeth>. If the argument is NULL, nothing is done.
EVP_PKEY_meth_copy() copies an B<EVP_PKEY_METHOD> object from B<src>
to B<dst>.
@ -456,7 +456,7 @@ has changed in OpenSSL 3.0 so its I<src> parameter is now constified.
=head1 COPYRIGHT
Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/EVP_RAND.pod
View File

@ -284,7 +284,7 @@ associated RAND ctx.
Reads or set the number of elapsed seconds before reseeding the
associated RAND ctx.
=item "max_request" (B<OSSL_DRBG_PARAM_RESEED_REQUESTS>) <unsigned integer>
=item "max_request" (B<OSSL_RAND_PARAM_MAX_REQUEST>) <unsigned integer>
Specifies the maximum number of bytes that can be generated in a single
call to OSSL_FUNC_rand_generate.
@ -406,7 +406,7 @@ This functionality was added to OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/EVP_SIGNATURE.pod
View File

@ -49,7 +49,7 @@ The returned value must eventually be freed with EVP_SIGNATURE_free().
EVP_SIGNATURE_free() decrements the reference count for the B<EVP_SIGNATURE>
structure. Typically this structure will have been obtained from an earlier call
to EVP_SIGNATURE_fetch(). If the reference count drops to 0 then the
structure is freed.
structure is freed. If the argument is NULL, nothing is done.
EVP_SIGNATURE_up_ref() increments the reference count for an B<EVP_SIGNATURE>
structure.
@ -106,7 +106,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/HMAC.pod
View File

@ -87,7 +87,7 @@ created with HMAC_CTX_new().
HMAC_CTX_free() erases the key and other data from the B<HMAC_CTX>,
releases any associated resources and finally frees the B<HMAC_CTX>
itself.
itself. If the argument is NULL, nothing is done.
The following functions may be used if the message is not completely
stored in memory:
@ -163,7 +163,7 @@ OpenSSL before version 1.0.0.
=head1 COPYRIGHT
Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

15
crypto/openssl/doc/man3/MD5.pod
View File

@ -7,12 +7,12 @@ MD4_Final, MD5_Init, MD5_Update, MD5_Final - MD2, MD4, and MD5 hash functions
=head1 SYNOPSIS
#include <openssl/md2.h>
The following functions have been deprecated since OpenSSL 3.0, and can be
hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
see L<openssl_user_macros(7)>:
#include <openssl/md2.h>
unsigned char *MD2(const unsigned char *d, unsigned long n, unsigned char *md);
int MD2_Init(MD2_CTX *c);
@ -20,25 +20,24 @@ see L<openssl_user_macros(7)>:
int MD2_Final(unsigned char *md, MD2_CTX *c);
#include <openssl/md4.h>
The following functions have been deprecated since OpenSSL 3.0, and can be
hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
see L<openssl_user_macros(7)>:
#include <openssl/md4.h>
unsigned char *MD4(const unsigned char *d, unsigned long n, unsigned char *md);
int MD4_Init(MD4_CTX *c);
int MD4_Update(MD4_CTX *c, const void *data, unsigned long len);
int MD4_Final(unsigned char *md, MD4_CTX *c);
#include <openssl/md5.h>
The following functions have been deprecated since OpenSSL 3.0, and can be
hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
see L<openssl_user_macros(7)>:
#include <openssl/md5.h>
unsigned char *MD5(const unsigned char *d, unsigned long n, unsigned char *md);
int MD5_Init(MD5_CTX *c);
@ -105,7 +104,7 @@ All of these functions were deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/NCONF_new_ex.pod
View File

@ -35,7 +35,7 @@ I<meth> is set to NULL then the default value of NCONF_default() is used.
NCONF_new() is similar to NCONF_new_ex() but sets the I<libctx> to NULL.
NCONF_free() frees the data associated with I<conf> and then frees the I<conf>
object.
object. If the argument is NULL, nothing is done.
NCONF_load() parses the file named I<filename> and adds the values found to
I<conf>. If an error occurs I<file> and I<eline> list the file and line that
@ -74,7 +74,7 @@ in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/OCSP_REQUEST_new.pod
View File

@ -29,6 +29,7 @@ OCSP_request_onereq_get0 - OCSP request functions
OCSP_REQUEST_new() allocates and returns an empty B<OCSP_REQUEST> structure.
OCSP_REQUEST_free() frees up the request structure B<req>.
If the argument is NULL, nothing is done.
OCSP_request_add0_id() adds certificate ID B<cid> to B<req>. It returns
the B<OCSP_ONEREQ> structure added so an application can add additional
@ -108,7 +109,7 @@ L<OCSP_sendreq_new(3)>
=head1 COPYRIGHT
Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/OCSP_cert_to_id.pod
View File

