Diffstat (limited to 'doc/man3')
-rw-r--r-- doc/man3/ASN1_aux_cb.pod 6
-rw-r--r-- doc/man3/ASN1_item_sign.pod 6
-rw-r--r-- doc/man3/ASYNC_WAIT_CTX_new.pod 4
-rw-r--r-- doc/man3/BIO_s_core.pod 4
-rw-r--r-- doc/man3/BN_rand.pod 4
-rw-r--r-- doc/man3/CONF_modules_load_file.pod 4
-rw-r--r-- doc/man3/DH_get0_pqg.pod 4
-rw-r--r-- doc/man3/EVP_EncryptInit.pod 12
-rw-r--r-- doc/man3/EVP_KDF.pod 13
-rw-r--r-- doc/man3/EVP_KEYMGMT.pod 4
-rw-r--r-- doc/man3/EVP_PKEY2PKCS8.pod 4
-rw-r--r-- doc/man3/EVP_PKEY_decapsulate.pod 20
-rw-r--r-- doc/man3/EVP_PKEY_derive.pod 4
-rw-r--r-- doc/man3/EVP_PKEY_encapsulate.pod 28
-rw-r--r-- doc/man3/EVP_PKEY_get_default_digest_nid.pod 6
-rw-r--r-- doc/man3/EVP_PKEY_gettable_params.pod 4
-rw-r--r-- doc/man3/EVP_PKEY_new.pod 4
-rw-r--r-- doc/man3/EVP_PKEY_todata.pod 4
-rw-r--r-- doc/man3/EVP_chacha20.pod 7
-rw-r--r-- doc/man3/OCSP_resp_find_status.pod 4
-rw-r--r-- doc/man3/OCSP_sendreq_new.pod 4
-rw-r--r-- doc/man3/OSSL_CMP_CTX_new.pod 2
-rw-r--r-- doc/man3/OSSL_CMP_log_open.pod 4
-rw-r--r-- doc/man3/OSSL_DECODER.pod 4
-rw-r--r-- doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod 4
-rw-r--r-- doc/man3/OSSL_ENCODER.pod 4
-rw-r--r-- doc/man3/OSSL_ENCODER_CTX.pod 6
-rw-r--r-- doc/man3/OSSL_ESS_check_signing_certs.pod 4
-rw-r--r-- doc/man3/OSSL_HTTP_REQ_CTX.pod 4
-rw-r--r-- doc/man3/OSSL_HTTP_parse_url.pod 4
-rw-r--r-- doc/man3/OSSL_PARAM.pod 2
-rw-r--r-- doc/man3/OSSL_PARAM_int.pod 6
-rw-r--r-- doc/man3/OSSL_PROVIDER.pod 6
-rw-r--r-- doc/man3/OSSL_SELF_TEST_new.pod 4
-rw-r--r-- doc/man3/OSSL_STORE_LOADER.pod 4
-rw-r--r-- doc/man3/OSSL_trace_set_channel.pod 2
-rw-r--r-- doc/man3/PKCS12_decrypt_skey.pod 4
-rw-r--r-- doc/man3/PKCS12_gen_mac.pod 4
-rw-r--r-- doc/man3/RAND_bytes.pod 4
-rw-r--r-- doc/man3/RSA_get0_key.pod 4
-rw-r--r-- doc/man3/SSL_CTX_new.pod 4
-rw-r--r-- doc/man3/SSL_CTX_set_tmp_dh_callback.pod 6
-rw-r--r-- doc/man3/SSL_get_verify_result.pod 9
-rw-r--r-- doc/man3/X509_STORE_CTX_new.pod 4
-rw-r--r-- doc/man3/X509_VERIFY_PARAM_set_flags.pod 2
-rw-r--r-- doc/man3/X509_add_cert.pod 4
-rw-r--r-- doc/man3/X509_digest.pod 6
-rw-r--r-- doc/man3/X509_dup.pod 4
48 files changed, 148 insertions, 117 deletions
diff --git a/doc/man3/ASN1_aux_cb.pod b/doc/man3/ASN1_aux_cb.pod
index 12f7ddf82d64..f87b51d5efac 100644
--- a/doc/man3/ASN1_aux_cb.pod
+++ b/doc/man3/ASN1_aux_cb.pod
@@ -3,7 +3,7 @@
=head1 NAME
ASN1_AUX, ASN1_PRINT_ARG, ASN1_STREAM_ARG, ASN1_aux_cb, ASN1_aux_const_cb
-- ASN.1 auxilliary data
+- ASN.1 auxiliary data
=head1 SYNOPSIS
@@ -45,7 +45,7 @@ ASN.1 data structures can be associated with an B<ASN1_AUX> object to supply
additional information about the ASN.1 structure. An B<ASN1_AUX> structure is
associated with the structure during the definition of the ASN.1 template. For
example an B<ASN1_AUX> structure will be associated by using one of the various
-ASN.1 template definition macros that supply auxilliary information such as
+ASN.1 template definition macros that supply auxiliary information such as
ASN1_SEQUENCE_enc(), ASN1_SEQUENCE_ref(), ASN1_SEQUENCE_cb_const_cb(),
ASN1_SEQUENCE_const_cb(), ASN1_SEQUENCE_cb() or ASN1_NDEF_SEQUENCE_cb().
@@ -274,7 +274,7 @@ B<ASN1_OP_GET0_PROPQ> operation types were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/ASN1_item_sign.pod b/doc/man3/ASN1_item_sign.pod
index 407268bf1779..2716bd30ccd4 100644
--- a/doc/man3/ASN1_item_sign.pod
+++ b/doc/man3/ASN1_item_sign.pod
@@ -62,7 +62,7 @@ I<algor2> are ignored if they are NULL.
ASN1_item_sign() is similar to ASN1_item_sign_ex() but uses default values of
NULL for the I<id>, I<libctx> and I<propq>.
-ASN1_item_sign_ctx() is similiar to ASN1_item_sign() but uses the parameters
+ASN1_item_sign_ctx() is similar to ASN1_item_sign() but uses the parameters
contained in digest context I<ctx>.
ASN1_item_verify_ex() is used to verify the signature I<signature> of internal
@@ -77,7 +77,7 @@ See EVP_PKEY_CTX_set1_id() for further info.
ASN1_item_verify() is similar to ASN1_item_verify_ex() but uses default values of
NULL for the I<id>, I<libctx> and I<propq>.
-ASN1_item_verify_ctx() is similiar to ASN1_item_verify() but uses the parameters
+ASN1_item_verify_ctx() is similar to ASN1_item_verify() but uses the parameters
contained in digest context I<ctx>.
@@ -216,7 +216,7 @@ ASN1_item_sign_ex() and ASN1_item_verify_ex() were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/ASYNC_WAIT_CTX_new.pod b/doc/man3/ASYNC_WAIT_CTX_new.pod
index 328af9e53a64..7621a8b3a166 100644
--- a/doc/man3/ASYNC_WAIT_CTX_new.pod
+++ b/doc/man3/ASYNC_WAIT_CTX_new.pod
@@ -83,7 +83,7 @@ will be populated with the list of added and deleted fds respectively. Similarly
to ASYNC_WAIT_CTX_get_all_fds() either of these can be NULL, but if they are not
NULL then the caller is responsible for ensuring sufficient memory is allocated.
-Implementors of async aware code (e.g. engines) are encouraged to return a
+Implementers of async aware code (e.g. engines) are encouraged to return a
stable fd for the lifetime of the B<ASYNC_WAIT_CTX> in order to reduce the
"churn" of regularly changing fds - although no guarantees of this are provided
to applications.
@@ -216,7 +216,7 @@ were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/BIO_s_core.pod b/doc/man3/BIO_s_core.pod
index fbcd0b5c9c07..0b9aefe91e54 100644
--- a/doc/man3/BIO_s_core.pod
+++ b/doc/man3/BIO_s_core.pod
@@ -22,7 +22,7 @@ libcrypto into a provider supply an OSSL_CORE_BIO parameter. This represents
a BIO within libcrypto, but cannot be used directly by a provider. Instead it
should be wrapped using a BIO_s_core().
-Once a BIO is contructed based on BIO_s_core(), the associated OSSL_CORE_BIO
+Once a BIO is constructed based on BIO_s_core(), the associated OSSL_CORE_BIO
object should be set on it using BIO_set_data(3). Note that the BIO will only
operate correctly if it is associated with a library context constructed using
OSSL_LIB_CTX_new_from_dispatch(3). To associate the BIO with a library context
@@ -62,7 +62,7 @@ Create a core BIO and write some data to it:
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/BN_rand.pod b/doc/man3/BN_rand.pod
index aebad1e72eb2..0ad76d6af7e7 100644
--- a/doc/man3/BN_rand.pod
+++ b/doc/man3/BN_rand.pod
@@ -59,7 +59,7 @@ BN_rand() is the same as BN_rand_ex() except that the default library context
is always used.
BN_rand_range_ex() generates a cryptographically strong pseudo-random
-number I<rnd>, of security stength at least I<strength> bits,
+number I<rnd>, of security strength at least I<strength> bits,
in the range 0 E<lt>= I<rnd> E<lt> I<range> using the random number
generator for the library context associated with I<ctx>. The parameter I<ctx>
may be NULL in which case the default library context is used.
@@ -119,7 +119,7 @@ BN_priv_rand_range_ex() functions were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/CONF_modules_load_file.pod b/doc/man3/CONF_modules_load_file.pod
index f96d9a12938a..620bbfd89861 100644
--- a/doc/man3/CONF_modules_load_file.pod
+++ b/doc/man3/CONF_modules_load_file.pod
@@ -34,7 +34,7 @@ as determined by calling CONF_get1_default_config_file().
If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
used.
The behaviour can be customized using B<flags>. Note that, the error suppressing
-can be overriden by B<config_diagnostics> as described in L<config(5)>.
+can be overridden by B<config_diagnostics> as described in L<config(5)>.
CONF_modules_load_file() is the same as CONF_modules_load_file_ex() but
has a NULL library context.
@@ -154,7 +154,7 @@ L<NCONF_new_ex(3)>
=head1 COPYRIGHT
-Copyright 2004-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/DH_get0_pqg.pod b/doc/man3/DH_get0_pqg.pod
index 2afc35c77f86..6e5b301f6c6e 100644
--- a/doc/man3/DH_get0_pqg.pod
+++ b/doc/man3/DH_get0_pqg.pod
@@ -40,7 +40,7 @@ see L<openssl_user_macros(7)>:
All of the functions described on this page are deprecated.
Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
-return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
+return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more information.
A DH object contains the parameters I<p>, I<q> and I<g>. Note that the I<q>
parameter is optional. It also contains a public key (I<pub_key>) and
@@ -141,7 +141,7 @@ All of these functions were deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index e469f28a7b54..886cbdfbd3f5 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -665,7 +665,7 @@ Note that the block size for a cipher may be different to the block size for
the underlying encryption/decryption primitive.
For example AES in CTR mode has a block size of 1 (because it operates like a
stream cipher), even though AES has a block size of 16.
-Use EVP_CIPHER_get_block_size() to retreive the cached value.
+Use EVP_CIPHER_get_block_size() to retrieve the cached value.
=item "aead" (B<OSSL_CIPHER_PARAM_AEAD>) <integer>
@@ -1192,10 +1192,11 @@ EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
EVP_CipherInit_ex2() and EVP_CipherUpdate() return 1 for success and 0 for failure.
EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
-EVP_Cipher() returns the amount of encrypted / decrypted bytes, or -1
-on failure if the flag B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the
-cipher. EVP_Cipher() returns 1 on success or 0 on failure, if the flag
+EVP_Cipher() returns 1 on success or 0 on failure, if the flag
B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is not set for the cipher.
+EVP_Cipher() returns the number of bytes written to I<out> for encryption / decryption, or
+the number of bytes authenticated in a call specifying AAD for an AEAD cipher, if the flag
+B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the cipher.
EVP_CIPHER_CTX_reset() returns 1 for success and 0 for failure.
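Review bot: the rewritten EVP_Cipher() paragraph no longer documents a failure return for ciphers that have B<EVP_CIPH_FLAG_CUSTOM_CIPHER> set. The removed text said "or -1 on failure"; the three added lines describe only the byte counts returned on success. Callers that branch on the return value need the failure sentinel stated, so if the behaviour is unchanged, keep it in the new sentence, for example "..., or -1 on failure, if the flag B<EVP_CIPH_FLAG_CUSTOM_CIPHER> is set for the cipher."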
@@ -1266,7 +1267,8 @@ depending on the mode specified.
To specify additional authenticated data (AAD), a call to EVP_CipherUpdate(),
EVP_EncryptUpdate() or EVP_DecryptUpdate() should be made with the output
-parameter I<out> set to B<NULL>.
+parameter I<out> set to B<NULL>. In this case, on success, the parameter
+I<outl> is set to the number of bytes authenticated.
When decrypting, the return value of EVP_DecryptFinal() or EVP_CipherFinal()
indicates whether the operation was successful. If it does not indicate success,
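Review bot: the added sentence says "the parameter I<outl> is set to the number of bytes authenticated", but what is written is the value the parameter points to. The EVP_PKEY_decapsulate.pod change in this same commit uses the dereferenced form (I<*unwrappedlen>) for the equivalent case; writing I<*outl> here would keep the pages consistent and make it clear that a non-NULL I<outl> is still required when I<out> is NULL.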
diff --git a/doc/man3/EVP_KDF.pod b/doc/man3/EVP_KDF.pod
index 3b4e2b79aa14..31d61b2a3df0 100644
--- a/doc/man3/EVP_KDF.pod
+++ b/doc/man3/EVP_KDF.pod
@@ -191,7 +191,7 @@ For those KDF implementations that support it, this parameter sets the password.
=item "salt" (B<OSSL_KDF_PARAM_SALT>) <octet string>
-Some KDF implementations can take a salt.
+Some KDF implementations can take a non-secret unique cryptographic salt.
For those KDF implementations that support it, this parameter sets the salt.
The default value, if any, is implementation dependent.
@@ -227,6 +227,15 @@ Some KDF implementations require a key.
For those KDF implementations that support it, this octet string parameter
sets the key.
+=item "info" (B<OSSL_KDF_PARAM_INFO>) <octet string>
+
+Some KDF implementations, such as L<EVP_KDF-HKDF(7)>, take an 'info' parameter
+for binding the derived key material
+to application- and context-specific information.
+This parameter sets the info, fixed info, other info or shared info argument.
+You can specify this parameter multiple times, and each instance will
+be concatenated to form the final value.
+
=item "maclen" (B<OSSL_KDF_PARAM_MAC_SIZE>) <unsigned integer>
Used by implementations that use a MAC with a variable output size (KMAC).
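Review bot: the new "info" item says each instance "will be concatenated to form the final value" without stating the order, which determines the derived key. Say explicitly that instances are concatenated in the order they appear in the parameter array, and note whether every KDF that accepts "info" also accepts repeated instances or only some do. The paragraph is also wrapped unevenly (short lines after "material" and "information."); rewrapping it would match the surrounding items.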
@@ -295,7 +304,7 @@ This functionality was added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_KEYMGMT.pod b/doc/man3/EVP_KEYMGMT.pod
index f81fc9efb00b..455ffadce5ec 100644
--- a/doc/man3/EVP_KEYMGMT.pod
+++ b/doc/man3/EVP_KEYMGMT.pod
@@ -123,7 +123,7 @@ otherwise 0.
EVP_KEYMGMT_get0_name() returns the algorithm name, or NULL on error.
-EVP_KEYMGMT_get0_description() returns a pointer to a decription, or NULL if
+EVP_KEYMGMT_get0_description() returns a pointer to a description, or NULL if
there isn't one.
EVP_KEYMGMT_gettable_params(), EVP_KEYMGMT_settable_params() and
@@ -140,7 +140,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY2PKCS8.pod b/doc/man3/EVP_PKEY2PKCS8.pod
index 290a3ba3593e..1129a5c75c4b 100644
--- a/doc/man3/EVP_PKEY2PKCS8.pod
+++ b/doc/man3/EVP_PKEY2PKCS8.pod
@@ -21,7 +21,7 @@ EVP_PKEY2PKCS8() converts a private key I<pkey> into a returned PKCS8 object.
EVP_PKCS82PKEY_ex() converts a PKCS8 object I<p8> into a returned private key.
It uses I<libctx> and I<propq> when fetching algorithms.
-EVP_PKCS82PKEY() is similiar to EVP_PKCS82PKEY_ex() but uses default values of
+EVP_PKCS82PKEY() is similar to EVP_PKCS82PKEY_ex() but uses default values of
NULL for the I<libctx> and I<propq>.
=head1 RETURN VALUES
@@ -37,7 +37,7 @@ L<PKCS8_pkey_add1_attr(3)>,
=head1 COPYRIGHT
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_decapsulate.pod b/doc/man3/EVP_PKEY_decapsulate.pod
index 529e318f9eba..819291627bb8 100644
--- a/doc/man3/EVP_PKEY_decapsulate.pod
+++ b/doc/man3/EVP_PKEY_decapsulate.pod
@@ -3,7 +3,7 @@
=head1 NAME
EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
-- Key decapsulation using a private key algorithm
+- Key decapsulation using a KEM algorithm with a private key
=head1 SYNOPSIS
@@ -11,7 +11,7 @@ EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
int EVP_PKEY_decapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
int EVP_PKEY_decapsulate(EVP_PKEY_CTX *ctx,
- unsigned char *secret, size_t *secretlen,
+ unsigned char *unwrapped, size_t *unwrappedlen,
const unsigned char *wrapped, size_t wrappedlen);
=head1 DESCRIPTION
@@ -19,18 +19,20 @@ EVP_PKEY_decapsulate_init, EVP_PKEY_decapsulate
The EVP_PKEY_decapsulate_init() function initializes a private key algorithm
context I<ctx> for a decapsulation operation and then sets the I<params>
on the context in the same way as calling L<EVP_PKEY_CTX_set_params(3)>.
+Note that I<ctx> usually is produced using L<EVP_PKEY_CTX_new_from_pkey(3)>,
+specifying the private key to use.
The EVP_PKEY_decapsulate() function performs a private key decapsulation
operation using I<ctx>. The data to be decapsulated is specified using the
I<wrapped> and I<wrappedlen> parameters.
-If I<secret> is I<NULL> then the maximum size of the output secret buffer
-is written to the I<*secretlen> parameter. If I<secret> is not B<NULL> and the
-call is successful then the decapsulated secret data is written to I<secret> and
-the amount of data written to I<secretlen>.
+If I<unwrapped> is NULL then the maximum size of the output secret buffer
+is written to I<*unwrappedlen>. If I<unwrapped> is not NULL and the
+call is successful then the decapsulated secret data is written to I<unwrapped>
+and the amount of data written to I<*unwrappedlen>.
=head1 NOTES
-After the call to EVP_PKEY_decapsulate_init() algorithm specific parameters
+After the call to EVP_PKEY_decapsulate_init() algorithm-specific parameters
for the operation may be set or modified using L<EVP_PKEY_CTX_set_params(3)>.
=head1 RETURN VALUES
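Review bot: the rewritten size-query sentence ("If I<unwrapped> is NULL then the maximum size of the output secret buffer is written to I<*unwrappedlen>") does not say what happens when I<unwrappedlen> itself is NULL, while the matching EVP_PKEY_encapsulate.pod text in this commit adds "unless I<wrappedkeylen> is NULL". Please document the NULL length pointer case here as well, since callers sizing a buffer for secret material rely on it. Separately, the first paragraph still calls I<ctx> a "private key algorithm context" although the NAME line now says "KEM algorithm with a private key".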
@@ -79,7 +81,7 @@ Decapsulate data using RSA:
=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_CTX_new_from_pkey(3)>,
L<EVP_PKEY_encapsulate(3)>,
L<EVP_KEM-RSA(7)>,
@@ -89,7 +91,7 @@ These functions were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_derive.pod b/doc/man3/EVP_PKEY_derive.pod
index d61bb5512f62..bfbe14b1ffff 100644
--- a/doc/man3/EVP_PKEY_derive.pod
+++ b/doc/man3/EVP_PKEY_derive.pod
@@ -32,7 +32,7 @@ EVP_PKEY_derive_set_peer_ex() sets the peer key: this will normally
be a public key. The I<validate_peer> will validate the public key if this value
is non zero.
-EVP_PKEY_derive_set_peer() is similiar to EVP_PKEY_derive_set_peer_ex() with
+EVP_PKEY_derive_set_peer() is similar to EVP_PKEY_derive_set_peer_ex() with
I<validate_peer> set to 1.
EVP_PKEY_derive() derives a shared secret using I<ctx>.
@@ -114,7 +114,7 @@ added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_encapsulate.pod b/doc/man3/EVP_PKEY_encapsulate.pod
index 9baf88d07bef..0ee7d627904d 100644
--- a/doc/man3/EVP_PKEY_encapsulate.pod
+++ b/doc/man3/EVP_PKEY_encapsulate.pod
@@ -3,7 +3,7 @@
=head1 NAME
EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
-- Key encapsulation using a public key algorithm
+- Key encapsulation using a KEM algorithm with a public key
=head1 SYNOPSIS
@@ -11,7 +11,7 @@ EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
int EVP_PKEY_encapsulate_init(EVP_PKEY_CTX *ctx, const OSSL_PARAM params[]);
int EVP_PKEY_encapsulate(EVP_PKEY_CTX *ctx,
- unsigned char *out, size_t *outlen,
+ unsigned char *wrappedkey, size_t *wrappedkeylen,
unsigned char *genkey, size_t *genkeylen);
=head1 DESCRIPTION
@@ -19,19 +19,27 @@ EVP_PKEY_encapsulate_init, EVP_PKEY_encapsulate
The EVP_PKEY_encapsulate_init() function initializes a public key algorithm
context I<ctx> for an encapsulation operation and then sets the I<params>
on the context in the same way as calling L<EVP_PKEY_CTX_set_params(3)>.
+Note that I<ctx> is usually is produced using L<EVP_PKEY_CTX_new_from_pkey(3)>,
+specifying the public key to use.
The EVP_PKEY_encapsulate() function performs a public key encapsulation
-operation using I<ctx> with the name I<name>.
-If I<out> is B<NULL> then the maximum size of the output buffer is written to the
-I<*outlen> parameter and the maximum size of the generated key buffer is written
-to I<*genkeylen>. If I<out> is not B<NULL> and the call is successful then the
+operation using I<ctx>.
+The symmetric secret generated in I<genkey> can be used as key material.
+The ciphertext in I<wrappedkey> is its encapsulated form, which can be sent
+to another party, who can use L<EVP_PKEY_decapsulate(3)> to retrieve it
+using their private key.
+If I<wrappedkey> is NULL then the maximum size of the output buffer
+is written to the I<*wrappedkeylen> parameter unless I<wrappedkeylen> is NULL
+and the maximum size of the generated key buffer is written to I<*genkeylen>
+unless I<genkeylen> is NULL.
+If I<wrappedkey> is not NULL and the call is successful then the
internally generated key is written to I<genkey> and its size is written to
I<*genkeylen>. The encapsulated version of the generated key is written to
-I<out> and its size is written to I<*outlen>.
+I<wrappedkey> and its size is written to I<*wrappedkeylen>.
=head1 NOTES
-After the call to EVP_PKEY_encapsulate_init() algorithm specific parameters
+After the call to EVP_PKEY_encapsulate_init() algorithm-specific parameters
for the operation may be set or modified using L<EVP_PKEY_CTX_set_params(3)>.
=head1 RETURN VALUES
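Review bot: the added line "Note that I<ctx> is usually is produced using L<EVP_PKEY_CTX_new_from_pkey(3)>" has a doubled "is", which is a new typo in a spelling-fix commit; the decapsulate page reads "usually is produced", so pick one wording for both. The added sentence "is written to the I<*wrappedkeylen> parameter unless I<wrappedkeylen> is NULL and the maximum size of the generated key buffer is written to I<*genkeylen> unless I<genkeylen> is NULL" is also hard to parse; splitting it into two sentences, one per output length, would remove the ambiguity about which "unless" applies to which write.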
@@ -82,7 +90,7 @@ Encapsulate an RSASVE key (for RSA keys).
=head1 SEE ALSO
-L<EVP_PKEY_CTX_new(3)>,
+L<EVP_PKEY_CTX_new_from_pkey(3)>,
L<EVP_PKEY_decapsulate(3)>,
L<EVP_KEM-RSA(7)>,
@@ -92,7 +100,7 @@ These functions were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_get_default_digest_nid.pod b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
index ddabac8ff8e4..e22a3e7b4717 100644
--- a/doc/man3/EVP_PKEY_get_default_digest_nid.pod
+++ b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
@@ -18,8 +18,8 @@ EVP_PKEY_get_default_digest_nid, EVP_PKEY_get_default_digest_name
EVP_PKEY_get_default_digest_name() fills in the default message digest
name for the public key signature operations associated with key
I<pkey> into I<mdname>, up to at most I<mdname_sz> bytes including the
-ending NUL byte. The name could be C<"UNDEF">, signifying that no digest
-should be used.
+ending NUL byte. The name could be C<"UNDEF">, signifying that a digest
+must (for return value 2) or may (for return value 1) be left unspecified.
EVP_PKEY_get_default_digest_nid() sets I<pnid> to the default message
digest NID for the public key signature operations associated with key
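Review bot: the new wording "must (for return value 2) or may (for return value 1) be left unspecified" refers to return values 1 and 2 in the DESCRIPTION before the reader has seen what they mean. Add a pointer to the RETURN VALUES section, or spell out here that 2 means the digest is mandatory and 1 means it is advisory, if that is what those values denote, so that callers do not pass a digest where "UNDEF" is returned with 2.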
@@ -57,7 +57,7 @@ This function was added in OpenSSL 1.0.0.
=head1 COPYRIGHT
-Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_gettable_params.pod b/doc/man3/EVP_PKEY_gettable_params.pod
index b51e4c4de185..acf20b54e554 100644
--- a/doc/man3/EVP_PKEY_gettable_params.pod
+++ b/doc/man3/EVP_PKEY_gettable_params.pod
@@ -60,7 +60,7 @@ is allocated by the method.
EVP_PKEY_get_utf8_string_param() get a key I<pkey> UTF8 string value into a
buffer I<str> of maximum size I<max_buf_sz> associated with a name of
-I<key_name>. The maximum size must be large enough to accomodate the string
+I<key_name>. The maximum size must be large enough to accommodate the string
value including a terminating NUL byte, or this function will fail.
If I<out_len> is not NULL, I<*out_len> is set to the length of the string
not including the terminating NUL byte. The required buffer size not including
@@ -125,7 +125,7 @@ These functions were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_new.pod b/doc/man3/EVP_PKEY_new.pod
index 0ea7062f0182..1c75c7571994 100644
--- a/doc/man3/EVP_PKEY_new.pod
+++ b/doc/man3/EVP_PKEY_new.pod
@@ -62,7 +62,7 @@ see L<openssl_user_macros(7)>:
B<EVP_PKEY> is a generic structure to hold diverse types of asymmetric keys
(also known as "key pairs"), and can be used for diverse operations, like
signing, verifying signatures, key derivation, etc. The asymmetric keys
-themselves are often refered to as the "internal key", and are handled by
+themselves are often referred to as the "internal key", and are handled by
backends, such as providers (through L<EVP_KEYMGMT(3)>) or B<ENGINE>s.
Conceptually, an B<EVP_PKEY> internal key may hold a private key, a public
@@ -210,7 +210,7 @@ previously implied to be disallowed.
=head1 COPYRIGHT
-Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_todata.pod b/doc/man3/EVP_PKEY_todata.pod
index dedfb1b0cf8a..71867236f987 100644
--- a/doc/man3/EVP_PKEY_todata.pod
+++ b/doc/man3/EVP_PKEY_todata.pod
@@ -23,7 +23,7 @@ I<selection> is described in L<EVP_PKEY_fromdata(3)/Selections>.
L<OSSL_PARAM_free(3)> should be used to free the returned parameters in
I<*params>.
-EVP_PKEY_export() is similiar to EVP_PKEY_todata() but uses a callback
+EVP_PKEY_export() is similar to EVP_PKEY_todata() but uses a callback
I<export_cb> that gets passed the value of I<export_cbarg>.
See L<openssl-core.h(7)> for more information about the callback. Note that the
L<OSSL_PARAM(3)> array that is passed to the callback is not persistent after the
@@ -53,7 +53,7 @@ These functions were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_chacha20.pod b/doc/man3/EVP_chacha20.pod
index 28ab25bf7188..683faa326e14 100644
--- a/doc/man3/EVP_chacha20.pod
+++ b/doc/man3/EVP_chacha20.pod
@@ -22,10 +22,10 @@ The ChaCha20 stream cipher for EVP.
=item EVP_chacha20()
The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long.
-The first 32 bits consists of a counter in little-endian order followed by a 96
+The first 64 bits consists of a counter in little-endian order followed by a 64
bit nonce. For example a nonce of:
-000000000000000000000002
+0000000000000002
With an initial counter of 42 (2a in hex) would be expressed as:
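Review bot: the example nonce is shortened to 16 hex digits, but the combined IV shown after "would be expressed as:" lies outside this hunk and is not changed by the commit (the next hunk starts at line 47), so please confirm it is still correct for a 64 bit little-endian counter followed by a 64 bit nonce. On the changed line itself, "The first 64 bits consists of" should read "consist of".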
@@ -47,6 +47,9 @@ calling these functions multiple times and should consider using
L<EVP_CIPHER_fetch(3)> instead.
See L<crypto(7)/Performance> for further information.
+L<RFC 7539|https://www.rfc-editor.org/rfc/rfc7539.html#section-2.4>
+uses a 32 bit counter and a 96 bit nonce for the IV.
+
=head1 RETURN VALUES
These functions return an B<EVP_CIPHER> structure that contains the
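Review bot: the added RFC 7539 sentence sits after the performance note, well away from the EVP_chacha20() item that now describes a 64 bit counter and 64 bit nonce, and it does not say how the two layouts relate. A reader following the RFC will want to know how to build the 128 bit IV for this cipher from a 32 bit counter and 96 bit nonce; either move the sentence next to the IV description or add one line stating how an RFC 7539 counter and nonce are passed.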
diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
index f4afddcdefe9..0fa1a3cf249a 100644
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@@ -131,7 +131,7 @@ in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
and in I<bs>, else it takes them as untrusted intermediate CA certificates
and uses them for constructing the validation path for the signer certificate.
-Certicate revocation status checks using CRLs is disabled during path validation
+Certificate revocation status checks using CRLs is disabled during path validation
if the signer certificate contains the B<id-pkix-ocsp-no-check> extension.
After successful path
validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
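Review bot: the corrected line still reads "Certificate revocation status checks using CRLs is disabled", where the plural subject "checks" needs "are disabled". Since this line is already being touched for the "Certicate" fix, the agreement error can be fixed in the same change.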
@@ -210,7 +210,7 @@ L<X509_VERIFY_PARAM_set_flags(3)>
=head1 COPYRIGHT
-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OCSP_sendreq_new.pod b/doc/man3/OCSP_sendreq_new.pod
index 6e4c8110f1f0..ce2749ed1ba6 100644
--- a/doc/man3/OCSP_sendreq_new.pod
+++ b/doc/man3/OCSP_sendreq_new.pod
@@ -40,7 +40,7 @@ These functions perform an OCSP POST request / response transfer over HTTP,
using the HTTP request functions described in L<OSSL_HTTP_REQ_CTX(3)>.
The function OCSP_sendreq_new() builds a complete B<OSSL_HTTP_REQ_CTX> structure
-with the B<BIO> I<io> to be used for requests and reponse, the URL path I<path>,
+with the B<BIO> I<io> to be used for requests and response, the URL path I<path>,
optionally the OCSP request I<req>, and a response header maximum line length
of I<buf_size>. If I<buf_size> is zero a default value of 4KiB is used.
The I<req> may be set to NULL and provided later using OCSP_REQ_CTX_set1_req()
@@ -115,7 +115,7 @@ were deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index c0c41a226bfe..e81fb08b00d6 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -627,7 +627,7 @@ OSSL_CMP_CTX_set_certConf_cb_arg(), or NULL if unset.
OSSL_CMP_CTX_get_status() returns for client contexts the PKIstatus from
the last received CertRepMessage or Revocation Response or error message:
-=item B<OSSL_CMP_PKISTATUS_accepted> on sucessful receipt of a GENP message:
+=item B<OSSL_CMP_PKISTATUS_accepted> on successful receipt of a GENP message:
=over 4
diff --git a/doc/man3/OSSL_CMP_log_open.pod b/doc/man3/OSSL_CMP_log_open.pod
index 9a55370e3c0c..f540c1938297 100644
--- a/doc/man3/OSSL_CMP_log_open.pod
+++ b/doc/man3/OSSL_CMP_log_open.pod
@@ -89,7 +89,7 @@ As long as neither if the two is used any logging output is ignored.
OSSL_CMP_log_close() may be called when all activities are finished to flush
any pending CMP-specific log output and deallocate related resources.
-It may be called multiple times. It does get called at OpenSSL stutdown.
+It may be called multiple times. It does get called at OpenSSL shutdown.
OSSL_CMP_print_to_bio() prints the given component info, filename, line number,
severity level, and log message or error queue message to the given I<bio>.
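Review bot: the hunk header context for this change shows the preceding sentence as "As long as neither if the two is used any logging output is ignored", where "if" should be "of". It is a few lines above the "stutdown" fix in the same file, so it is worth including in this spelling pass.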
@@ -114,7 +114,7 @@ The OpenSSL CMP support was added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_DECODER.pod b/doc/man3/OSSL_DECODER.pod
index 334f955e16f9..dcfd72bf9738 100644
--- a/doc/man3/OSSL_DECODER.pod
+++ b/doc/man3/OSSL_DECODER.pod
@@ -116,7 +116,7 @@ multiple synonyms associated with it. In this case the first name from the
algorithm definition is returned. Ownership of the returned string is retained
by the I<decoder> object and should not be freed by the caller.
-OSSL_DECODER_get0_description() returns a pointer to a decription, or NULL if
+OSSL_DECODER_get0_description() returns a pointer to a description, or NULL if
there isn't one.
OSSL_DECODER_names_do_all() returns 1 if the callback was called for all
@@ -180,7 +180,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod b/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod
index 213791404c77..acb04bc37623 100644
--- a/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod
+++ b/doc/man3/OSSL_DECODER_CTX_new_for_pkey.pod
@@ -41,7 +41,7 @@ them up, so all the caller has to do next is call functions like
L<OSSL_DECODER_from_bio(3)>. The caller may use the optional I<input_type>,
I<input_struct>, I<keytype> and I<selection> to specify what the input is
expected to contain. The I<pkey> must reference an B<EVP_PKEY *> variable
-that will be set to the newly created B<EVP_PKEY> on succesfull decoding.
+that will be set to the newly created B<EVP_PKEY> on successful decoding.
The referenced variable must be initialized to NULL before calling the
function.
@@ -135,7 +135,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_ENCODER.pod b/doc/man3/OSSL_ENCODER.pod
index cfabba2e1d02..06d8f80f8812 100644
--- a/doc/man3/OSSL_ENCODER.pod
+++ b/doc/man3/OSSL_ENCODER.pod
@@ -117,7 +117,7 @@ multiple synonyms associated with it. In this case the first name from the
algorithm definition is returned. Ownership of the returned string is retained
by the I<encoder> object and should not be freed by the caller.
-OSSL_ENCODER_get0_description() returns a pointer to a decription, or NULL if
+OSSL_ENCODER_get0_description() returns a pointer to a description, or NULL if
there isn't one.
OSSL_ENCODER_names_do_all() returns 1 if the callback was called for all
@@ -134,7 +134,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_ENCODER_CTX.pod b/doc/man3/OSSL_ENCODER_CTX.pod
index 2d7a6a298f85..7f3915fda882 100644
--- a/doc/man3/OSSL_ENCODER_CTX.pod
+++ b/doc/man3/OSSL_ENCODER_CTX.pod
@@ -80,7 +80,7 @@ as DER to PEM, as well as more specialized encoders like RSA to DER.
The final output type must be given, and a chain of encoders must end with
an implementation that produces that output type.
-At the beginning of the encoding process, a contructor provided by the
+At the beginning of the encoding process, a constructor provided by the
caller is called to ensure that there is an appropriate provider-side object
to start with.
The constructor is set with OSSL_ENCODER_CTX_set_construct().
@@ -148,7 +148,7 @@ The pointer that was set with OSSL_ENCODE_CTX_set_construct_data().
The constructor is expected to return a valid (non-NULL) pointer to a
provider-native object that can be used as first input of an encoding chain,
-or NULL to indicate that an error has occured.
+or NULL to indicate that an error has occurred.
These utility functions may be used by a constructor:
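Review bot: the header context of this hunk names "OSSL_ENCODE_CTX_set_construct_data()", while the previous hunk's context uses OSSL_ENCODER_CTX_set_construct(). The missing "R" looks like another typo in the same file; please check the function name and fix it in this pass, since a reader searching for the symbol will not find it.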
@@ -211,7 +211,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_ESS_check_signing_certs.pod b/doc/man3/OSSL_ESS_check_signing_certs.pod
index bff26193d758..24145ead1728 100644
--- a/doc/man3/OSSL_ESS_check_signing_certs.pod
+++ b/doc/man3/OSSL_ESS_check_signing_certs.pod
@@ -46,7 +46,7 @@ while the list contained in I<ssv2> is of type B<ESS_CERT_ID_V2>.
As far as these lists are present, they must be nonempty.
The certificate identified by their first entry must be the first element of
I<chain>, i.e. the signer certificate.
-Any further certficates referenced in the list must also be found in I<chain>.
+Any further certificates referenced in the list must also be found in I<chain>.
The matching is done using the given certificate hash algorithm and value.
In addition to the checks required by RFCs 2624 and 5035,
if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
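Review bot: the unchanged context line "In addition to the checks required by RFCs 2624 and 5035" appears to carry a typo as well. ESS is specified in RFC 2634 (updated by RFC 5035), so "2624" should probably read "2634"; worth correcting alongside "certficates".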
@@ -78,7 +78,7 @@ OSSL_ESS_check_signing_certs() were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_HTTP_REQ_CTX.pod b/doc/man3/OSSL_HTTP_REQ_CTX.pod
index fbe1a152b80c..ee61034aa731 100644
--- a/doc/man3/OSSL_HTTP_REQ_CTX.pod
+++ b/doc/man3/OSSL_HTTP_REQ_CTX.pod
@@ -133,7 +133,7 @@ The function may need to be called again if its result is -1, which indicates
L<BIO_should_retry(3)>. In such a case it is advisable to sleep a little in
between, using L<BIO_wait(3)> on the read BIO to prevent a busy loop.
-OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on successs
+OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on success
in addition parses the response, which must be a DER-encoded ASN.1 structure,
using the ASN.1 template I<it> and places the result in I<*pval>.
@@ -256,7 +256,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_HTTP_parse_url.pod b/doc/man3/OSSL_HTTP_parse_url.pod
index 945e981a73fa..768f0acdb14c 100644
--- a/doc/man3/OSSL_HTTP_parse_url.pod
+++ b/doc/man3/OSSL_HTTP_parse_url.pod
@@ -57,7 +57,7 @@ The path component is also optional and defaults to C</>.
Each non-NULL result pointer argument I<pscheme>, I<puser>, I<phost>, I<pport>,
I<ppath>, I<pquery>, and I<pfrag>, is assigned the respective url component.
On success, they are guaranteed to contain non-NULL string pointers, else NULL.
-It is the reponsibility of the caller to free them using L<OPENSSL_free(3)>.
+It is the responsibility of the caller to free them using L<OPENSSL_free(3)>.
If I<pquery> is NULL, any given query component is handled as part of the path.
A string returned via I<*ppath> is guaranteed to begin with a C</> character.
For absent scheme, userinfo, port, query, and fragment components
@@ -97,7 +97,7 @@ OCSP_parse_url() was deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_PARAM.pod b/doc/man3/OSSL_PARAM.pod
index 3939ddc74296..1e5bf06cf767 100644
--- a/doc/man3/OSSL_PARAM.pod
+++ b/doc/man3/OSSL_PARAM.pod
@@ -108,7 +108,7 @@ B<OSSL_PARAM_UTF8_STRING> in relation to C strings. When setting
parameters, the size should be set to the length of the string, not
counting the terminating NUL byte. When requesting parameters, the
size should be set to the size of the buffer to be populated, which
-should accomodate enough space for a terminating NUL byte.
+should accommodate enough space for a terminating NUL byte.
When I<requesting parameters>, it's acceptable for I<data> to be NULL.
This can be used by the I<requester> to figure out dynamically exactly
diff --git a/doc/man3/OSSL_PARAM_int.pod b/doc/man3/OSSL_PARAM_int.pod
index c03e30f83965..d357818ff14b 100644
--- a/doc/man3/OSSL_PARAM_int.pod
+++ b/doc/man3/OSSL_PARAM_int.pod
@@ -241,7 +241,7 @@ will be assigned the size the parameter's I<data> buffer should have.
OSSL_PARAM_get_utf8_string() retrieves a UTF8 string from the parameter
pointed to by I<p>.
The string is stored into I<*val> with a size limit of I<max_len>,
-which must be large enough to accomodate a terminating NUL byte,
+which must be large enough to accommodate a terminating NUL byte,
otherwise this function will fail.
If I<*val> is NULL, memory is allocated for the string (including the
terminating NUL byte) and I<max_len> is ignored.
@@ -250,14 +250,14 @@ If memory is allocated by this function, it must be freed by the caller.
OSSL_PARAM_set_utf8_string() sets a UTF8 string from the parameter pointed to
by I<p> to the value referenced by I<val>.
If the parameter's I<data> field isn't NULL, its I<data_size> must indicate
-that the buffer is large enough to accomodate the string that I<val> points at,
+that the buffer is large enough to accommodate the string that I<val> points at,
not including the terminating NUL byte, or this function will fail.
A terminating NUL byte is added only if the parameter's I<data_size> indicates
the buffer is longer than the string length, otherwise the string will not be
NUL terminated.
If the parameter's I<data> field is NULL, then only its I<return_size> field
will be assigned the minimum size the parameter's I<data> buffer should have
-to accomodate the string, not including a terminating NUL byte.
+to accommodate the string, not including a terminating NUL byte.
OSSL_PARAM_get_octet_string() retrieves an OCTET string from the parameter
pointed to by I<p>.
diff --git a/doc/man3/OSSL_PROVIDER.pod b/doc/man3/OSSL_PROVIDER.pod
index 9710469e07f2..40a4ea100572 100644
--- a/doc/man3/OSSL_PROVIDER.pod
+++ b/doc/man3/OSSL_PROVIDER.pod
@@ -90,8 +90,8 @@ the environment variable OPENSSL_MODULES if set.
OSSL_PROVIDER_try_load() functions like OSSL_PROVIDER_load(), except that
it does not disable the fallback providers if the provider cannot be
-loaded and initialized or if I<retain_fallbacks> is zero.
-If the provider loads successfully and I<retain_fallbacks> is nonzero, the
+loaded and initialized or if I<retain_fallbacks> is nonzero.
+If the provider loads successfully and I<retain_fallbacks> is zero, the
fallback providers are disabled.
OSSL_PROVIDER_unload() unloads the given provider.
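Review bot: swapping "zero" and "nonzero" for I<retain_fallbacks> in the two changed lines inverts the documented behaviour of OSSL_PROVIDER_try_load(); it is not a spelling fix, yet it sits in a patch that otherwise only corrects typos and copyright years. Please confirm the new wording against the implementation and call the change out in the commit message (or split it into its own commit), because callers decide what to pass for I<retain_fallbacks>, and therefore whether the fallback providers stay available, from this paragraph.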
@@ -213,7 +213,7 @@ The type and functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_SELF_TEST_new.pod b/doc/man3/OSSL_SELF_TEST_new.pod
index 5fe838351908..4c4b10fca96a 100644
--- a/doc/man3/OSSL_SELF_TEST_new.pod
+++ b/doc/man3/OSSL_SELF_TEST_new.pod
@@ -22,7 +22,7 @@ OSSL_SELF_TEST_onend - functionality to trigger a callback during a self test
=head1 DESCRIPTION
-These methods are intended for use by provider implementors, to display
+These methods are intended for use by provider implementers, to display
diagnostic information during self testing.
OSSL_SELF_TEST_new() allocates an opaque B<OSSL_SELF_TEST> object that has a
@@ -165,7 +165,7 @@ The functions described here were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_STORE_LOADER.pod b/doc/man3/OSSL_STORE_LOADER.pod
index b1d838604bad..9cd016be158a 100644
--- a/doc/man3/OSSL_STORE_LOADER.pod
+++ b/doc/man3/OSSL_STORE_LOADER.pod
@@ -327,7 +327,7 @@ definition string, or NULL on error.
OSSL_STORE_LOADER_is_a() returns 1 if I<loader> was identifiable,
otherwise 0.
-OSSL_STORE_LOADER_get0_description() returns a pointer to a decription, or NULL if
+OSSL_STORE_LOADER_get0_description() returns a pointer to a description, or NULL if
there isn't one.
The functions with the types B<OSSL_STORE_open_fn>,
@@ -380,7 +380,7 @@ were added in OpenSSL 1.1.1, and became deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/OSSL_trace_set_channel.pod b/doc/man3/OSSL_trace_set_channel.pod
index 3b9c64e5412f..f93242643c40 100644
--- a/doc/man3/OSSL_trace_set_channel.pod
+++ b/doc/man3/OSSL_trace_set_channel.pod
@@ -48,7 +48,7 @@ so the caller must not free it directly.
OSSL_trace_set_prefix() and OSSL_trace_set_suffix() can be used to add
an extra line for each channel, to be output before and after group of
tracing output.
-What constitues an output group is decided by the code that produces
+What constitutes an output group is decided by the code that produces
the output.
The lines given here are considered immutable; for more dynamic
tracing prefixes, consider setting a callback with
diff --git a/doc/man3/PKCS12_decrypt_skey.pod b/doc/man3/PKCS12_decrypt_skey.pod
index 7a41b2b06c2f..97c6823a3c74 100644
--- a/doc/man3/PKCS12_decrypt_skey.pod
+++ b/doc/man3/PKCS12_decrypt_skey.pod
@@ -21,7 +21,7 @@ decrypt functions
PKCS12_decrypt_skey() Decrypt the PKCS#8 shrouded keybag contained within I<bag>
using the supplied password I<pass> of length I<passlen>.
-PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex
+PKCS12_decrypt_skey_ex() is similar to the above but allows for a library context
I<ctx> and property query I<propq> to be used to select algorithm implementations.
=head1 RETURN VALUES
@@ -45,7 +45,7 @@ PKCS12_decrypt_skey_ex() was added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod
index 53b55e870303..37bcd572d841 100644
--- a/doc/man3/PKCS12_gen_mac.pod
+++ b/doc/man3/PKCS12_gen_mac.pod
@@ -21,7 +21,7 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure
=head1 DESCRIPTION
PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the
-supplied password along with a set of already configured paramters.
+supplied password along with a set of already configured parameters.
PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied
password.
@@ -62,7 +62,7 @@ L<passphrase-encoding(7)>
=head1 COPYRIGHT
-Copyright 2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/RAND_bytes.pod b/doc/man3/RAND_bytes.pod
index ee7ed4af860c..8440a7318564 100644
--- a/doc/man3/RAND_bytes.pod
+++ b/doc/man3/RAND_bytes.pod
@@ -37,7 +37,7 @@ and L<EVP_RAND(7)>.
RAND_bytes_ex() and RAND_priv_bytes_ex() are the same as RAND_bytes() and
RAND_priv_bytes() except that they both take additional I<strength> and
-I<ctx> parameters. The bytes genreated will have a security strength of at
+I<ctx> parameters. The bytes generated will have a security strength of at
least I<strength> bits.
The DRBG used for the operation is the public or private DRBG associated with
the specified I<ctx>. The parameter can be NULL, in which case
@@ -101,7 +101,7 @@ The RAND_bytes_ex() and RAND_priv_bytes_ex() functions were added in OpenSSL 3.0
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/RSA_get0_key.pod b/doc/man3/RSA_get0_key.pod
index 0a0f79125a32..1c1fa5bfcda3 100644
--- a/doc/man3/RSA_get0_key.pod
+++ b/doc/man3/RSA_get0_key.pod
@@ -54,7 +54,7 @@ see L<openssl_user_macros(7)>:
All of the functions described on this page are deprecated.
Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
-return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
+return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more information.
An RSA object contains the components for the public and private key,
B<n>, B<e>, B<d>, B<p>, B<q>, B<dmp1>, B<dmq1> and B<iqmp>. B<n> is
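Review bot: the line being corrected sends readers of the RSA page to L<EVP_PKEY-DH(7)>. For RSA key components the matching reference would be L<EVP_PKEY-RSA(7)>; this looks like a copy-paste leftover that should be fixed together with "infomation".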
@@ -184,7 +184,7 @@ All of these functions were deprecated in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_new.pod b/doc/man3/SSL_CTX_new.pod
index 61de1a655164..f467f93659b5 100644
--- a/doc/man3/SSL_CTX_new.pod
+++ b/doc/man3/SSL_CTX_new.pod
@@ -100,7 +100,7 @@ provide serialization of access for these cases.
=head1 NOTES
-On session estabilishment, by default, no peer credentials verification is done.
+On session establishment, by default, no peer credentials verification is done.
This must be explicitly requested, typically using L<SSL_CTX_set_verify(3)>.
For verifying peer certificates many options can be set using various functions
such as L<SSL_CTX_load_verify_locations(3)> and L<SSL_CTX_set1_param(3)>.
@@ -249,7 +249,7 @@ SSL_CTX_new_ex() was added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
index 4daf78b8d334..0c6694d4c6a7 100644
--- a/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
+++ b/doc/man3/SSL_CTX_set_tmp_dh_callback.pod
@@ -73,9 +73,9 @@ the built-in parameter support described above. Applications wishing to supply
their own DH parameters should call SSL_CTX_set0_tmp_dh_pkey() or
SSL_set0_tmp_dh_pkey() to supply the parameters for the B<SSL_CTX> or B<SSL>
respectively. The parameters should be supplied in the I<dhpkey> argument as
-an B<EVP_PKEY> containg DH parameters. Ownership of the I<dhpkey> value is
+an B<EVP_PKEY> containing DH parameters. Ownership of the I<dhpkey> value is
passed to the B<SSL_CTX> or B<SSL> object as a result of this call, and so the
-caller should not free it if the function call is succesful.
+caller should not free it if the function call is successful.
The deprecated macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do the same
thing as SSL_CTX_set0_tmp_dh_pkey() and SSL_set0_tmp_dh_pkey() except that the
@@ -112,7 +112,7 @@ L<openssl-ciphers(1)>, L<openssl-dhparam(1)>
=head1 COPYRIGHT
-Copyright 2001-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/SSL_get_verify_result.pod b/doc/man3/SSL_get_verify_result.pod
index ac37408748b2..08c46c0576ba 100644
--- a/doc/man3/SSL_get_verify_result.pod
+++ b/doc/man3/SSL_get_verify_result.pod
@@ -22,6 +22,13 @@ of a certificate can fail because of many reasons at the same time. Only
the last verification error that occurred during the processing is available
from SSL_get_verify_result().
+Sometimes there can be a sequence of errors leading to the verification
+failure as reported by SSL_get_verify_result().
+To get the errors, it is necessary to setup a verify callback via
+L<SSL_CTX_set_verify(3)> or L<SSL_set_verify(3)> and retrieve the errors
+from the error stack there, because once L<SSL_connect(3)> returns,
+these errors may no longer be available.
+
The verification result is part of the established session and is restored
when a session is reused.
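Review bot: in the added paragraph, "it is necessary to setup a verify callback" should use the verb form "set up", and naming only L<SSL_connect(3)> leaves out the server side, where the same applies once SSL_accept(3) or SSL_do_handshake(3) returns. This hunk also adds new documentation rather than fixing a typo, so it deserves a mention in the commit message; it would help to state that the callback must record the errors itself if the application wants to report them after the handshake.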
@@ -56,7 +63,7 @@ L<openssl-verify(1)>
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/X509_STORE_CTX_new.pod b/doc/man3/X509_STORE_CTX_new.pod
index 2319012a98e1..c508a1d3fc1b 100644
--- a/doc/man3/X509_STORE_CTX_new.pod
+++ b/doc/man3/X509_STORE_CTX_new.pod
@@ -177,7 +177,7 @@ administrator might only trust it for the former. An X.509 certificate extension
exists that can record extended key usage information to supplement the purpose
information described above. This extended mechanism is arbitrarily extensible
and not well suited for a generic library API; applications that need to
-validate extended key usage information in certifiates will need to define a
+validate extended key usage information in certificates will need to define a
custom "purpose" (see below) or supply a nondefault verification callback
(L<X509_STORE_set_verify_cb_func(3)>).
@@ -273,7 +273,7 @@ There is no need to call X509_STORE_CTX_cleanup() explicitly since OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
index 43c1900bca78..4627206174a5 100644
--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod
+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod
@@ -223,7 +223,7 @@ X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for
failure.
X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and
-X509_VERIFY_PARAM_get1_ip_asc(), return the string pointers pecified above
+X509_VERIFY_PARAM_get1_ip_asc(), return the string pointer specified above
or NULL if the respective value has not been set or on error.
X509_VERIFY_PARAM_get_flags() returns the current verification flags.
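Review bot: besides fixing "pecified", the replacement line changes "pointers" to "pointer", although the sentence has three functions as its subject. Unless the singular is intended, keep the plural: "return the string pointers specified above".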
diff --git a/doc/man3/X509_add_cert.pod b/doc/man3/X509_add_cert.pod
index 1512d81701b8..907164e9710e 100644
--- a/doc/man3/X509_add_cert.pod
+++ b/doc/man3/X509_add_cert.pod
@@ -31,7 +31,7 @@ The value B<X509_ADD_FLAG_DEFAULT>, which equals 0, means no special semantics.
If B<X509_ADD_FLAG_UP_REF> is set then
the reference counts of those certificates added successfully are increased.
-If B<X509_ADD_FLAG_PREPEND> is set then the certifcates are prepended to I<sk>.
+If B<X509_ADD_FLAG_PREPEND> is set then the certificates are prepended to I<sk>.
By default they are appended to I<sk>.
In both cases the original order of the added certificates is preserved.
@@ -66,7 +66,7 @@ were added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/X509_digest.pod b/doc/man3/X509_digest.pod
index f4921dbc187b..29cce96370c6 100644
--- a/doc/man3/X509_digest.pod
+++ b/doc/man3/X509_digest.pod
@@ -44,9 +44,9 @@ X509_digest_sig() calculates a digest of the given certificate I<cert>
using the same hash algorithm as in its signature, if the digest
is an integral part of the certificate signature algorithm identifier.
Otherwise, a fallback hash algorithm is determined as follows:
-SHA512 if the signature alorithm is ED25519,
+SHA512 if the signature algorithm is ED25519,
SHAKE256 if it is ED448, otherwise SHA256.
-The output parmeters are assigned as follows.
+The output parameters are assigned as follows.
Unless I<md_used> is NULL, the hash algorithm used is provided
in I<*md_used> and must be freed by the caller (if it is not NULL).
Unless I<md_is_fallback> is NULL,
@@ -81,7 +81,7 @@ The X509_digest_sig() function was added in OpenSSL 3.0.
=head1 COPYRIGHT
-Copyright 2017-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index 9fc355c7ce34..1c9e4b95bc7b 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -350,7 +350,7 @@ to generate the function bodies.
B<I<TYPE>_new>() allocates an empty object of the indicated type.
The object returned must be released by calling B<I<TYPE>_free>().
-B<I<TYPE>_new_ex>() is similiar to B<I<TYPE>_new>() but also passes the
+B<I<TYPE>_new_ex>() is similar to B<I<TYPE>_new>() but also passes the
library context I<libctx> and the property query I<propq> to use when retrieving
algorithms from providers. This created object can then be used when loading
binary data using B<d2i_I<TYPE>>().
@@ -383,7 +383,7 @@ deprecated in 3.0.
=head1 COPYRIGHT
-Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2023 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy