| author | Enji Cooper <ngie@FreeBSD.org> | 2025-09-16 23:42:52 +0000 |
|---|---|---|
| committer | Enji Cooper <ngie@FreeBSD.org> | 2025-09-16 23:42:52 +0000 |
| commit | aed904c48f330dc76da942a8ee2d6eef9d11f572 (patch) | |
| tree | 6d2b955e05a5ada50ef6aa3fca7153baaa2850a6 /doc | |
| parent | fbc35f82f0eca4571df0d753da74571e01ace763 (diff) | |
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/man1/openssl-enc.pod.in | 7 | ||||
| -rw-r--r-- | doc/man3/BN_generate_prime.pod | 6 | ||||
| -rw-r--r-- | doc/man3/EVP_EncryptInit.pod | 2 | ||||
| -rw-r--r-- | doc/man3/EVP_aes_128_gcm.pod | 4 | ||||
| -rw-r--r-- | doc/man3/EVP_aria_128_gcm.pod | 4 | ||||
| -rw-r--r-- | doc/man3/EVP_chacha20.pod | 4 | ||||
| -rw-r--r-- | doc/man3/OSSL_CALLBACK.pod | 11 | ||||
| -rw-r--r-- | doc/man3/RAND_load_file.pod | 8 | ||||
| -rw-r--r-- | doc/man3/SSL_CTX_set_domain_flags.pod | 2 | ||||
| -rw-r--r-- | doc/man3/SSL_CTX_set_tmp_dh_callback.pod | 10 | ||||
| -rw-r--r-- | doc/man3/SSL_poll.pod | 24 | ||||
| -rw-r--r-- | doc/man3/d2i_X509.pod | 5 | ||||
| -rw-r--r-- | doc/man7/EVP_PKEY-DSA.pod | 4 | ||||
| -rw-r--r-- | doc/man7/EVP_PKEY-FFC.pod | 4 | ||||
| -rw-r--r-- | doc/man7/EVP_SIGNATURE-ML-DSA.pod | 2 | ||||
| -rw-r--r-- | doc/man7/EVP_SIGNATURE-SLH-DSA.pod | 2 | ||||
| -rw-r--r-- | doc/man7/OSSL_PROVIDER-FIPS.pod | 6 |
17 files changed, 59 insertions, 46 deletions
diff --git a/doc/man1/openssl-enc.pod.in b/doc/man1/openssl-enc.pod.in index 4d7ff3dc77e7..fb4f72ed8a19 100644 --- a/doc/man1/openssl-enc.pod.in +++ b/doc/man1/openssl-enc.pod.in @@ -193,9 +193,12 @@ Print out the key and IV used. Print out the key and IV used then immediately exit: don't do any encryption or decryption. -=item B<-bufsize> I<number> +=item B<-bufsize> I<number>[B<k>] Set the buffer size for I/O. +The maximum size that can be specified is B<2^31-1> (2147483647) bytes. +The B<k> suffix can be specified to indicate that I<number> is provided +in kibibytes (multiples of 1024 bytes). =item B<-nopad> @@ -279,7 +282,7 @@ Some of the ciphers do not have large keys and others have security implications if not used correctly. A beginner is advised to just use a strong block cipher, such as AES, in CBC mode. -All the block ciphers normally use PKCS#5 padding, also known as standard +All the block ciphers normally use PKCS#7 padding, also known as standard block padding. This allows a rudimentary integrity or password check to be performed. However, since the chance of random data passing the test is better than 1 in 256 it isn't a very good test. diff --git a/doc/man3/BN_generate_prime.pod b/doc/man3/BN_generate_prime.pod index accc8a749f0c..6b8d1de19cd8 100644 --- a/doc/man3/BN_generate_prime.pod +++ b/doc/man3/BN_generate_prime.pod @@ -130,7 +130,7 @@ or all the tests passed. If B<p> passes all these tests, it is considered a probable prime. The test performed on B<p> are trial division by a number of small primes -and rounds of the of the Miller-Rabin probabilistic primality test. +and rounds of the Miller-Rabin probabilistic primality test. The functions do at least 64 rounds of the Miller-Rabin test giving a maximum false positive rate of 2^-128. 
