1 files changed, 127 insertions, 19 deletions
diff --git a/src/lib/libcrypto/man/PEM_read.3 b/src/lib/libcrypto/man/PEM_read.3
index 1469ccd558..49cdd0f3c5 100644
--- a/src/lib/libcrypto/man/PEM_read.3
+++ b/src/lib/libcrypto/man/PEM_read.3
@@ -1,7 +1,24 @@
-.\"     $OpenBSD: PEM_read.3,v 1.10 2020/06/12 11:37:42 schwarze Exp $
+.\" $OpenBSD: PEM_read.3,v 1.11 2020/06/15 14:13:14 schwarze Exp $
-.\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
+.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
-.\" This file was written by Viktor Dukhovni
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Viktor Dukhovni
 .\" and by Rich Salz <rsalz@openssl.org>.
 .\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
 .\"
@@ -49,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2020 $
+.Dd $Mdocdate: June 15 2020 $
 .Dt PEM_READ 3
 .Os
 .Sh NAME
@@ -57,8 +74,10 @@
 .Nm PEM_write_bio ,
 .Nm PEM_read ,
 .Nm PEM_read_bio ,
+.Nm PEM_get_EVP_CIPHER_INFO ,
 .Nm PEM_do_header ,
-.Nm PEM_get_EVP_CIPHER_INFO
+.Nm PEM_def_callback ,
+.Nm pem_password_cb
 .Nd PEM encoding routines
 .Sh SYNOPSIS
 .In openssl/pem.h
@@ -107,6 +126,20 @@
 .Fa "pem_password_cb *cb"
 .Fa "void *u"
 .Fc
+.Ft int
+.Fo PEM_def_callback
+.Fa "char *password"
+.Fa "int size"
+.Fa "int verify"
+.Fa "void *u"
+.Fc
+.Ft typedef int
+.Fo pem_password_cb
+.Fa "char *password"
+.Fa "int size"
+.Fa "int verify"
+.Fa "void *u"
+.Fc
 .Sh DESCRIPTION
 These functions read and write PEM-encoded objects, using the PEM type
 .Fa name ,
@@ -224,34 +257,83 @@ unknown or some internal error happens, 0 is returned.
 can then be used to decrypt the data if the header indicates encryption.
 The
 .Fa cinfo
-argument is a pointer to the structure initialized by the previous call
+argument is a pointer to the structure initialized by a preceding call
 to
 .Fn PEM_get_EVP_CIPHER_INFO .
+If that structure indicates the absence of encryption,
+.Fn PEM_do_header
+returns sucessfully without taking any action.
 The
 .Fa data
 and
 .Fa len
-arguments are those returned by the previous call to
+arguments are used both to pass in the encrypted data that was
+returned in the same arguments from the preceding call to
 .Fn PEM_read
 or
-.Fn PEM_read_bio .
+.Fn PEM_read_bio
+and to pass out the decrypted data.
+.Pp
+The callback function
+.Fa cb
+is used to obtain the encryption
+.Fa password ;
+if
+.Fa cb
+is
+.Dv NULL ,
+.Fn PEM_def_callback
+is used instead.
 The
+.Fa password
+buffer needs to be at least
+.Fa size
+bytes long.
+.Fn PEM_def_callback
+silently truncates the NUL-terminated byte string
+.Fa u
+to at most
+.Fa num
+bytes and copies it into
+.Fa password
+without a terminating NUL byte.
+If
+.Fa u
+is
+.Dv NULL ,
+.Fn PEM_def_callback
+instead prompts the user for the password with echoing turned off
+by calling
+.Xr EVP_read_pw_string_min 3
+internally.
+In this case, the
+.Fa size
+is silently reduced to at most
+.Dv BUFSIZ
+and at most
+.Fa size No \- 1
+bytes are accepted from the user and copied into the byte string buffer
+.Fa password .
+A callback function
 .Fa cb
-and
+supplied by the application may use
 .Fa u
-arguments make it possible to override the default password prompt
+for a different purpose than
-function as described in
+.Fn PEM_def_callback
-.Xr PEM_read_PrivateKey 3 .
+does, e.g., as auxiliary data to use while acquiring the password.
-On successful completion, the
+For example, a GUI application might pass a window handle.
-.Fa data
+If the
-is decrypted in place, and
+.Fa verify
-.Fa len
+flag is non-zero, the user is prompted twice for the password to
-is updated to indicate the plaintext length.
+make typos less likely and it is checked that both inputs agree.
+This flag is not set by
+.Fn PEM_do_header
+nor by other read functions.
 .Pp
 If the data is a priori known to not be encrypted, then neither
-.Fn PEM_do_header
-nor
 .Fn PEM_get_EVP_CIPHER_INFO
+nor
+.Fn PEM_do_header
 need to be called.
 .Sh RETURN VALUES
 .Fn PEM_read
@@ -276,6 +358,28 @@ return 1 on success or 0 on failure.
