1 files changed, 137 insertions, 3 deletions
diff --git a/src/lib/libssl/src/doc/apps/config.pod b/src/lib/libssl/src/doc/apps/config.pod
index ce874a42ce..8f823fa6d6 100644
--- a/src/lib/libssl/src/doc/apps/config.pod
+++ b/src/lib/libssl/src/doc/apps/config.pod
@@ -10,7 +10,8 @@ config - OpenSSL CONF library configuration files
 The OpenSSL CONF library can be used to read configuration files.
 It is used for the OpenSSL master configuration file B<openssl.cnf>
 and in a few other places like B<SPKAC> files and certificate extension
-files for the B<x509> utility.
+files for the B<x509> utility. OpenSSL applications can also use the
+CONF library for their own purposes.
 A configuration file is divided into a number of sections. Each section
 starts with a line B<[ section_name ]> and ends when a new section is
@@ -51,13 +52,146 @@ or the B<\> character. By making the last character of a line a B<\>
 a B<value> string can be spread across multiple lines. In addition
 the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized.
+=head1 OPENSSL LIBRARY CONFIGURATION
+In OpenSSL 0.9.7 and later applications can automatically configure certain
+aspects of OpenSSL using the master OpenSSL configuration file, or optionally
+an alternative configuration file. The B<openssl> utility includes this
+functionality: any sub command uses the master OpenSSL configuration file
+unless an option is used in the sub command to use an alternative configuration
+file.
+To enable library configuration the default section needs to contain an 
+appropriate line which points to the main configuration section. The default
+name is B<openssl_conf> which is used by the B<openssl> utility. Other
+applications may use an alternative name such as B<myapplicaton_conf>.
+The configuration section should consist of a set of name value pairs which
+contain specific module configuration information. The B<name> represents
+the name of the I<configuration module> the meaning of the B<value> is 
+module specific: it may, for example, represent a further configuration
+section containing configuration module specific information. E.g.
+ openssl_conf = openssl_init
+ [openssl_init]
+ oid_section = new_oids
+ engines = engine_section
+ [new_oids]
+ ... new oids here ...
+ [engine_section]
+ ... engine stuff here ...
+Currently there are two configuration modules. One for ASN1 objects another
+for ENGINE configuration.
+=head2 ASN1 OBJECT CONFIGURATION MODULE
+This module has the name B<oid_section>. The value of this variable points
+to a section containing name value pairs of OIDs: the name is the OID short
+and long name, the value is the numerical form of the OID. Although some of
+the B<openssl> utility sub commands already have their own ASN1 OBJECT section
+functionality not all do. By using the ASN1 OBJECT configuration module
+B<all> the B<openssl> utility sub commands can see the new objects as well
+as any compliant applications. For example:
+ [new_oids]
+ 
+ some_new_oid = 1.2.3.4
+ some_other_oid = 1.2.3.5
+=head2 ENGINE CONFIGURATION MODULE
+This ENGINE configuration module has the name B<engines>. The value of this
+variable points to a section containing further ENGINE configuration
+information.
+The section pointed to by B<engines> is a table of engine names (though see
+B<engine_id> below) and further sections containing configuration informations
+specific to each ENGINE.
+Each ENGINE specific section is used to set default algorithms, load
+dynamic, perform initialization and send ctrls. The actual operation performed
+depends on the I<command> name which is the name of the name value pair. The
+currently supported commands are listed below.
+For example:
+ [engine_section]
+ # Configure ENGINE named "foo"
+ foo = foo_section
+ # Configure ENGINE named "bar"
+ bar = bar_section
+ [foo_section]
+ ... foo ENGINE specific commands ...
+ [bar_section]
+ ... "bar" ENGINE specific commands ...
+The command B<engine_id> is used to give the ENGINE name. If used this 
+command must be first. For example:
+ [engine_section]
+ # This would normally handle an ENGINE named "foo"
+ foo = foo_section
+ [foo_section]
+ # Override default name and use "myfoo" instead.
+ engine_id = myfoo
+The command B<dynamic_path> loads and adds an ENGINE from the given path. It
+is equivalent to sending the ctrls B<SO_PATH> with the path argument followed
+by B<LIST_ADD> with value 2 and B<LOAD> to the dynamic ENGINE. If this is
+not the required behaviour then alternative ctrls can be sent directly
+to the dynamic ENGINE using ctrl commands.
