src - FreeBSD source tree

diff options


context:
space:
mode:

author	Enji Cooper <ngie@FreeBSD.org>	2025-05-07 21:18:24 +0000
committer	Enji Cooper <ngie@FreeBSD.org>	2025-05-07 22:37:22 +0000
commit	29536654cc41bf41b92dc836c47496dc6fe0b00c (patch)
tree	368a3c5b14e610bb5f6b71657f61a41e373eaf97 /doc/internal/man3
parent	1c34280346af8284acdc0eae39496811d37df25d (diff)

vendor/openssl/3.5.0

Diffstat (limited to 'doc/internal/man3')

-rw-r--r--

doc/internal/man3/OPTIONS.pod

-rw-r--r--

doc/internal/man3/OSSL_METHOD_STORE.pod

-rw-r--r--

doc/internal/man3/cms_add1_signing_cert.pod

-rw-r--r--

doc/internal/man3/evp_generic_fetch.pod

-rw-r--r--

doc/internal/man3/evp_keymgmt_util_export_to_provider.pod

-rw-r--r--

doc/internal/man3/ossl_DER_w_bn.pod

-rw-r--r--

doc/internal/man3/ossl_cmp_mock_srv_new.pod

-rw-r--r--

doc/internal/man3/ossl_cmp_msg_check_update.pod

-rw-r--r--

doc/internal/man3/ossl_cmp_msg_protect.pod

-rw-r--r--

doc/internal/man3/ossl_lib_ctx_get_data.pod

-rw-r--r--

doc/internal/man3/ossl_method_construct.pod

-rw-r--r--

doc/internal/man3/ossl_namemap_new.pod

-rw-r--r--

doc/internal/man3/ossl_provider_new.pod

-rw-r--r--

doc/internal/man3/ossl_punycode_decode.pod

-rw-r--r--

doc/internal/man3/ossl_rand_get_entropy.pod

-rw-r--r--

doc/internal/man3/ossl_random_add_conf_module.pod

16 files changed, 173 insertions, 169 deletions

diff --git a/doc/internal/man3/OPTIONS.pod b/doc/internal/man3/OPTIONS.pod
index dbdd39a2ee64..acd7a44038da 100644
--- a/doc/internal/man3/OPTIONS.pod
+++ b/doc/internal/man3/OPTIONS.pod

@@ -333,7 +333,7 @@ things very differently.

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use this

file except in compliance with the License. You can obtain a copy in the file

diff --git a/doc/internal/man3/OSSL_METHOD_STORE.pod b/doc/internal/man3/OSSL_METHOD_STORE.pod
index 70f6eb520ff3..1b5c3aaf633b 100644
--- a/doc/internal/man3/OSSL_METHOD_STORE.pod
+++ b/doc/internal/man3/OSSL_METHOD_STORE.pod

@@ -5,7 +5,7 @@

OSSL_METHOD_STORE, ossl_method_store_new, ossl_method_store_free,

ossl_method_store_init, ossl_method_store_cleanup,

ossl_method_store_add, ossl_method_store_fetch,

-ossl_method_store_remove, ossl_method_store_remove_all_provided,

+ossl_method_store_remove, ossl_method_store_remove_all_provided,

ossl_method_store_cache_get, ossl_method_store_cache_set,

ossl_method_store_cache_flush_all

- implementation method store and query

diff --git a/doc/internal/man3/cms_add1_signing_cert.pod b/doc/internal/man3/cms_add1_signing_cert.pod
index cc2747dcde6e..1f5f681c6434 100644
--- a/doc/internal/man3/cms_add1_signing_cert.pod
+++ b/doc/internal/man3/cms_add1_signing_cert.pod

@@ -36,7 +36,7 @@ is added or 0 if an error occurred.

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/doc/internal/man3/evp_generic_fetch.pod b/doc/internal/man3/evp_generic_fetch.pod
index b23d2ec0eaa2..016494239e04 100644
--- a/doc/internal/man3/evp_generic_fetch.pod
+++ b/doc/internal/man3/evp_generic_fetch.pod

@@ -2,7 +2,7 @@

=head1 NAME

-evp_generic_fetch, evp_generic_fetch_by_number, evp_generic_fetch_from_prov

+evp_generic_fetch, evp_generic_fetch_from_prov

- generic algorithm fetchers and method creators for EVP

=head1 SYNOPSIS

@@ -20,15 +20,6 @@ evp_generic_fetch, evp_generic_fetch_by_number, evp_generic_fetch_from_prov

int (*up_ref_method)(void *),

void (*free_method)(void *));

- void *evp_generic_fetch_by_number(OSSL_LIB_CTX *ctx, int operation_id,

- int name_id, const char *properties,

- void *(*new_method)(int name_id,

- const OSSL_DISPATCH *fns,

- OSSL_PROVIDER *prov,

- void *method_data),

- void *method_data,

- int (*up_ref_method)(void *),

- void (*free_method)(void *));

void *evp_generic_fetch_from_prov(OSSL_PROVIDER *prov, int operation_id,

int name_id, const char *properties,

void *(*new_method)(int name_id,

@@ -46,14 +37,6 @@ I<libctx>, I<operation_id>, I<name>, and I<properties> and uses

it to create an EVP method with the help of the functions

I<new_method>, I<up_ref_method>, and I<free_method>.