@ -38,6 +38,7 @@ issuer name B<issuerName>, issuer key hash B<issuerKey> and serial number
B<serialNumber>.
OCSP_CERTID_free() frees up B<id>.
If the argument is NULL, nothing is done.
OCSP_id_cmp() compares B<OCSP_CERTID> B<a> and B<b>.
@ -79,7 +80,7 @@ L<OCSP_sendreq_new(3)>
=head1 COPYRIGHT
Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/OCSP_response_status.pod
View File

@ -46,6 +46,7 @@ OCSP_response_create() creates and returns an I<OCSP_RESPONSE> structure for
I<status> and optionally including basic response I<bs>.
OCSP_RESPONSE_free() frees up OCSP response I<resp>.
If the argument is NULL, nothing is done.
OCSP_RESPID_set_by_name() sets the name of the OCSP_RESPID to be the same as the
subject name in the supplied X509 certificate I<cert> for the OCSP responder.
@ -123,7 +124,7 @@ The OCSP_basic_sign_ctx() function was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/OPENSSL_LH_COMPFUNC.pod
View File

@ -123,7 +123,7 @@ Then a hash table of B<I<TYPE>> objects can be created using this:
B<lh_I<TYPE>_free>() frees the B<LHASH_OF>(B<I<TYPE>>) structure
I<table>. Allocated hash table entries will not be freed; consider
using B<lh_I<TYPE>_doall>() to deallocate any remaining entries in the
hash table (see below).
hash table (see below). If the argument is NULL, nothing is done.
B<lh_I<TYPE>_flush>() empties the B<LHASH_OF>(B<I<TYPE>>) structure I<table>. New
entries can be added to the flushed table. Allocated hash table entries
@ -299,7 +299,7 @@ type checking.
=head1 COPYRIGHT
Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/OPENSSL_init_crypto.pod
View File

@ -249,6 +249,7 @@ If the B<CONF_MFLAGS_IGNORE_RETURN_CODES> flag is not included, any errors in
the configuration file will cause an error return from B<OPENSSL_init_crypto>
or indirectly L<OPENSSL_init_ssl(3)>.
The object can be released with OPENSSL_INIT_free() when done.
If the argument to OPENSSL_INIT_free() is NULL, nothing is done.
=head1 NOTES
@ -289,7 +290,7 @@ and OPENSSL_INIT_free() functions were added in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

5
crypto/openssl/doc/man3/OPENSSL_malloc.pod
View File

@ -99,7 +99,8 @@ OPENSSL_zalloc() calls memset() to zero the memory before returning.
OPENSSL_clear_realloc() and OPENSSL_clear_free() should be used
when the buffer at B<addr> holds sensitive information.
The old buffer is filled with zero's by calling OPENSSL_cleanse()
before ultimately calling OPENSSL_free().
before ultimately calling OPENSSL_free(). If the argument to OPENSSL_free() is
NULL, nothing is done.
OPENSSL_cleanse() fills B<ptr> of size B<len> with a string of 0's.
Use OPENSSL_cleanse() with care if the memory is a mapping of a file.
@ -198,7 +199,7 @@ clang's memory and leak sanitizer.
=head1 COPYRIGHT
Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

8
crypto/openssl/doc/man3/OPENSSL_secure_malloc.pod
View File

@ -82,13 +82,15 @@ If CRYPTO_secure_malloc_init() is not called, this is equivalent to
calling OPENSSL_free().
It exists for consistency with OPENSSL_secure_malloc() , and
is a macro that expands to CRYPTO_secure_free() and adds the C<__FILE__>
and C<__LINE__> parameters..
and C<__LINE__> parameters.. If the argument to OPENSSL_secure_free()
is NULL, nothing is done.
OPENSSL_secure_clear_free() is similar to OPENSSL_secure_free() except
that it has an additional C<num> parameter which is used to clear
the memory if it was not allocated from the secure heap.
If CRYPTO_secure_malloc_init() is not called, this is equivalent to
calling OPENSSL_clear_free().
calling OPENSSL_clear_free(). If the argument to OPENSSL_secure_clear_free()
is NULL, nothing is done.
OPENSSL_secure_actual_size() tells the actual size allocated to the
pointer; implementations may allocate more space than initially
@ -133,7 +135,7 @@ a B<size_t> in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

8
crypto/openssl/doc/man3/OSSL_CMP_CTX_new.pod
View File

@ -176,6 +176,7 @@ the message timeout is set to 120 seconds,
and the proof-of-possession method is set to OSSL_CRMF_POPO_SIGNATURE.
OSSL_CMP_CTX_free() deallocates an OSSL_CMP_CTX structure.
If the argument is NULL, nothing is done.
OSSL_CMP_CTX_reinit() prepares the given I<ctx> for a further transaction by
clearing the internal CMP transaction (aka session) status, PKIStatusInfo,
@ -312,6 +313,11 @@ RFC 4210.
Allow retrieving a trust anchor from extraCerts and using that
to validate the certificate chain of an IP message.
This is a quirk option added to support 3GPP TS 33.310.
Note that using this option is dangerous as the certificate obtained
this way has not been authenticated (at least not at CMP level).
Taking it over as a trust anchor implements trust-on-first-use (TOFU).
=back
@ -796,7 +802,7 @@ OSSL_CMP_CTX_reset_geninfo_ITAVs() was added in OpenSSL 3.0.8.
=head1 COPYRIGHT
Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/OSSL_CMP_SRV_CTX_new.pod
View File