@@ -148,7 +148,7 @@ and BN_is_prime_fasttest() are deprecated. BN_is_prime_fasttest() and BN_is_prime() behave just like BN_is_prime_fasttest_ex() and BN_is_prime_ex() respectively, but with the old -style call back. +style callback. B<ctx> is a preallocated B<BN_CTX> (to save the overhead of allocating and freeing the structure in a loop), or B<NULL>. @@ -246,7 +246,7 @@ BN_check_prime() was added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2000-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod index 2c42e3969e03..3c62659319c2 100644 --- a/doc/man3/EVP_EncryptInit.pod +++ b/doc/man3/EVP_EncryptInit.pod @@ -850,7 +850,7 @@ See also EVP_CIPHER_CTX_get_key_length() and EVP_CIPHER_CTX_set_key_length(). =item "tag" (B<OSSL_CIPHER_PARAM_AEAD_TAG>) <octet string> Gets or sets the AEAD tag for the associated cipher context I<ctx>. -See L<EVP_EncryptInit(3)/AEAD Interface>. +See L<EVP_EncryptInit(3)/AEAD INTERFACE>. =item "pipeline-tag" (B<OSSL_CIPHER_PARAM_PIPELINE_AEAD_TAG>) <octet ptr> diff --git a/doc/man3/EVP_aes_128_gcm.pod b/doc/man3/EVP_aes_128_gcm.pod index 485705ea7889..9bac62b10b32 100644 --- a/doc/man3/EVP_aes_128_gcm.pod +++ b/doc/man3/EVP_aes_128_gcm.pod @@ -127,7 +127,7 @@ EVP_aes_256_ocb() AES for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM), Galois Counter Mode (GCM) and OCB Mode respectively. These ciphers require additional control -operations to function correctly, see the L<EVP_EncryptInit(3)/AEAD Interface> +operations to function correctly, see the L<EVP_EncryptInit(3)/AEAD INTERFACE> section for details. =item EVP_aes_128_wrap(), 
@@ -184,7 +184,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_aria_128_gcm.pod b/doc/man3/EVP_aria_128_gcm.pod index 91aa75ec3871..74e21444db8f 100644 --- a/doc/man3/EVP_aria_128_gcm.pod +++ b/doc/man3/EVP_aria_128_gcm.pod @@ -88,7 +88,7 @@ EVP_aria_256_gcm(), ARIA for 128, 192 and 256 bit keys in CBC-MAC Mode (CCM) and Galois Counter Mode (GCM). These ciphers require additional control operations to function -correctly, see the L<EVP_EncryptInit(3)/AEAD Interface> section for details. +correctly, see the L<EVP_EncryptInit(3)/AEAD INTERFACE> section for details. =back @@ -113,7 +113,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_chacha20.pod b/doc/man3/EVP_chacha20.pod index 7e80c8de40c9..0dfce7389b78 100644 --- a/doc/man3/EVP_chacha20.pod +++ b/doc/man3/EVP_chacha20.pod @@ -36,7 +36,7 @@ With an initial counter of 42 (2a in hex) would be expressed as: Authenticated encryption with ChaCha20-Poly1305. Like EVP_chacha20(), the key is 256 bits and the IV is 96 bits. This supports additional authenticated data (AAD) and produces a 128-bit authentication tag. See the -L<EVP_EncryptInit(3)/AEAD Interface> section for more information. +L<EVP_EncryptInit(3)/AEAD INTERFACE> section for more information. =back 