-evp_generic_fetch_by_number() does the same thing as evp_generic_fetch(),

-but takes a numeric I<name_id> instead of a name.

-I<name_id> must always be nonzero; as a matter of fact, it being zero

-is considered a programming error.

-This is meant to be used when one method needs to fetch an associated

-method, and is typically called from inside the given function

-I<new_method>.

evp_generic_fetch_from_prov() does the same thing as evp_generic_fetch(),

but limits the search of methods to the provider given with I<prov>.

This is meant to be used when one method needs to fetch an associated

@@ -138,6 +121,9 @@ And here's the implementation of the FOO method fetcher:

if ((foo = OPENSSL_zalloc(sizeof(*foo))) == NULL)

return NULL;

+ if (!CRYPTO_NEW_REF(&foo->refcnt, 1))

+ goto err;

foo->name_id = name_id;

for (; fns->function_id != 0; fns++) {

@@ -159,18 +145,32 @@ And here's the implementation of the FOO method fetcher:

break;

}

+ if (prov != NULL && !ossl_provider_up_ref(prov))

+ goto err;

foo->prov = prov;

- if (prov)

- ossl_provider_up_ref(prov);

return foo;

+ err:

+ if (foo != NULL)

+ CRYPTO_FREE_REF(&foo->refcnt);

+ OPENSSL_free(foo);

+ return NULL

}

EVP_FOO_meth_free(EVP_FOO *foo)

{

+ int i;

if (foo != NULL) {

OSSL_PROVIDER *prov = foo->prov;

+ CRYPTO_DOWN_REF(&foo->refcnt, &i);

+ if (i > 0)

+ return;

+ CRYPTO_FREE_REF(&foo->refcnt);

OPENSSL_free(foo);

ossl_provider_free(prov);

}

@@ -187,7 +187,7 @@ And here's the implementation of the FOO method fetcher:

EVP_FOO *foo = vfoo;

int ref = 0;

- CRYPTO_UP_REF(&foo->refcnt, &ref, foo_lock);

+ CRYPTO_UP_REF(&foo->refcnt, &ref);

return 1;

}

@@ -275,7 +275,7 @@ The functions described here were all added in OpenSSL 3.0.

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
index 7099e4496473..1008d2113149 100644
--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
+++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod

@@ -25,7 +25,7 @@ OP_CACHE_ELEM

OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk,

EVP_KEYMGMT *keymgmt,

int selection);

- int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking);

+ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk);

int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt,

void *keydata, int selection);

void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk);

@@ -52,9 +52,8 @@ I<keymgmt> in I<pk>'s cache of provided keys for operations.

It should only be called while holding I<pk>'s lock (read or write).

evp_keymgmt_util_clear_operation_cache() can be used to explicitly

-clear the cache of operation key references. If I<locking> is set to 1 then

-then I<pk>'s lock will be obtained while doing the clear. Otherwise it will be

-assumed that the lock has already been obtained or is not required.

+clear the cache of operation key references. If required the lock must already

+have been obtained.

evp_keymgmt_util_cache_keydata() can be used to add a provider key

object to a B<PKEY>.

@@ -96,7 +95,7 @@ L<EVP_PKEY_ASN1_METHOD(3)>, L<EVP_PKEY_assign_RSA(3)>

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/doc/internal/man3/ossl_DER_w_bn.pod b/doc/internal/man3/ossl_DER_w_bn.pod
index 49644ffd058f..3d67067a9e8b 100644
--- a/doc/internal/man3/ossl_DER_w_bn.pod
+++ b/doc/internal/man3/ossl_DER_w_bn.pod

@@ -56,7 +56,7 @@ L<DERlib(7)>

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/doc/internal/man3/ossl_cmp_mock_srv_new.pod b/doc/internal/man3/ossl_cmp_mock_srv_new.pod
index 7bc449a84352..6f4f4fe86ba0 100644
--- a/doc/internal/man3/ossl_cmp_mock_srv_new.pod
+++ b/doc/internal/man3/ossl_cmp_mock_srv_new.pod