+The command B<init> determines whether to initialize the ENGINE. If the value
+is B<0> the ENGINE will not be initialized, if B<1> and attempt it made to
+initialized the ENGINE immediately. If the B<init> command is not present
+then an attempt will be made to initialize the ENGINE after all commands in
+its section have been processed.
+The command B<default_algorithms> sets the default algorithms an ENGINE will
+supply using the functions B<ENGINE_set_default_string()>
+If the name matches none of the above command names it is assumed to be a
+ctrl command which is sent to the ENGINE. The value of the command is the 
+argument to the ctrl command. If the value is the string B<EMPTY> then no
+value is sent to the command.
+For example:
+ [engine_section]
+ # Configure ENGINE named "foo"
+ foo = foo_section
+ [foo_section]
+ # Load engine from DSO
+ dynamic_path = /some/path/fooengine.so
+ # A foo specific ctrl.
+ some_ctrl = some_value
+ # Another ctrl that doesn't take a value.
+ other_ctrl = EMPTY
+ # Supply all default algorithms
+ default_algorithms = ALL
 =head1 NOTES
 If a configuration file attempts to expand a variable that doesn't exist
 then an error is flagged and the file will not load. This can happen
 if an attempt is made to expand an environment variable that doesn't
-exist. For example the default OpenSSL master configuration file used
+exist. For example in a previous version of OpenSSL the default OpenSSL
-the value of B<HOME> which may not be defined on non Unix systems.
+master configuration file used the value of B<HOME> which may not be
+defined on non Unix systems and would cause an error.
 This can be worked around by including a B<default> section to provide
 a default value: then if the environment lookup fails the default value

diff --git a/src/lib/libssl/src/doc/apps/config.pod b/src/lib/libssl/src/doc/apps/config.pod index ce874a42ce..8f823fa6d6 100644 --- a/src/lib/libssl/src/doc/apps/config.pod +++ b/src/lib/libssl/src/doc/apps/config.pod
@@ -10,7 +10,8 @@ config - OpenSSL CONF library configuration files
10	The OpenSSL CONF library can be used to read configuration files.	10	The OpenSSL CONF library can be used to read configuration files.
11	It is used for the OpenSSL master configuration file B<openssl.cnf>	11	It is used for the OpenSSL master configuration file B<openssl.cnf>
12	and in a few other places like B<SPKAC> files and certificate extension	12	and in a few other places like B<SPKAC> files and certificate extension
13	files for the B<x509> utility.	13	files for the B<x509> utility. OpenSSL applications can also use the
		14	CONF library for their own purposes.
14		15
15	A configuration file is divided into a number of sections. Each section	16	A configuration file is divided into a number of sections. Each section
16	starts with a line B<[ section_name ]> and ends when a new section is	17	starts with a line B<[ section_name ]> and ends when a new section is
@@ -51,13 +52,146 @@ or the B<\> character. By making the last character of a line a B<\>
51	a B<value> string can be spread across multiple lines. In addition	52	a B<value> string can be spread across multiple lines. In addition
52	the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized.	53	the sequences B<\n>, B<\r>, B<\b> and B<\t> are recognized.
53		54
		55	=head1 OPENSSL LIBRARY CONFIGURATION
		56
		57	In OpenSSL 0.9.7 and later applications can automatically configure certain
		58	aspects of OpenSSL using the master OpenSSL configuration file, or optionally
		59	an alternative configuration file. The B<openssl> utility includes this
		60	functionality: any sub command uses the master OpenSSL configuration file
		61	unless an option is used in the sub command to use an alternative configuration
		62	file.
		63
		64	To enable library configuration the default section needs to contain an
		65	appropriate line which points to the main configuration section. The default
		66	name is B<openssl_conf> which is used by the B<openssl> utility. Other
		67	applications may use an alternative name such as B<myapplicaton_conf>.
		68
		69	The configuration section should consist of a set of name value pairs which
		70	contain specific module configuration information. The B<name> represents
		71	the name of the I<configuration module> the meaning of the B<value> is
		72	module specific: it may, for example, represent a further configuration
		73	section containing configuration module specific information. E.g.
		74
		75	openssl_conf = openssl_init
		76
		77	[openssl_init]
		78
		79	oid_section = new_oids
		80	engines = engine_section
		81
		82	[new_oids]
		83
		84	... new oids here ...
		85
		86	[engine_section]
		87
		88	... engine stuff here ...
		89
		90	Currently there are two configuration modules. One for ASN1 objects another
		91	for ENGINE configuration.