 The
 .Fa data
 is likely meaningless if these functions fail.
+.Pp
+.Fn PEM_def_callback
+returns the number of bytes stored into
+.Fa buf
+or a negative value on failure, and
+.Fa cb
+is expected to behave in the same way.
+If
+.Fa u
+is
+.Dv NULL ,
+.Fn PEM_def_callback
+fails if
+.Fa num
+is less than 5
+or if an error occurs trying to prompt the user for the password.
+Otherwise, it fails when
+.Fa num
+is negative.
+The details of the circumstances that cause
+.Fa cb
+to fail may differ.
 .Sh SEE ALSO
 .Xr crypto 3 ,
 .Xr d2i_PKCS8PrivateKey_bio 3 ,
@@ -299,3 +403,7 @@ and
 first appeared in SSLeay 0.6.0.
 These functions have been available since
 .Ox 2.4 .
+.Pp
+.Fn PEM_def_callback
+first appeared in OpenSSL 0.9.7 and has been available since
+.Ox 3.2 .

diff --git a/src/lib/libcrypto/man/PEM_read.3 b/src/lib/libcrypto/man/PEM_read.3 index 1469ccd558..49cdd0f3c5 100644 --- a/src/lib/libcrypto/man/PEM_read.3 +++ b/src/lib/libcrypto/man/PEM_read.3
@@ -1,7 +1,24 @@
1	.\" $OpenBSD: PEM_read.3,v 1.10 2020/06/12 11:37:42 schwarze Exp $	1	.\" $OpenBSD: PEM_read.3,v 1.11 2020/06/15 14:13:14 schwarze Exp $
2	.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400	2	.\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
3	.\"	3	.\"
4	.\" This file was written by Viktor Dukhovni	4	.\" This file is a derived work.
		5	.\" The changes are covered by the following Copyright and license:
		6	.\"
		7	.\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
		8	.\"
		9	.\" Permission to use, copy, modify, and distribute this software for any
		10	.\" purpose with or without fee is hereby granted, provided that the above
		11	.\" copyright notice and this permission notice appear in all copies.
		12	.\"
		13	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		14	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		15	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		16	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		17	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		18	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		19	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		20	.\"
		21	.\" The original file was written by Viktor Dukhovni
5	.\" and by Rich Salz <rsalz@openssl.org>.	22	.\" and by Rich Salz <rsalz@openssl.org>.
6	.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.	23	.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
7	.\"	24	.\"
@@ -49,7 +66,7 @@
49	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	66	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	67	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
51	.\"	68	.\"
52	.Dd $Mdocdate: June 12 2020 $	69	.Dd $Mdocdate: June 15 2020 $
53	.Dt PEM_READ 3	70	.Dt PEM_READ 3
54	.Os	71	.Os
55	.Sh NAME	72	.Sh NAME
@@ -57,8 +74,10 @@
57	.Nm PEM_write_bio ,	74	.Nm PEM_write_bio ,
58	.Nm PEM_read ,	75	.Nm PEM_read ,
59	.Nm PEM_read_bio ,	76	.Nm PEM_read_bio ,
		77	.Nm PEM_get_EVP_CIPHER_INFO ,
60	.Nm PEM_do_header ,	78	.Nm PEM_do_header ,
61	.Nm PEM_get_EVP_CIPHER_INFO	79	.Nm PEM_def_callback ,
		80	.Nm pem_password_cb
62	.Nd PEM encoding routines	81	.Nd PEM encoding routines
63	.Sh SYNOPSIS	82	.Sh SYNOPSIS
64	.In openssl/pem.h	83	.In openssl/pem.h
@@ -107,6 +126,20 @@
107	.Fa "pem_password_cb *cb"	126	.Fa "pem_password_cb *cb"
108	.Fa "void *u"	127	.Fa "void *u"
109	.Fc	128	.Fc
		129	.Ft int
		130	.Fo PEM_def_callback
		131	.Fa "char *password"
		132	.Fa "int size"
		133	.Fa "int verify"
		134	.Fa "void *u"
		135	.Fc
		136	.Ft typedef int
		137	.Fo pem_password_cb
		138	.Fa "char *password"
		139	.Fa "int size"
		140	.Fa "int verify"
		141	.Fa "void *u"
		142	.Fc
110	.Sh DESCRIPTION	143	.Sh DESCRIPTION
111	These functions read and write PEM-encoded objects, using the PEM type	144	These functions read and write PEM-encoded objects, using the PEM type
112	.Fa name ,	145	.Fa name ,
@@ -224,34 +257,83 @@ unknown or some internal error happens, 0 is returned.
224	can then be used to decrypt the data if the header indicates encryption.	257	can then be used to decrypt the data if the header indicates encryption.