@@ -4,9 +4,13 @@

ossl_cmp_mock_srv_new,

ossl_cmp_mock_srv_free,

+ossl_cmp_mock_srv_set1_refCert,

ossl_cmp_mock_srv_set1_certOut,

ossl_cmp_mock_srv_set1_chainOut,

ossl_cmp_mock_srv_set1_caPubsOut,

+ossl_cmp_mock_srv_set1_newWithNew,

+ossl_cmp_mock_srv_set1_newWithOld,

+ossl_cmp_mock_srv_set1_oldWithNew,

ossl_cmp_mock_srv_set_statusInfo,

ossl_cmp_mock_srv_set_sendError,

ossl_cmp_mock_srv_set_pollCount,

@@ -20,11 +24,15 @@ ossl_cmp_mock_srv_set_checkAfterTime

OSSL_CMP_SRV_CTX *ossl_cmp_mock_srv_new(OSSL_LIB_CTX *libctx, const char *propq);

void ossl_cmp_mock_srv_free(OSSL_CMP_SRV_CTX *srv_ctx);

- int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *srv_ctx, X509 *cert);

+ int ossl_cmp_mock_srv_set1_refCert(OSSL_CMP_SRV_CTX *ctx, const X509 *cert);

+ int ossl_cmp_mock_srv_set1_certOut(OSSL_CMP_SRV_CTX *ctx, const X509 *cert);

int ossl_cmp_mock_srv_set1_chainOut(OSSL_CMP_SRV_CTX *srv_ctx,

- STACK_OF(X509) *chain);

+ const STACK_OF(X509) *chain);

int ossl_cmp_mock_srv_set1_caPubsOut(OSSL_CMP_SRV_CTX *srv_ctx,

- STACK_OF(X509) *caPubs);

+ const STACK_OF(X509) *caPubs);

+ int ossl_cmp_mock_srv_set1_newWithNew(OSSL_CMP_SRV_CTX *ctx, const X509 *cert);

+ int ossl_cmp_mock_srv_set1_newWithOld(OSSL_CMP_SRV_CTX *ctx, const X509 *cert);

+ int ossl_cmp_mock_srv_set1_oldWithNew(OSSL_CMP_SRV_CTX *ctx, const X509 *cert);

int ossl_cmp_mock_srv_set_statusInfo(OSSL_CMP_SRV_CTX *srv_ctx, int status,

int fail_info, const char *text);

int ossl_cmp_mock_srv_set_sendError(OSSL_CMP_SRV_CTX *srv_ctx, int bodytype);

@@ -39,15 +47,30 @@ I<propq>, both of which may be NULL to select the defaults.

ossl_cmp_mock_srv_free() deallocates the contexts for the CMP mock server.

-ossl_cmp_mock_srv_set1_certOut() sets the certificate to be returned in

-cp/ip/kup.

+ossl_cmp_mock_srv_set1_refCert() sets the reference certificate (or NULL)

+to be expected for rr messages and for any oldCertID included in kur messages.

-ossl_cmp_mock_srv_set1_chainOut() sets the certificate chain to be added to

-the extraCerts in a cp/ip/kup.

+ossl_cmp_mock_srv_set1_certOut() sets the certificate (or NULL)

+to be returned in cp/ip/kup messages.

+Note that on each certificate request the mock server does not produce

+a fresh certificate but just returns the same pre-existing certificate.

+ossl_cmp_mock_srv_set1_chainOut() sets the certificate chain (or NULL)

+to be added to the extraCerts in a cp/ip/kup message.

It should be useful for the validation of the certificate given via

ossl_cmp_mock_srv_set1_certOut().

-ossl_cmp_mock_srv_set1_caPubsOut() sets the caPubs to be returned in an ip.

+ossl_cmp_mock_srv_set1_caPubsOut() sets list of certificates (or NULL) to be

+returned in the caPubs field an ip message and in a genp of infoType caCerts.

+ossl_cmp_mock_srv_set1_newWithNew() sets the value (which may be NULL)

+of the newWithNew field to be returned in a genp of infoType rootCaKeyUpdate.

+ossl_cmp_mock_srv_set1_newWithOld() sets the value (which may be NULL)

+of the newWithOld field to be returned in a genp of infoType rootCaKeyUpdate.

+ossl_cmp_mock_srv_set1_oldWithNew() sets the value (which may be NULL)

+of the oldWithNew field to be returned in a genp of infoType rootCaKeyUpdate.

ossl_cmp_mock_srv_set_statusInfo() sets the status info to be returned.

diff --git a/doc/internal/man3/ossl_cmp_msg_check_update.pod b/doc/internal/man3/ossl_cmp_msg_check_update.pod
index 4e7a9224afdd..d1513bf34f0c 100644
--- a/doc/internal/man3/ossl_cmp_msg_check_update.pod
+++ b/doc/internal/man3/ossl_cmp_msg_check_update.pod

@@ -33,7 +33,7 @@ The B<msg> is checked for the following:

=item its protection is present and valid (or a callback function B<cb>

is present and indicates that a missing or invalid protection is acceptable),

-=item its CMP protocol version is acceptable, namely B<OSSL_CMP_PVNO>,

+=item its CMP protocol version is acceptable,

=item its body type is valid,

@@ -66,7 +66,7 @@ and learns the transaction ID if none is currently present in B<ctx>.

