author | Enji Cooper <ngie@FreeBSD.org> | 2025-07-11 00:18:38 +0000 |
---|---|---|
committer | Enji Cooper <ngie@FreeBSD.org> | 2025-07-11 00:18:38 +0000 |
commit | ecf8229ffeb17a05c78fab6b973b0cccb84e25c5 (patch) | |
tree | da8cf5ccc84d9bc3fbadcf674c7d501f9ca7ab5d /doc/man3 | |
parent | 1c34280346af8284acdc0eae39496811d37df25d (diff) |
Diffstat (limited to 'doc/man3')
-rw-r--r-- | doc/man3/CMS_sign.pod | 4 | ||||
-rw-r--r-- | doc/man3/DTLS_set_timer_cb.pod | 13 | ||||
-rw-r--r-- | doc/man3/EVP_PKEY_CTX_new.pod | 9 | ||||
-rw-r--r-- | doc/man3/EVP_RAND.pod | 11 | ||||
-rw-r--r-- | doc/man3/OSSL_PARAM.pod | 4 | ||||
-rw-r--r-- | doc/man3/OSSL_PARAM_int.pod | 25 | ||||
-rw-r--r-- | doc/man3/PKCS7_sign.pod | 4 | ||||
-rw-r--r-- | doc/man3/SSL_CONF_cmd.pod | 4 | ||||
-rw-r--r-- | doc/man3/SSL_CTX_set_min_proto_version.pod | 7 | ||||
-rw-r--r-- | doc/man3/SSL_CTX_set_options.pod | 4 | ||||
-rw-r--r-- | doc/man3/SSL_SESSION_get0_hostname.pod | 8 | ||||
-rw-r--r-- | doc/man3/SSL_key_update.pod | 6 | ||||
-rw-r--r-- | doc/man3/X509_VERIFY_PARAM_set_flags.pod | 6 |
13 files changed, 70 insertions, 35 deletions
diff --git a/doc/man3/CMS_sign.pod b/doc/man3/CMS_sign.pod index 03bfc6fce16a..9e28d6b7d3b5 100644 --- a/doc/man3/CMS_sign.pod +++ b/doc/man3/CMS_sign.pod @@ -96,7 +96,7 @@ can be performed by obtaining the streaming ASN1 B<BIO> directly using BIO_new_CMS(). If a signer is specified it will use the default digest for the signing -algorithm. This is B<SHA1> for both RSA and DSA keys. +algorithm. This is B<SHA256> for both RSA and DSA keys. If B<signcert> and B<pkey> are NULL then a certificates only CMS structure is output. @@ -132,7 +132,7 @@ The CMS_sign_ex() method was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2008-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2008-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/DTLS_set_timer_cb.pod b/doc/man3/DTLS_set_timer_cb.pod index 5014e77d0fc8..618fd1f6ff0e 100644 --- a/doc/man3/DTLS_set_timer_cb.pod +++ b/doc/man3/DTLS_set_timer_cb.pod @@ -20,6 +20,17 @@ This function sets an optional callback function for controlling the timeout interval on the DTLS protocol. The callback function will be called by DTLS for every new DTLS packet that is sent. +The callback should return the timeout interval in micro seconds. + +The I<timer_us> parameter of the callback is the last set timeout +interval returned. On the first invocation of the callback, +this value will be 0. + +At the beginning of the connection, if no timeout callback has been +set via DTLS_set_timer_cb(), the default timeout value is 1 second. +For all subsequent timeouts, the default behavior is to double the +duration up to a maximum of 1 minute. + =head1 RETURN VALUES Returns void. 
@@ -30,7 +41,7 @@ The DTLS_set_timer_cb() function was added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_CTX_new.pod b/doc/man3/EVP_PKEY_CTX_new.pod index d7ac221f7c19..a15abc2c3e17 100644 --- a/doc/man3/EVP_PKEY_CTX_new.pod +++ b/doc/man3/EVP_PKEY_CTX_new.pod @@ -49,8 +49,11 @@ used when no B<EVP_PKEY> structure is associated with the operations, for example during parameter generation or key generation for some algorithms. -EVP_PKEY_CTX_dup() duplicates the context I<ctx>. It is not supported for a -keygen operation. +EVP_PKEY_CTX_dup() duplicates the context I<ctx>. +It is not supported for a keygen operation. +It is however possible to duplicate a context freshly created via any of the +above C<new> functions, provided L<EVP_PKEY_keygen_init(3)> has not yet been +called on the source context, and then use the copy for key generation. EVP_PKEY_CTX_free() frees up the context I<ctx>. If I<ctx> is NULL, nothing is done. @@ -122,7 +125,7 @@ added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2006-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_RAND.pod b/doc/man3/EVP_RAND.pod index e5f75010499c..667599273cdc 100644 --- a/doc/man3/EVP_RAND.pod +++ b/doc/man3/EVP_RAND.pod 
@@ -151,11 +151,8 @@ operating system. If I<prediction_resistance> is specified, fresh entropy from a live source will be sought. This call operates as per NIST SP 800-90A and SP 800-90C. -EVP_RAND_nonce() creates a nonce in I<out> of maximum length I<outlen> -bytes from the RAND I<ctx>. The function returns the length of the generated -nonce. If I<out> is NULL, the length is still returned but no generation -takes place. This allows a caller to dynamically allocate a buffer of the -appropriate size. +EVP_RAND_nonce() creates a nonce in I<out> of length I<outlen> +bytes from the RAND I<ctx>. EVP_RAND_enable_locking() enables locking for the RAND I<ctx> and all of its parents. After this I<ctx> will operate in a thread safe manner, albeit @@ -376,7 +373,7 @@ B<EVP_RAND_CTX> structure or NULL if an error occurred. EVP_RAND_CTX_free() does not return a value. -EVP_RAND_nonce() returns the length of the nonce. +EVP_RAND_nonce() returns 1 on success, 0 on error. EVP_RAND_get_strength() returns the strength of the random number generator in bits. @@ -406,7 +403,7 @@ This functionality was added to OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_PARAM.pod b/doc/man3/OSSL_PARAM.pod index 22fd0f0d7dd7..8a50db2b94d4 100644 --- a/doc/man3/OSSL_PARAM.pod +++ b/doc/man3/OSSL_PARAM.pod @@ -356,7 +356,7 @@ could fill in the parameters like this: =head1 SEE ALSO -L<openssl-core.h(7)>, L<OSSL_PARAM_get_int(3)>, L<OSSL_PARAM_dup(3)> +L<openssl-core.h(7)>, L<OSSL_PARAM_get_int(3)>, L<OSSL_PARAM_dup(3)>, L<OSSL_PARAM_construct_utf8_string(3)> =head1 HISTORY 
@@ -364,7 +364,7 @@ B<OSSL_PARAM> was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod index 105fe3241f87..aaecd0a87ce9 100644 --- a/doc/man3/OSSL_PARAM_int.pod +++ b/doc/man3/OSSL_PARAM_int.pod @@ -393,6 +393,29 @@ could fill in the parameters like this: if ((p = OSSL_PARAM_locate(params, "cookie")) != NULL) OSSL_PARAM_set_utf8_ptr(p, "cookie value"); +=head2 Example 3 + +This example shows a special case where +I<-Wincompatible-pointer-types-discards-qualifiers> may be set during +compilation. The value for I<buf> cannot be a I<const char *> type string. An +alternative in this case would be to use B<OSSL_PARAM> macro abbreviated calls +rather than the specific callers which allows you to define the sha1 argument +as a standard character array (I<char[]>). + +For example, this code: + + OSSL_PARAM params[2]; + params[0] = OSSL_PARAM_construct_utf8_string("digest", "SHA1", 0); + params[1] = OSSL_PARAM_construct_end(); + +Can be made compatible with the following version: + + char sha1[] = "SHA1"; /* sha1 is defined as char[] in this case */ + OSSL_PARAM params[2]; + + params[0] = OSSL_PARAM_construct_utf8_string("digest", sha1, 0); + params[1] = OSSL_PARAM_construct_end(); + =head1 SEE ALSO L<openssl-core.h(7)>, L<OSSL_PARAM(3)> @@ -403,7 +426,7 @@ These APIs were introduced in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man3/PKCS7_sign.pod b/doc/man3/PKCS7_sign.pod index 1d997045fe14..5c55aa191def 100644 --- a/doc/man3/PKCS7_sign.pod +++ b/doc/man3/PKCS7_sign.pod @@ -80,7 +80,7 @@ can be performed by obtaining the streaming ASN1 B<BIO> directly using BIO_new_PKCS7(). If a signer is specified it will use the default digest for the signing -algorithm. This is B<SHA1> for both RSA and DSA keys. +algorithm. This is B<SHA256> for both RSA and DSA keys. The I<certs>, I<signcert> and I<pkey> parameters can all be NULL if the B<PKCS7_PARTIAL> flag is set. One or more signers can be added @@ -122,7 +122,7 @@ The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0. =head1 COPYRIGHT -Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2002-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod index ae6ca432829e..0645c75d9878 100644 --- a/doc/man3/SSL_CONF_cmd.pod +++ b/doc/man3/SSL_CONF_cmd.pod @@ -71,7 +71,7 @@ B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>. =item B<-no_renegotiation> -Disables all attempts at renegotiation in TLSv1.2 and earlier, same as setting +Disables all attempts at renegotiation in (D)TLSv1.2 and earlier, same as setting B<SSL_OP_NO_RENEGOTIATION>. =item B<-no_resumption_on_reneg> @@ -735,7 +735,7 @@ OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2012-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2012-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_min_proto_version.pod b/doc/man3/SSL_CTX_set_min_proto_version.pod index 2adf9acce00a..a4a49d8549e6 100644 --- a/doc/man3/SSL_CTX_set_min_proto_version.pod 
+++ b/doc/man3/SSL_CTX_set_min_proto_version.pod @@ -31,9 +31,10 @@ L<SSL_CTX_set_options(3)> that also make it possible to disable specific protocol versions. Use these functions instead of disabling specific protocol versions. -Setting the minimum or maximum version to 0, will enable protocol +Setting the minimum or maximum version to 0 (default), will enable protocol versions down to the lowest version, or up to the highest version -supported by the library, respectively. +supported by the library, respectively. The supported versions might be +controlled by system configuration. Getters return 0 in case B<ctx> or B<ssl> have been configured to automatically use the lowest or highest version supported by the library. @@ -64,7 +65,7 @@ were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_options.pod b/doc/man3/SSL_CTX_set_options.pod index 176f8d25fc31..93e7198166f7 100644 --- a/doc/man3/SSL_CTX_set_options.pod +++ b/doc/man3/SSL_CTX_set_options.pod @@ -241,7 +241,7 @@ Do not query the MTU. Only affects DTLS connections. =item SSL_OP_NO_RENEGOTIATION -Disable all renegotiation in TLSv1.2 and earlier. Do not send HelloRequest +Disable all renegotiation in (D)TLSv1.2 and earlier. Do not send HelloRequest messages, and ignore renegotiation requests via ClientHello. =item SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 
@@ -456,7 +456,7 @@ whether these macros are defined or not. =head1 COPYRIGHT -Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_SESSION_get0_hostname.pod b/doc/man3/SSL_SESSION_get0_hostname.pod index f560e7751d84..f7add16d7bdd 100644 --- a/doc/man3/SSL_SESSION_get0_hostname.pod +++ b/doc/man3/SSL_SESSION_get0_hostname.pod @@ -24,10 +24,8 @@ SSL_SESSION_set1_alpn_selected =head1 DESCRIPTION SSL_SESSION_get0_hostname() retrieves the SNI value that was sent by the -client when the session was created if it was accepted by the server and TLSv1.2 -or below was negotiated. Otherwise NULL is returned. Note that in TLSv1.3 the -SNI hostname is negotiated with each handshake including resumption handshakes -and is therefore never associated with the session. +client when the session was created if it was accepted by the server. Otherwise +NULL is returned. The value returned is a pointer to memory maintained within B<s> and should not be free'd. @@ -67,7 +65,7 @@ SSL_SESSION_set1_alpn_selected() functions were added in OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_key_update.pod b/doc/man3/SSL_key_update.pod index 6d5b42e0b166..5ce47b337387 100644 --- a/doc/man3/SSL_key_update.pod +++ b/doc/man3/SSL_key_update.pod 
@@ -53,7 +53,9 @@ such as SSL_read_ex() or SSL_write_ex() takes place on the connection a check will be performed to confirm that it is a suitable time to start a renegotiation. If so, then it will be initiated immediately. OpenSSL will not attempt to resume any session associated with the connection in the new -handshake. +handshake. Note that some servers will respond to reneogitation attempts with +a "no_renegotiation" alert. An OpenSSL will immediately fail the connection in +this case. When called from the client side, SSL_renegotiate_abbreviated() works in the same was as SSL_renegotiate() except that OpenSSL will attempt to resume the @@ -101,7 +103,7 @@ OpenSSL 1.1.1. =head1 COPYRIGHT -Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod index 4627206174a5..b06bedc2e7bc 100644 --- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod +++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod @@ -248,8 +248,8 @@ ored together. B<X509_V_FLAG_CRL_CHECK> enables CRL checking for the certificate chain leaf certificate. An error occurs if a suitable CRL cannot be found. -B<X509_V_FLAG_CRL_CHECK_ALL> enables CRL checking for the entire certificate -chain. +B<X509_V_FLAG_CRL_CHECK_ALL> expands CRL checking to the entire certificate +chain if B<X509_V_FLAG_CRL_CHECK> has also been enabled, and is otherwise ignored. B<X509_V_FLAG_IGNORE_CRITICAL> disables critical extension checking. By default any unhandled critical extensions in certificates or (if checked) CRLs result 
@@ -407,7 +407,7 @@ The documentation was changed to align with the implementation. =head1 COPYRIGHT -Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2009-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy |
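Review bot: In the CMS_sign.pod hunk the default digest changes from B<SHA1> to B<SHA256>, but the HISTORY section of the same file (visible context: "The CMS_sign_ex() method was added in OpenSSL 3.0.") receives no entry saying in which release the default changed or that the earlier text was inaccurate. Callers that verified against the documented SHA1 default need that information to judge interoperability, so add a HISTORY line next to the copyright bump, e.g. "The default signing digest documented here is SHA256; earlier versions of this page stated SHA1."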
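Review bot: In the PKCS7_sign.pod hunk the same B<SHA1> to B<SHA256> correction is made as in CMS_sign.pod, and the same gap applies: the HISTORY section (visible context: "The B<PKCS7_STREAM> flag was added in OpenSSL 1.0.0.") does not record the change. Keep the two pages in step and add a matching HISTORY entry here.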
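Review bot: In the DTLS_set_timer_cb.pod hunk, "micro seconds" should be one word, "microseconds". The sentence "The I<timer_us> parameter of the callback is the last set timeout interval returned." is hard to parse; "is the timeout interval returned by the previous invocation of the callback" says the same thing clearly, and pairs naturally with the following sentence about the first invocation returning 0. Also consider stating the unit of the default values in the same unit the callback returns (1 second = 1000000 microseconds), so a reader implementing the callback does not have to convert.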
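Review bot: In the EVP_RAND.pod hunks the documented contract of EVP_RAND_nonce() changes in two ways at once: the return value goes from "the length of the nonce" to "1 on success, 0 on error", and the paragraph allowing I<out> to be NULL to query the required length is deleted with no replacement. Existing callers written against the old text will misinterpret a return of 1 as a one-byte nonce, so the HISTORY section (visible context: "This functionality was added to OpenSSL 3.0.") should record when the return value semantics changed, and the description should say explicitly whether passing NULL for I<out> is still permitted and whether exactly I<outlen> bytes are written.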
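Review bot: In the OSSL_PARAM.pod SEE ALSO hunk the new line "L<openssl-core.h(7)>, L<OSSL_PARAM_get_int(3)>, L<OSSL_PARAM_dup(3)>, L<OSSL_PARAM_construct_utf8_string(3)>" runs well past the 80-column width used elsewhere in these pod files; wrap it after L<OSSL_PARAM_dup(3)>, so the added link sits on its own line.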
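Review bot: In the OSSL_PARAM_int.pod Example 3 hunk the explanation does not match the code it introduces. The text says the fix is to use "B<OSSL_PARAM> macro abbreviated calls rather than the specific callers", yet both snippets call the same OSSL_PARAM_construct_utf8_string(); the only difference is that the second passes a writable I<char[]> instead of a string literal. State the actual cause directly: OSSL_PARAM_construct_utf8_string() takes a I<char *> for I<buf>, so passing a I<const char *> (such as a string literal) triggers I<-Wincompatible-pointer-types-discards-qualifiers>, and the remedy is a non-const character array as shown. Two smaller points: "Can be made compatible" continues the previous sentence and should be lower-case "can", and since this same commit moves the documented default digest to SHA256, a new example would better use "SHA256" than "SHA1" as its sample digest name.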
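Review bot: In the SSL_CTX_set_min_proto_version.pod hunk, "Setting the minimum or maximum version to 0 (default), will enable protocol versions" should drop the comma before "will". The added sentence "The supported versions might be controlled by system configuration." is too vague to act on: say which configuration mechanism can restrict the versions and link to the page that documents it, so a reader whose 0/default setting yields fewer protocol versions than expected knows where to look.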
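Review bot: In the SSL_SESSION_get0_hostname.pod hunk the deleted sentences were the only place that explained what happens for TLSv1.3 sessions (SNI negotiated on every handshake, so never associated with the session). After the change the text promises the SNI value "if it was accepted by the server" for every protocol version, but nothing says whether TLSv1.3 sessions now carry it. If the behaviour changed, add a HISTORY entry (visible context: "functions were added in OpenSSL 1.1.1.") stating the version in which the hostname became available for TLSv1.3 sessions; if it did not, keep a one-line TLSv1.3 caveat.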
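Review bot: In the SSL_key_update.pod hunk, "reneogitation" is misspelled ("renegotiation"), and "An OpenSSL will immediately fail the connection" should read "OpenSSL will immediately fail the connection". While touching this paragraph, the neighbouring context line "works in the same was as SSL_renegotiate()" has a pre-existing typo ("same way as") worth fixing in the same commit.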
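Review bot: In the X509_VERIFY_PARAM_set_flags.pod hunk the new line "chain if B<X509_V_FLAG_CRL_CHECK> has also been enabled, and is otherwise ignored." exceeds the 80-column width of the surrounding text and should be wrapped. More importantly, "otherwise ignored" buries a security-relevant consequence: an application that sets only B<X509_V_FLAG_CRL_CHECK_ALL> performs no CRL checking at all, for the leaf or the chain. Spell that out in a sentence of its own, and since the HISTORY section already carries "The documentation was changed to align with the implementation.", attach the version or date to that entry so readers can tell whether their OpenSSL matches this description.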