		92
		93	=head2 ASN1 OBJECT CONFIGURATION MODULE
		94
		95	This module has the name B<oid_section>. The value of this variable points
		96	to a section containing name value pairs of OIDs: the name is the OID short
		97	and long name, the value is the numerical form of the OID. Although some of
		98	the B<openssl> utility sub commands already have their own ASN1 OBJECT section
		99	functionality not all do. By using the ASN1 OBJECT configuration module
		100	B<all> the B<openssl> utility sub commands can see the new objects as well
		101	as any compliant applications. For example:
		102
		103	[new_oids]
		104
		105	some_new_oid = 1.2.3.4
		106	some_other_oid = 1.2.3.5
		107
		108	=head2 ENGINE CONFIGURATION MODULE
		109
		110	This ENGINE configuration module has the name B<engines>. The value of this
		111	variable points to a section containing further ENGINE configuration
		112	information.
		113
		114	The section pointed to by B<engines> is a table of engine names (though see
		115	B<engine_id> below) and further sections containing configuration informations
		116	specific to each ENGINE.
		117
		118	Each ENGINE specific section is used to set default algorithms, load
		119	dynamic, perform initialization and send ctrls. The actual operation performed
		120	depends on the I<command> name which is the name of the name value pair. The
		121	currently supported commands are listed below.
		122
		123	For example:
		124
		125	[engine_section]
		126
		127	# Configure ENGINE named "foo"
		128	foo = foo_section
		129	# Configure ENGINE named "bar"
		130	bar = bar_section
		131
		132	[foo_section]
		133	... foo ENGINE specific commands ...
		134
		135	[bar_section]
		136	... "bar" ENGINE specific commands ...
		137
		138	The command B<engine_id> is used to give the ENGINE name. If used this
		139	command must be first. For example:
		140
		141	[engine_section]
		142	# This would normally handle an ENGINE named "foo"
		143	foo = foo_section
		144
		145	[foo_section]
		146	# Override default name and use "myfoo" instead.
		147	engine_id = myfoo
		148
		149	The command B<dynamic_path> loads and adds an ENGINE from the given path. It
		150	is equivalent to sending the ctrls B<SO_PATH> with the path argument followed
		151	by B<LIST_ADD> with value 2 and B<LOAD> to the dynamic ENGINE. If this is
		152	not the required behaviour then alternative ctrls can be sent directly
		153	to the dynamic ENGINE using ctrl commands.
		154
		155	The command B<init> determines whether to initialize the ENGINE. If the value
		156	is B<0> the ENGINE will not be initialized, if B<1> and attempt it made to
		157	initialized the ENGINE immediately. If the B<init> command is not present
		158	then an attempt will be made to initialize the ENGINE after all commands in
		159	its section have been processed.
		160
		161	The command B<default_algorithms> sets the default algorithms an ENGINE will
		162	supply using the functions B<ENGINE_set_default_string()>
		163
		164	If the name matches none of the above command names it is assumed to be a
		165	ctrl command which is sent to the ENGINE. The value of the command is the
		166	argument to the ctrl command. If the value is the string B<EMPTY> then no
		167	value is sent to the command.
		168
		169	For example:
		170
		171
		172	[engine_section]
		173
		174	# Configure ENGINE named "foo"
		175	foo = foo_section
		176
		177	[foo_section]
		178	# Load engine from DSO
		179	dynamic_path = /some/path/fooengine.so
		180	# A foo specific ctrl.
		181	some_ctrl = some_value
		182	# Another ctrl that doesn't take a value.
		183	other_ctrl = EMPTY
		184	# Supply all default algorithms
		185	default_algorithms = ALL
		186
54	=head1 NOTES	187	=head1 NOTES
55		188
56	If a configuration file attempts to expand a variable that doesn't exist	189	If a configuration file attempts to expand a variable that doesn't exist
57	then an error is flagged and the file will not load. This can happen	190	then an error is flagged and the file will not load. This can happen
58	if an attempt is made to expand an environment variable that doesn't	191	if an attempt is made to expand an environment variable that doesn't
59	exist. For example the default OpenSSL master configuration file used	192	exist. For example in a previous version of OpenSSL the default OpenSSL
60	the value of B<HOME> which may not be defined on non Unix systems.	193	master configuration file used the value of B<HOME> which may not be
		194	defined on non Unix systems and would cause an error.
61		195
62	This can be worked around by including a B<default> section to provide	196	This can be worked around by including a B<default> section to provide
63	a default value: then if the environment lookup fails the default value	197	a default value: then if the environment lookup fails the default value