Moreover, according to RFC 4210 section 5.3.2, if the message protection is

PBM-based then any certificates in the caPubs field are added to the list of

-trusted certificates (if set via L<OSSL_CMP_CTX_set0_trustedStore(3)>).

+trusted certificates (if set via L<OSSL_CMP_CTX_set0_trusted(3)>).

This way these certs are available for validating subsequent messages in the

same context and could apply to any Polling Response (pollRep), error, or PKI

Confirmation (PKIConf) messages following in the same or future transactions.

diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod
index 744fbce576ca..7e14274f584a 100644
--- a/doc/internal/man3/ossl_cmp_msg_protect.pod
+++ b/doc/internal/man3/ossl_cmp_msg_protect.pod

@@ -21,6 +21,9 @@ ossl_cmp_msg_add_extraCerts

ossl_cmp_calc_protection() calculates the protection for the given I<msg>

according to the algorithm and parameters in the message header's protectionAlg

using the credentials, library context, and property criteria in the I<ctx>.

+Unless I<msg->header->protectionAlg> is B<PasswordBasedMAC>,

+its value is completed according to I<ctx->pkey> and I<ctx->digest>,

+where the latter irrelevant in the case of Edwards curves.

ossl_cmp_msg_protect() (re-)protects the given message I<msg> using an algorithm

depending on the available context information given in the I<ctx>.

diff --git a/doc/internal/man3/ossl_lib_ctx_get_data.pod b/doc/internal/man3/ossl_lib_ctx_get_data.pod
index faedf7275f08..2780c7b91706 100644
--- a/doc/internal/man3/ossl_lib_ctx_get_data.pod
+++ b/doc/internal/man3/ossl_lib_ctx_get_data.pod

@@ -11,14 +11,7 @@ ossl_lib_ctx_is_child

#include <openssl/types.h>

#include "internal/cryptlib.h"

- typedef struct ossl_lib_ctx_method {

- int priority;

- void *(*new_func)(OSSL_LIB_CTX *ctx);

- void (*free_func)(void *);

- } OSSL_LIB_CTX_METHOD;

- void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index,

- const OSSL_LIB_CTX_METHOD *meth);

+ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index);

int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx,

ossl_lib_ctx_run_once_fn run_once_fn);

@@ -28,38 +21,24 @@ ossl_lib_ctx_is_child

=head1 DESCRIPTION

-Internally, the OpenSSL library context B<OSSL_LIB_CTX> is implemented

-as a B<CRYPTO_EX_DATA>, which allows data from diverse parts of the

-library to be added and removed dynamically.

-Each such data item must have a corresponding CRYPTO_EX_DATA index

-associated with it. Unlike normal CRYPTO_EX_DATA objects we use static indexes

-to identify data items. These are mapped transparently to CRYPTO_EX_DATA dynamic

-indexes internally to the implementation.

-See the example further down to see how that's done.

-ossl_lib_ctx_get_data() is used to retrieve a pointer to the data in

-the library context I<ctx> associated with the given I<index>. An

-OSSL_LIB_CTX_METHOD must be defined and given in the I<meth> parameter. The index

-for it should be defined in cryptlib.h. The functions through the method are

-used to create or free items that are stored at that index whenever a library

-context is created or freed, meaning that the code that use a data item of that

-index doesn't have to worry about that, just use the data available.

-Deallocation of an index happens automatically when the library

-context is freed.

-ossl_lib_ctx_run_once is used to run some initialisation routine I<run_once_fn>

+ossl_lib_ctx_run_once() is used to run some initialisation routine I<run_once_fn>

exactly once per library context I<ctx> object. Each initialisation routine

should be allocate a unique run once index in cryptlib.h.

Any resources allocated via a run once initialisation routine can be cleaned up

-using ossl_lib_ctx_onfree. This associates an "on free" routine I<onfreefn> with

+using ossl_lib_ctx_onfree(). This associates an "on free" routine I<onfreefn> with

the library context I<ctx>. When I<ctx> is freed all associated "on free"

routines are called.

ossl_lib_ctx_is_child() returns 1 if this library context is a child and 0

otherwise.

+ossl_lib_ctx_get_data() allows different parts of the library to retrieve

+pointers to structures used in diverse parts of the library. The lifetime of

+these structures is managed by B<OSSL_LIB_CTX>. The different objects which can

+be retrieved are specified with the given argument I<index>. The valid values of

+I<index> are specified in cryptlib.h.

=head1 RETURN VALUES

ossl_lib_ctx_get_data() returns a pointer on success, or NULL on

@@ -67,51 +46,15 @@ failure.

=head1 EXAMPLES

-=head2 Initialization

-For a type C<FOO> that should end up in the OpenSSL library context, a

-small bit of initialization is needed, i.e. to associate a constructor

-and a destructor to an index.

- typedef struct foo_st {

- int i;

- void *data;

- } FOO;

- static void *foo_new(OSSL_LIB_CTX *ctx)

- {

- FOO *ptr = OPENSSL_zalloc(sizeof(*foo));

- if (ptr != NULL)

- ptr->i = 42;

- return ptr;

- }

- static void foo_free(void *ptr)

- {

- OPENSSL_free(ptr);

- }

- /*

- * Include a reference to this in the methods table in context.c

- * OSSL_LIB_CTX_FOO_INDEX should be added to internal/cryptlib.h

- * Priorities can be OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,

- * OSSL_LIB_CTX_METHOD_PRIORITY_1, OSSL_LIB_CTX_METHOD_PRIORITY_2, etc.

- * Default priority is low (0). The higher the priority the earlier the

- * method's destructor will be called when the library context is cleaned up.

- */

- const OSSL_LIB_CTX_METHOD foo_method = {

- OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY,

- foo_new,

- foo_free

- };

=head2 Usage

-To get and use the data stored in the library context, simply do this:

+To obtain a pointer for an object managed by the library context, simply do

+this:

* ctx is received from a caller,

- FOO *data = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_FOO_INDEX, &foo_method);

+ FOO *data = ossl_lib_ctx_get_data(ctx, OSSL_LIB_CTX_FOO_INDEX);

=head2 Run Once

@@ -144,7 +87,7 @@ L<OSSL_LIB_CTX(3)>

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/doc/internal/man3/ossl_method_construct.pod b/doc/internal/man3/ossl_method_construct.pod
index 422d7a5b6850..603930dc1f69 100644
--- a/doc/internal/man3/ossl_method_construct.pod
+++ b/doc/internal/man3/ossl_method_construct.pod

@@ -148,7 +148,7 @@ This functionality was added to OpenSSL 3.0.

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use this

file except in compliance with the License. You can obtain a copy in the file

diff --git a/doc/internal/man3/ossl_namemap_new.pod b/doc/internal/man3/ossl_namemap_new.pod
index ff247e87b03c..7f4940fc9341 100644
--- a/doc/internal/man3/ossl_namemap_new.pod
+++ b/doc/internal/man3/ossl_namemap_new.pod

@@ -3,7 +3,7 @@

=head1 NAME

ossl_namemap_new, ossl_namemap_free, ossl_namemap_stored, ossl_namemap_empty,

-ossl_namemap_add_name, ossl_namemap_add_name_n, ossl_namemap_add_names,

+ossl_namemap_add_name, ossl_namemap_add_names,

ossl_namemap_name2num, ossl_namemap_name2num_n,

ossl_namemap_doall_names

- internal number E<lt>-E<gt> name map

@@ -19,8 +19,6 @@ ossl_namemap_doall_names

int ossl_namemap_empty(OSSL_NAMEMAP *namemap);

int ossl_namemap_add_name(OSSL_NAMEMAP *namemap, int number, const char *name);

- int ossl_namemap_add_name_n(OSSL_NAMEMAP *namemap, int number,

- const char *name, size_t name_len);

int ossl_namemap_name2num(const OSSL_NAMEMAP *namemap, const char *name);

int ossl_namemap_name2num_n(const OSSL_NAMEMAP *namemap,

@@ -62,10 +60,9 @@ names already associated with that number.

ossl_namemap_name2num() finds the number corresponding to the given

I<name>.

-ossl_namemap_add_name_n() and ossl_namemap_name2num_n() do the same thing

-as ossl_namemap_add_name() and ossl_namemap_name2num(), but take a string

-length I<name_len> as well, allowing the caller to use a fragment of

-a string as a name.

+ossl_namemap_name2num_n() does the same thing as

+ossl_namemap_name2num(), but takes a string length I<name_len> as well,

+allowing the caller to use a fragment of a string as a name.

ossl_namemap_doall_names() walks through all names associated with

I<number> in the given I<namemap> and calls the function I<fn> for

@@ -88,8 +85,8 @@ ossl_namemap_empty() returns 1 if the B<OSSL_NAMEMAP> is NULL or

empty, 0 if it's not empty, or -1 on internal error (such as inability

to lock).

-ossl_namemap_add_name() and ossl_namemap_add_name_n() return the number

-associated with the added string, or zero on error.