225	The	258	The
226	.Fa cinfo	259	.Fa cinfo
227	argument is a pointer to the structure initialized by the previous call	260	argument is a pointer to the structure initialized by a preceding call
228	to	261	to
229	.Fn PEM_get_EVP_CIPHER_INFO .	262	.Fn PEM_get_EVP_CIPHER_INFO .
		263	If that structure indicates the absence of encryption,
		264	.Fn PEM_do_header
		265	returns sucessfully without taking any action.
230	The	266	The
231	.Fa data	267	.Fa data
232	and	268	and
233	.Fa len	269	.Fa len
234	arguments are those returned by the previous call to	270	arguments are used both to pass in the encrypted data that was
		271	returned in the same arguments from the preceding call to
235	.Fn PEM_read	272	.Fn PEM_read
236	or	273	or
237	.Fn PEM_read_bio .	274	.Fn PEM_read_bio
		275	and to pass out the decrypted data.
		276	.Pp
		277	The callback function
		278	.Fa cb
		279	is used to obtain the encryption
		280	.Fa password ;
		281	if
		282	.Fa cb
		283	is
		284	.Dv NULL ,
		285	.Fn PEM_def_callback
		286	is used instead.
238	The	287	The
		288	.Fa password
		289	buffer needs to be at least
		290	.Fa size
		291	bytes long.
		292	.Fn PEM_def_callback
		293	silently truncates the NUL-terminated byte string
		294	.Fa u
		295	to at most
		296	.Fa num
		297	bytes and copies it into
		298	.Fa password
		299	without a terminating NUL byte.
		300	If
		301	.Fa u
		302	is
		303	.Dv NULL ,
		304	.Fn PEM_def_callback
		305	instead prompts the user for the password with echoing turned off
		306	by calling
		307	.Xr EVP_read_pw_string_min 3
		308	internally.
		309	In this case, the
		310	.Fa size
		311	is silently reduced to at most
		312	.Dv BUFSIZ
		313	and at most
		314	.Fa size No \- 1
		315	bytes are accepted from the user and copied into the byte string buffer
		316	.Fa password .
		317	A callback function
239	.Fa cb	318	.Fa cb
240	and	319	supplied by the application may use
241	.Fa u	320	.Fa u
242	arguments make it possible to override the default password prompt	321	for a different purpose than
243	function as described in	322	.Fn PEM_def_callback
244	.Xr PEM_read_PrivateKey 3 .	323	does, e.g., as auxiliary data to use while acquiring the password.
245	On successful completion, the	324	For example, a GUI application might pass a window handle.
246	.Fa data	325	If the
247	is decrypted in place, and	326	.Fa verify
248	.Fa len	327	flag is non-zero, the user is prompted twice for the password to
249	is updated to indicate the plaintext length.	328	make typos less likely and it is checked that both inputs agree.
		329	This flag is not set by
		330	.Fn PEM_do_header
		331	nor by other read functions.
250	.Pp	332	.Pp
251	If the data is a priori known to not be encrypted, then neither	333	If the data is a priori known to not be encrypted, then neither
252	.Fn PEM_do_header
253	nor
254	.Fn PEM_get_EVP_CIPHER_INFO	334	.Fn PEM_get_EVP_CIPHER_INFO
		335	nor
		336	.Fn PEM_do_header
255	need to be called.	337	need to be called.
256	.Sh RETURN VALUES	338	.Sh RETURN VALUES
257	.Fn PEM_read	339	.Fn PEM_read
@@ -276,6 +358,28 @@ return 1 on success or 0 on failure.
276	The	358	The
277	.Fa data	359	.Fa data
278	is likely meaningless if these functions fail.	360	is likely meaningless if these functions fail.
		361	.Pp
		362	.Fn PEM_def_callback
		363	returns the number of bytes stored into
		364	.Fa buf
		365	or a negative value on failure, and
		366	.Fa cb
		367	is expected to behave in the same way.
		368	If
		369	.Fa u
		370	is
		371	.Dv NULL ,
		372	.Fn PEM_def_callback
		373	fails if
		374	.Fa num
		375	is less than 5
		376	or if an error occurs trying to prompt the user for the password.
		377	Otherwise, it fails when
		378	.Fa num
		379	is negative.
		380	The details of the circumstances that cause
		381	.Fa cb
		382	to fail may differ.
279	.Sh SEE ALSO	383	.Sh SEE ALSO
280	.Xr crypto 3 ,	384	.Xr crypto 3 ,
281	.Xr d2i_PKCS8PrivateKey_bio 3 ,	385	.Xr d2i_PKCS8PrivateKey_bio 3 ,
@@ -299,3 +403,7 @@ and
299	first appeared in SSLeay 0.6.0.	403	first appeared in SSLeay 0.6.0.
300	These functions have been available since	404	These functions have been available since
301	.Ox 2.4 .	405	.Ox 2.4 .
		406	.Pp
		407	.Fn PEM_def_callback
		408	first appeared in OpenSSL 0.9.7 and has been available since
		409	.Ox 3.2 .