@@ -64,7 +64,7 @@ L<EVP_CIPHER_meth_new(3)> =head1 COPYRIGHT -Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/OSSL_CALLBACK.pod b/doc/man3/OSSL_CALLBACK.pod index 5fa8a8f08916..5550819a94b4 100644 --- a/doc/man3/OSSL_CALLBACK.pod +++ b/doc/man3/OSSL_CALLBACK.pod @@ -47,15 +47,10 @@ Additional parameters can be passed with the L<OSSL_PARAM(3)> array I<params>, =back -=begin comment RETURN VALUES doesn't make sense for a manual that only -describes a type, but document checkers still want that section, and -to have more than just the section title. - =head1 RETURN VALUES -txt - -=end comment +Functions of type B<OSSL_CALLBACK> and B<OSSL_PASSPHRASE_CALLBACK> +must return 1 on success and 0 on failure. =head1 SEE ALSO @@ -67,7 +62,7 @@ The types described here were added in OpenSSL 3.0. =head1 COPYRIGHT -Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/RAND_load_file.pod b/doc/man3/RAND_load_file.pod index baca54cb3c89..45570920ca95 100644 --- a/doc/man3/RAND_load_file.pod +++ b/doc/man3/RAND_load_file.pod 
@@ -19,7 +19,11 @@ RAND_load_file, RAND_write_file, RAND_file_name - PRNG seed file RAND_load_file() reads a number of bytes from file B<filename> and adds them to the PRNG. If B<max_bytes> is nonnegative, up to B<max_bytes> are read; -if B<max_bytes> is -1, the complete file is read. +if B<max_bytes> is -1, the complete file is read (unless the file +is not a regular file, in that case a fixed number of bytes, +256 in the current implementation, is attempted to be read). +RAND_load_file() can read less than the complete file or the requested number +of bytes if it doesn't fit in the return value type. Do not load the same file multiple times unless its contents have been updated by RAND_write_file() between reads. Also, note that B<filename> should be adequately protected so that an @@ -77,7 +81,7 @@ L<RAND(7)> =head1 COPYRIGHT -Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_CTX_set_domain_flags.pod b/doc/man3/SSL_CTX_set_domain_flags.pod index 2f0911608435..cc9ad5911498 100644 --- a/doc/man3/SSL_CTX_set_domain_flags.pod +++ b/doc/man3/SSL_CTX_set_domain_flags.pod @@ -106,7 +106,7 @@ L<SSL_new_domain(3)>, L<openssl-quic-concurrency(7)> =head1 HISTORY -These functions were added in @QUIC_SERVER_VERSION@. +These functions were added in OpenSSL 3.5. =head1 COPYRIGHT diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod index a14f334cfca8..902cefdfa366 100644 --- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod +++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod 
@@ -58,9 +58,11 @@ the actual key is newly generated during the negotiation. Typically applications should use well known DH parameters that have built-in support in OpenSSL. The macros SSL_CTX_set_dh_auto() and SSL_set_dh_auto() configure OpenSSL to use the default built-in DH parameters for the B<SSL_CTX> -and B<SSL> objects respectively. Passing a value of 1 in the I<onoff> parameter -switches the feature on, and passing a value of 0 switches it off. The default -setting is off. +and B<SSL> objects