@ -104,6 +104,7 @@ associated with the library context I<libctx> and property query string
I<propq>, both of which may be NULL to select the defaults.
OSSL_CMP_SRV_CTX_free() deletes the given I<srv_ctx>.
If the argument is NULL, nothing is done.
OSSL_CMP_SRV_CTX_init() sets in the given I<srv_ctx> a custom server context
pointer as well as callback functions performing the specific processing of CMP
@ -158,7 +159,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

9
crypto/openssl/doc/man3/OSSL_CMP_validate_msg.pod
View File

@ -40,11 +40,14 @@ using any trust store set via L<OSSL_CMP_CTX_set0_trustedStore(3)>.
If the option OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR was set by calling
L<OSSL_CMP_CTX_set_option(3)>, for an Initialization Response (IP) message
any self-issued certificate from the I<msg> extraCerts field may also be used
as trust anchor for the path verification of an acceptable cert if it can be
any self-issued certificate from the I<msg> extraCerts field may be used
as a trust anchor for the path verification of an 'acceptable' cert if it can be
used also to validate the issued certificate returned in the IP message. This is
according to TS 33.310 [Network Domain Security (NDS); Authentication Framework
(AF)] document specified by the The 3rd Generation Partnership Project (3GPP).
Note that using this option is dangerous as the certificate obtained this way
has not been authenticated (at least not at CMP level).
Taking it over as a trust anchor implements trust-on-first-use (TOFU).
Any cert that has been found as described above is cached and tried first when
validating the signatures of subsequent messages in the same transaction.
@ -74,7 +77,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2007-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/OSSL_DECODER.pod
View File

@ -61,6 +61,7 @@ I<decoder>.
OSSL_DECODER_free() decrements the reference count for the given
I<decoder>, and when the count reaches zero, frees it.
If the argument is NULL, nothing is done.
OSSL_DECODER_get0_provider() returns the provider of the given
I<decoder>.
@ -180,7 +181,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/OSSL_DECODER_CTX.pod
View File

@ -126,6 +126,7 @@ decoders that have been added to the I<ctx> so far. Parameters that an
implementation doesn't recognise should be ignored by it.
OSSL_DECODER_CTX_free() frees the given context I<ctx>.
If the argument is NULL, nothing is done.
OSSL_DECODER_CTX_add_decoder() populates the B<OSSL_DECODER_CTX> I<ctx> with
a decoder, to be used to attempt to decode some encoded input.
@ -249,7 +250,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

4
crypto/openssl/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod
View File

@ -82,7 +82,7 @@ choice of preferred pass phrase callback form. These are called indirectly,
through an internal L<OSSL_PASSPHRASE_CALLBACK(3)> function.
The internal L<OSSL_PASSPHRASE_CALLBACK(3)> function caches the pass phrase, to
be re-used in all decodings that are performed in the same decoding run (for
be reused in all decodings that are performed in the same decoding run (for
example, within one L<OSSL_DECODER_from_bio(3)> call).
=head2 Input Types
@ -135,7 +135,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/OSSL_ENCODER.pod
View File

@ -61,6 +61,7 @@ I<encoder>.
OSSL_ENCODER_free() decrements the reference count for the given
I<encoder>, and when the count reaches zero, frees it.
If the argument is NULL, nothing is done.
OSSL_ENCODER_get0_provider() returns the provider of the given
I<encoder>.
@ -134,7 +135,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/OSSL_ENCODER_CTX.pod
View File

@ -102,6 +102,7 @@ with an L<OSSL_PARAM(3)> array I<params>. Parameters that the
implementation doesn't recognise should be ignored.
OSSL_ENCODER_CTX_free() frees the given context I<ctx>.
If the argument is NULL, nothing is done.
OSSL_ENCODER_CTX_add_encoder() populates the B<OSSL_ENCODER_CTX>
I<ctx> with a encoder, to be used to encode an input object.
@ -211,7 +212,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

3
crypto/openssl/doc/man3/OSSL_HTTP_REQ_CTX.pod
View File

@ -71,6 +71,7 @@ which collects the HTTP request header lines.
OSSL_HTTP_REQ_CTX_free() frees up the HTTP request context I<rctx>.
The I<rbio> is not free'd, I<wbio> will be free'd if I<free_wbio> is set.
If the argument is NULL, nothing is done.
OSSL_HTTP_REQ_CTX_set_request_line() adds the 1st HTTP request line to I<rctx>.
The HTTP method is determined by I<method_POST>,
@ -260,7 +261,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

Some files were not shown because too many files have changed in this diff Show More