+ossl_namemap_add_name() returns the number associated with the added

+string, or zero on error.

ossl_namemap_num2names() returns a pointer to a NULL-terminated list of

pointers to the names corresponding to the given number, or NULL if

diff --git a/doc/internal/man3/ossl_provider_new.pod b/doc/internal/man3/ossl_provider_new.pod
index 193472462b38..3e3694b79cae 100644
--- a/doc/internal/man3/ossl_provider_new.pod
+++ b/doc/internal/man3/ossl_provider_new.pod

@@ -3,9 +3,8 @@

=head1 NAME

ossl_provider_find, ossl_provider_new, ossl_provider_up_ref,

-ossl_provider_free,

-ossl_provider_set_fallback, ossl_provider_set_module_path,

-ossl_provider_add_parameter, ossl_provider_set_child, ossl_provider_get_parent,

+ossl_provider_free, ossl_provider_set_module_path,

+ossl_provider_set_child, ossl_provider_get_parent,

ossl_provider_up_ref_parent, ossl_provider_free_parent,

ossl_provider_default_props_update, ossl_provider_get0_dispatch,

ossl_provider_init_as_child, ossl_provider_deinit_child,

@@ -18,6 +17,7 @@ ossl_provider_libctx,

ossl_provider_teardown, ossl_provider_gettable_params,

ossl_provider_get_params,

ossl_provider_query_operation, ossl_provider_unquery_operation,

+ossl_provider_random_bytes,

ossl_provider_set_operation_bit, ossl_provider_test_operation_bit,

ossl_provider_get_capabilities

- internal provider routines

@@ -35,10 +35,7 @@ ossl_provider_get_capabilities

void ossl_provider_free(OSSL_PROVIDER *prov);

/* Setters */

- int ossl_provider_set_fallback(OSSL_PROVIDER *prov);

int ossl_provider_set_module_path(OSSL_PROVIDER *prov, const char *path);

- int ossl_provider_add_parameter(OSSL_PROVIDER *prov, const char *name,

- const char *value);

/* Child Providers */

int ossl_provider_set_child(OSSL_PROVIDER *prov,

@@ -90,6 +87,8 @@ ossl_provider_get_capabilities

void ossl_provider_unquery_operation(const OSSL_PROVIDER *prov,

int operation_id,

const OSSL_ALGORITHM *algs);

+ int ossl_provider_random_bytes(const OSSL_PROVIDER *prov, int which,

+ void *buf, size_t n, unsigned int strength);

int ossl_provider_set_operation_bit(OSSL_PROVIDER *provider, size_t bitnum);

int ossl_provider_test_operation_bit(OSSL_PROVIDER *provider, size_t bitnum,

@@ -159,11 +158,6 @@ to have fallen out of use and will be deinitialized (its I<teardown>

function is called), and the associated module will be unloaded if one

was loaded, and I<prov> itself will be freed.

-ossl_provider_set_fallback() marks an available provider I<prov> as

-fallback.

-Note that after this call, the provider object pointer that was

-used can simply be dropped, but not freed.

ossl_provider_set_module_path() sets the module path to load the

provider module given the provider object I<prov>.

This will be used in preference to automatically trying to figure out

@@ -173,13 +167,6 @@ on this in L</NOTES>).

ossl_provider_libctx() returns the library context the given

provider I<prov> is registered in.

-ossl_provider_add_parameter() adds a global parameter for the provider

-to retrieve as it sees fit.

-The parameters are a combination of I<name> and I<value>, and the

-provider will use the name to find the value it wants.

-Only text parameters can be given, and it's up to the provider to

-interpret them.

ossl_provider_set_child() marks this provider as a child of a provider in the

parent library context. I<handle> is the B<OSSL_CORE_HANDLE> object passed to

the provider's B<OSSL_provider_init> function.

@@ -292,6 +279,26 @@ ossl_provider_unquery_operation() informs the provider that the result of

ossl_provider_query_operation() is no longer going to be directly accessed and

that all relevant information has been copied.

+ossl_provider_random_bytes() queries the provider, I<prov>, randomness

+source for I<n> bytes of entropy which are returned in the buffer

+I<buf>, the returned entropy will have a number of bits of I<strength>.

+The entropy is drawn from the source, I<which>, which can be:

+=over 4

+=item *

+OSSL_PROV_RANDOM_PUBLIC for a source equivalent to L<RAND_bytes(3)> or

+=item *

+.OSSL_PROV_RANDOM_PRIVATE for a source equivalent to L<RAND_priv_bytes(3)>.

+=back

+Specifying other values for I<which> will result in an unspecified source but will

+not result in an error.

ossl_provider_set_operation_bit() registers a 1 for operation I<bitnum>

in a bitstring that's internal to I<provider>.

@@ -350,7 +357,7 @@ ossl_provider_doall_activated() returns 1 if the callback was called for all

activated providers. A return value of 0 means that the callback was not

called for any activated providers.