respectively. Passing a value of 2 or 1 in the I<onoff> +parameter switches it on. If the I<onoff> parameter is set to 2, it will force +the DH key size to 1024 if the B<SSL_CTX> or B<SSL> security level +L<SSL_CTX_set_security_level(3)> is 0 or 1. Passing a value of 0 switches +it off. The default setting is off. If "auto" DH parameters are switched on then the parameters will be selected to be consistent with the size of the key associated with the server's certificate. @@ -112,7 +114,7 @@ L<openssl-ciphers(1)>, L<openssl-dhparam(1)> =head1 COPYRIGHT -Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2001-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/SSL_poll.pod b/doc/man3/SSL_poll.pod index 87a1e42b1720..6047bd6750f8 100644 --- a/doc/man3/SSL_poll.pod +++ b/doc/man3/SSL_poll.pod @@ -5,12 +5,14 @@ SSL_poll, SSL_POLL_EVENT_NONE, SSL_POLL_EVENT_F, +SSL_POLL_EVENT_EL, SSL_POLL_EVENT_EC, SSL_POLL_EVENT_ECD, SSL_POLL_EVENT_ER, SSL_POLL_EVENT_EW, SSL_POLL_EVENT_R, SSL_POLL_EVENT_W, +SSL_POLL_EVENT_IC, SSL_POLL_EVENT_ISB, SSL_POLL_EVENT_ISU, SSL_POLL_EVENT_OSB, 
@@ -35,27 +37,29 @@ SSL_POLL_FLAG_NO_HANDLE_EVENTS #define SSL_POLL_EVENT_NONE 0 #define SSL_POLL_EVENT_F /* F (Failure) */ + #define SSL_POLL_EVENT_EL /* EL (Exception on Listener) */ #define SSL_POLL_EVENT_EC /* EC (Exception on Conn) */ #define SSL_POLL_EVENT_ECD /* ECD (Exception on Conn Drained) */ #define SSL_POLL_EVENT_ER /* ER (Exception on Read) */ #define SSL_POLL_EVENT_EW /* EW (Exception on Write) */ #define SSL_POLL_EVENT_R /* R (Readable) */ #define SSL_POLL_EVENT_W /* W (Writable) */ + #define SSL_POLL_EVENT_IC /* IC (Incoming Connection) */ #define SSL_POLL_EVENT_ISB /* ISB (Incoming Stream: Bidi) */ #define SSL_POLL_EVENT_ISU /* ISU (Incoming Stream: Uni) */ #define SSL_POLL_EVENT_OSB /* OSB (Outgoing Stream: Bidi) */ #define SSL_POLL_EVENT_OSU /* OSU (Outgoing Stream: Uni) */ - #define SSL_POLL_EVENT_RW /* R | W */ - #define SSL_POLL_EVENT_RE /* R | ER */ - #define SSL_POLL_EVENT_WE /* W | EW */ - #define SSL_POLL_EVENT_RWE /* RE | WE */ - #define SSL_POLL_EVENT_E /* EC | ER | EW */ - #define SSL_POLL_EVENT_IS /* ISB | ISU */ - #define SSL_POLL_EVENT_ISE /* IS | EC */ - #define SSL_POLL_EVENT_I /* IS */ - #define SSL_POLL_EVENT_OS /* OSB | OSU */ - #define SSL_POLL_EVENT_OSE /* OS | EC */ + #define SSL_POLL_EVENT_RW /* R | W */ + #define SSL_POLL_EVENT_RE /* R | ER */ + #define SSL_POLL_EVENT_WE /* W | EW */ + #define SSL_POLL_EVENT_RWE /* RE | WE */ + #define SSL_POLL_EVENT_E /* EL | EC | ER | EW */ + #define SSL_POLL_EVENT_IS /* ISB | ISU */ + #define SSL_POLL_EVENT_ISE /* IS | EC */ + #define SSL_POLL_EVENT_I /* IS */ + #define SSL_POLL_EVENT_OS /* OSB | OSU */ + #define SSL_POLL_EVENT_OSE /* OS | EC */ typedef struct ssl_poll_item_st { BIO_POLL_DESCRIPTOR desc; diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index df5ea65e596e..8e04c2286c57 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod 