-ossl_provider_set_module_path(), ossl_provider_set_fallback(),

+ossl_provider_set_module_path(),

ossl_provider_activate(), ossl_provider_activate_leave_fallbacks() and

ossl_provider_deactivate(), ossl_provider_add_to_store(),

ossl_provider_default_props_update() return 1 on success, or 0 on error.

@@ -380,6 +387,9 @@ ossl_provider_get_capabilities() returns 1 on success, or 0 on error.

If this function isn't available in the provider or the provider does not

support the requested capability then 0 is returned.

+ossl_provider_random_bytes() returns 1 on success or 0 or -1 on error as per

+L<RAND_bytes(3)>.

=head1 SEE ALSO

L<OSSL_PROVIDER(3)>, L<provider(7)>, L<openssl(1)>

@@ -390,7 +400,7 @@ The functions described here were all added in OpenSSL 3.0.

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/doc/internal/man3/ossl_punycode_decode.pod b/doc/internal/man3/ossl_punycode_decode.pod
index 652626159e3a..64fe670ac6ae 100644
--- a/doc/internal/man3/ossl_punycode_decode.pod
+++ b/doc/internal/man3/ossl_punycode_decode.pod

@@ -2,7 +2,7 @@

=head1 NAME

-ossl_punycode_decode, ossl_a2ulabel, ossl_a2ucompare

+ossl_punycode_decode, ossl_a2ulabel

- internal punycode-related functions

=head1 SYNOPSIS

@@ -12,33 +12,24 @@ ossl_punycode_decode, ossl_a2ulabel, ossl_a2ucompare

int ossl_punycode_decode(const char *pEncoded, const size_t enc_len,

unsigned int *pDecoded, unsigned int *pout_length);

- int ossl_a2ulabel(const char *in, char *out, size_t *outlen);

- int ossl_a2ucompare(const char *a, const char *u);

+ int ossl_a2ulabel(const char *in, char *out, size_t outlen);

=head1 DESCRIPTION

PUNYCODE encoding introduced in RFCs 3490-3492 is widely used for

-representation of host names in ASCII-only format. Some specifications,

-such as RFC 8398, require comparison of host names encoded in UTF-8 charset.

+representation of hostnames in ASCII-only format. Some specifications,

+such as RFC 8398, require comparison of hostnames encoded in UTF-8 charset.

ossl_a2ulabel() decodes NUL-terminated hostname from PUNYCODE to UTF-8,

-using a provided buffer for output.

-ossl_a2ucompare() accepts two NUL-terminated hostnames, decodes the 1st

-from PUNYCODE to UTF-8 and compares it with the 2nd one as is.

+using a provided buffer for output. The output buffer is NUL-terminated.

ossl_punycode_decode() decodes one label (one dot-separated part) from

a hostname, with stripped PUNYCODE marker I<xn-->.

=head1 RETURN VALUES

-ossl_a2ulabel() returns 1 on success, 0 on not enough buf passed,

--1 on invalid PUNYCODE string passed. When valid string is provided, it sets the

-I<*outlen> to the length of required buffer to perform correct decoding.

-ossl_a2ucompare() returns 1 on non-equal strings, 0 on equal strings,

--1 when invalid PUNYCODE string passed.

+ossl_a2ulabel() returns 1 on success, 0 if the output buffer is too small and

+-1 if an invalid PUNYCODE string is passed or another error occurs.

ossl_punycode_decode() returns 1 on success, 0 on error. On success,

*pout_length contains the number of codepoints decoded.

@@ -49,7 +40,7 @@ The functions described here were all added in OpenSSL 3.0.

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/doc/internal/man3/ossl_rand_get_entropy.pod b/doc/internal/man3/ossl_rand_get_entropy.pod
index 4da3f1f4d9db..be39369f2b70 100644
--- a/doc/internal/man3/ossl_rand_get_entropy.pod
+++ b/doc/internal/man3/ossl_rand_get_entropy.pod

@@ -2,8 +2,10 @@

=head1 NAME

-ossl_rand_get_entropy, ossl_rand_cleanup_entropy,

-ossl_rand_get_nonce, ossl_rand_cleanup_nonce

+ossl_rand_get_entropy, ossl_rand_get_user_entropy,

+ossl_rand_cleanup_entropy, ossl_rand_cleanup_user_entropy,

+ossl_rand_get_nonce, ossl_rand_get_user_nonce,

+ossl_rand_cleanup_nonce, ossl_rand_cleanup_user_nonce

- get seed material from the operating system

=head1 SYNOPSIS

@@ -13,13 +15,23 @@ ossl_rand_get_nonce, ossl_rand_cleanup_nonce

size_t ossl_rand_get_entropy(OSSL_CORE_HANDLE *handle,

unsigned char **pout, int entropy,

size_t min_len, size_t max_len);

+ size_t ossl_rand_get_user_entropy(OSSL_CORE_HANDLE *handle,

+ unsigned char **pout, int entropy,

+ size_t min_len, size_t max_len);

void ossl_rand_cleanup_entropy(OSSL_CORE_HANDLE *handle,

unsigned char *buf, size_t len);

+ void ossl_rand_cleanup_user_entropy(OSSL_CORE_HANDLE *handle,

+ unsigned char *buf, size_t len);

size_t ossl_rand_get_nonce(OSSL_CORE_HANDLE *handle,

unsigned char **pout, size_t min_len,

size_t max_len, const void *salt, size_t salt_len);

+ size_t ossl_rand_get_user_nonce(OSSL_CORE_HANDLE *handle, unsigned char **pout,

+ size_t min_len, size_t max_len,

+ const void *salt, size_t salt_len);

void ossl_rand_cleanup_nonce(OSSL_CORE_HANDLE *handle,

unsigned char *buf, size_t len);

+ void ossl_rand_cleanup_user_nonce(OSSL_CORE_HANDLE *handle,

+ unsigned char *buf, size_t len);

=head1 DESCRIPTION

@@ -29,9 +41,18 @@ stored in a buffer which contains at least I<min_len> and at most I<max_len>

bytes. The buffer address is stored in I<*pout> and the buffer length is

returned to the caller.

+ossl_rand_get_user_entropy() is the same as ossl_rand_get_entropy()

+except that it retrieves the seeding material from the library context's

+DRBG seed source. By default this is the operating system but it can

+be changed by calling L<RAND_set_seed_source_type(3)>.

ossl_rand_cleanup_entropy() cleanses and frees any storage allocated by

-ossl_rand_get_entropy(). The seeding buffer is pointed to by I<buf> and is

-of length I<len> bytes.

+ossl_rand_get_entropy(). The entropy buffer is pointed to by I<buf>

+and is of length I<len> bytes.

+ossl_rand_cleanup_user_entropy() cleanses and frees any storage allocated by

+ossl_rand_get_user_entropy(). The entropy buffer is pointed to by I<buf>

+and is of length I<len> bytes.

ossl_rand_get_nonce() retrieves a nonce using the passed I<salt> parameter

of length I<salt_len> and operating system specific information.

@@ -41,22 +62,39 @@ The output is stored in a buffer which contains at least I<min_len> and at

most I<max_len> bytes. The buffer address is stored in I<*pout> and the

buffer length returned to the caller.

+ossl_rand_get_user_nonce() is the same as ossl_rand_get_nonce() except

+that it retrieves the seeding material from the library context's DRBG

+seed source. By default this is the operating system but it can be

+changed by calling L<RAND_set_seed_source_type(3)>.

ossl_rand_cleanup_nonce() cleanses and frees any storage allocated by

-ossl_rand_get_nonce(). The nonce buffer is pointed to by I<buf> and is

-of length I<len> bytes.

+ossl_rand_get_nonce() or ossl_rand_get_user_nonce(). The nonce buffer

+is pointed to by I<buf> and is of length I<len> bytes.

+=head1 NOTES

+FIPS providers 3.0.0, 3.0.8 and 3.0.9 incorrectly pass a provider

+internal pointer to ossl_rand_get_entropy(), ossl_rand_cleanup_entropy(),

+ossl_rand_get_nonce() and ossl_rand_cleanup_nonce(). This pointer cannot

+be safely dereferenced.

=head1 RETURN VALUES

-ossl_rand_get_entropy() and ossl_rand_get_nonce() return the number of bytes

-in I<*pout> or 0 on error.

+ossl_rand_get_entropy(), ossl_rand_get_user_entropy(),

+ossl_rand_get_nonce() and ossl_rand_get_user_nonce() return the number

+of bytes in I<*pout> or 0 on error.

=head1 HISTORY

-The functions described here were all added in OpenSSL 3.0.

+The functions ossl_rand_get_user_entropy(), ossl_rand_get_user_nonce(),

+ossl_rand_cleanup_user_entropy(), and ossl_rand_cleanup_user_nonce()

+were added in OpenSSL 3.1.4 and 3.2.0.

+The remaining functions described here were all added in OpenSSL 3.0.

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy

diff --git a/doc/internal/man3/ossl_random_add_conf_module.pod b/doc/internal/man3/ossl_random_add_conf_module.pod
index a3c1285fe01b..f1fd22be10fa 100644
--- a/doc/internal/man3/ossl_random_add_conf_module.pod
+++ b/doc/internal/man3/ossl_random_add_conf_module.pod

@@ -32,7 +32,7 @@ The functions described here were all added in OpenSSL 3.0.

=head1 COPYRIGHT

Licensed under the Apache License 2.0 (the "License"). You may not use

this file except in compliance with the License. You can obtain a copy