@@ -588,8 +588,9 @@ freed in the event of error and I<*a> is set to NULL. B<i2d_I<TYPE>>() returns the number of bytes successfully encoded or a negative value if an error occurs. -B<i2d_I<TYPE>_bio>() and B<i2d_I<TYPE>_fp>() return 1 for success and 0 if an -error occurs. +B<i2d_I<TYPE>_bio>() and B<i2d_I<TYPE>_fp>(), +as well as i2d_ASN1_bio_stream(), +return 1 for success and 0 if an error occurs. =head1 EXAMPLES diff --git a/doc/man7/EVP_PKEY-DSA.pod b/doc/man7/EVP_PKEY-DSA.pod index f3bed36f88a4..d386d8868a1c 100644 --- a/doc/man7/EVP_PKEY-DSA.pod +++ b/doc/man7/EVP_PKEY-DSA.pod @@ -119,7 +119,7 @@ The following sections of FIPS186-4: =head1 SEE ALSO L<EVP_PKEY-FFC(7)>, -L<EVP_SIGNATURE-DSA(7)> +L<EVP_SIGNATURE-DSA(7)>, L<EVP_PKEY(3)>, L<provider-keymgmt(7)>, L<EVP_KEYMGMT(3)>, @@ -133,7 +133,7 @@ OpenSSL 3.4. See L<fips_module(7)/FIPS indicators> for more information. =head1 COPYRIGHT -Copyright 2020-2024 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man7/EVP_PKEY-FFC.pod b/doc/man7/EVP_PKEY-FFC.pod index 7c9848676b8c..a28bb84e0a36 100644 --- a/doc/man7/EVP_PKEY-FFC.pod +++ b/doc/man7/EVP_PKEY-FFC.pod @@ -213,7 +213,7 @@ The following sections of FIPS186-4: L<EVP_PKEY-DSA(7)>, L<EVP_PKEY-DH(7)>, L<EVP_SIGNATURE-DSA(7)>, -L<EVP_KEYEXCH-DH(7)> +L<EVP_KEYEXCH-DH(7)>, L<EVP_KEYMGMT(3)>, L<EVP_PKEY(3)>, L<provider-keymgmt(7)>, @@ -222,7 +222,7 @@ L<OSSL_PROVIDER-FIPS(7)>, =head1 COPYRIGHT -Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy 
diff --git a/doc/man7/EVP_SIGNATURE-ML-DSA.pod b/doc/man7/EVP_SIGNATURE-ML-DSA.pod index 3e7cc41b2424..3b6e795f0709 100644 --- a/doc/man7/EVP_SIGNATURE-ML-DSA.pod +++ b/doc/man7/EVP_SIGNATURE-ML-DSA.pod @@ -113,7 +113,7 @@ To sign a message using an ML-DSA EVP_PKEY structure: EVP_PKEY_sign(sctx, sig, &sig_len, msg, msg_len); ... OPENSSL_free(sig); - EVP_SIGNATURE(sig_alg); + EVP_SIGNATURE_free(sig_alg); EVP_PKEY_CTX_free(sctx); } diff --git a/doc/man7/EVP_SIGNATURE-SLH-DSA.pod b/doc/man7/EVP_SIGNATURE-SLH-DSA.pod index 9ca1e077484a..de2be646ed64 100644 --- a/doc/man7/EVP_SIGNATURE-SLH-DSA.pod +++ b/doc/man7/EVP_SIGNATURE-SLH-DSA.pod @@ -109,7 +109,7 @@ To sign a message using an SLH-DSA EVP_PKEY structure: EVP_PKEY_sign(sctx, sig, &sig_len, msg, msg_len); ... OPENSSL_free(sig); - EVP_SIGNATURE(sig_alg); + EVP_SIGNATURE_free(sig_alg); EVP_PKEY_CTX_free(sctx); } diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index b338d1c35f1b..d14005a89a1c 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -356,7 +356,11 @@ Known answer test for a Deterministic Random Bit Generator. =item "Conditional_PCT" (B<OSSL_SELF_TEST_TYPE_PCT>) -Conditional test that is run during the generation or importing of key pairs. +Conditional test that is run during the generation of key pairs. + +=item "Import_PCT" (B<OSSL_SELF_TEST_TYPE_PCT_IMPORT>) + +Conditional test that is run during the import of key pairs. =item "Conditional_KAT" (B<OSSL_SELF_TEST_TYPE_PCT_KAT>) |
