From e2496982472bdf233be95c5ea72d1c4dc6c91db3 Mon Sep 17 00:00:00 2001 
From: cvs2svn Date: Sun, 23 Apr 2023 13:43:47 +0000 Subject: This commit was manufactured by cvs2git to create tag 'tb_20230422'. --- src/lib/libssl/man/BIO_f_ssl.3 | 632 --------------------- src/lib/libssl/man/DTLSv1_listen.3 | 187 ------ src/lib/libssl/man/Makefile | 134 ----- src/lib/libssl/man/OPENSSL_init_ssl.3 | 76 --- src/lib/libssl/man/PEM_read_SSL_SESSION.3 | 147 ----- src/lib/libssl/man/SSL_CIPHER_get_name.3 | 378 ------------ .../libssl/man/SSL_COMP_add_compression_method.3 | 58 -- src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 | 222 -------- src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 | 160 ------ src/lib/libssl/man/SSL_CTX_add_session.3 | 132 ----- src/lib/libssl/man/SSL_CTX_ctrl.3 | 122 ---- src/lib/libssl/man/SSL_CTX_flush_sessions.3 | 100 ---- src/lib/libssl/man/SSL_CTX_free.3 | 101 ---- src/lib/libssl/man/SSL_CTX_get0_certificate.3 | 51 -- src/lib/libssl/man/SSL_CTX_get_ex_new_index.3 | 124 ---- src/lib/libssl/man/SSL_CTX_get_verify_mode.3 | 131 ----- src/lib/libssl/man/SSL_CTX_load_verify_locations.3 | 238 -------- src/lib/libssl/man/SSL_CTX_new.3 | 345 ----------- src/lib/libssl/man/SSL_CTX_sess_number.3 | 168 ------ src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 | 109 ---- src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 | 221 ------- src/lib/libssl/man/SSL_CTX_sessions.3 | 86 --- src/lib/libssl/man/SSL_CTX_set1_groups.3 | 163 ------ src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 | 277 --------- src/lib/libssl/man/SSL_CTX_set_cert_store.3 | 130 ----- .../libssl/man/SSL_CTX_set_cert_verify_callback.3 | 163 ------ src/lib/libssl/man/SSL_CTX_set_cipher_list.3 | 391 ------------- src/lib/libssl/man/SSL_CTX_set_client_CA_list.3 | 183 ------ src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 | 191 ------- src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 | 171 ------ .../libssl/man/SSL_CTX_set_generate_session_id.3 | 221 ------- src/lib/libssl/man/SSL_CTX_set_info_callback.3 | 233 -------- src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 | 56 -- 
src/lib/libssl/man/SSL_CTX_set_max_cert_list.3 | 154 ----- src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 | 156 ----- src/lib/libssl/man/SSL_CTX_set_mode.3 | 204 ------- src/lib/libssl/man/SSL_CTX_set_msg_callback.3 | 183 ------ src/lib/libssl/man/SSL_CTX_set_num_tickets.3 | 63 -- src/lib/libssl/man/SSL_CTX_set_options.3 | 374 ------------ src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 | 161 ------ src/lib/libssl/man/SSL_CTX_set_read_ahead.3 | 144 ----- src/lib/libssl/man/SSL_CTX_set_security_level.3 | 159 ------ .../libssl/man/SSL_CTX_set_session_cache_mode.3 | 198 ------- .../libssl/man/SSL_CTX_set_session_id_context.3 | 160 ------ src/lib/libssl/man/SSL_CTX_set_ssl_version.3 | 146 ----- src/lib/libssl/man/SSL_CTX_set_timeout.3 | 118 ---- .../man/SSL_CTX_set_tlsext_servername_callback.3 | 247 -------- src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 | 238 -------- .../libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 | 300 ---------- src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 | 197 ------- src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 | 230 -------- src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 | 114 ---- src/lib/libssl/man/SSL_CTX_set_verify.3 | 479 ---------------- src/lib/libssl/man/SSL_CTX_use_certificate.3 | 451 --------------- src/lib/libssl/man/SSL_SESSION_free.3 | 148 ----- src/lib/libssl/man/SSL_SESSION_get0_cipher.3 | 94 --- src/lib/libssl/man/SSL_SESSION_get0_peer.3 | 80 --- src/lib/libssl/man/SSL_SESSION_get_compress_id.3 | 78 --- src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 | 134 ----- src/lib/libssl/man/SSL_SESSION_get_id.3 | 112 ---- .../libssl/man/SSL_SESSION_get_protocol_version.3 | 84 --- src/lib/libssl/man/SSL_SESSION_get_time.3 | 165 ------ src/lib/libssl/man/SSL_SESSION_has_ticket.3 | 85 --- src/lib/libssl/man/SSL_SESSION_is_resumable.3 | 81 --- src/lib/libssl/man/SSL_SESSION_new.3 | 78 --- src/lib/libssl/man/SSL_SESSION_print.3 | 74 --- src/lib/libssl/man/SSL_SESSION_set1_id_context.3 | 113 ---- 
src/lib/libssl/man/SSL_accept.3 | 155 ----- src/lib/libssl/man/SSL_alert_type_string.3 | 244 -------- src/lib/libssl/man/SSL_clear.3 | 144 ----- src/lib/libssl/man/SSL_connect.3 | 154 ----- src/lib/libssl/man/SSL_copy_session_id.3 | 79 --- src/lib/libssl/man/SSL_do_handshake.3 | 152 ----- src/lib/libssl/man/SSL_dup.3 | 62 -- src/lib/libssl/man/SSL_dup_CA_list.3 | 54 -- src/lib/libssl/man/SSL_export_keying_material.3 | 133 ----- src/lib/libssl/man/SSL_free.3 | 115 ---- src/lib/libssl/man/SSL_get_SSL_CTX.3 | 79 --- src/lib/libssl/man/SSL_get_certificate.3 | 64 --- src/lib/libssl/man/SSL_get_ciphers.3 | 249 -------- src/lib/libssl/man/SSL_get_client_CA_list.3 | 96 ---- src/lib/libssl/man/SSL_get_client_random.3 | 150 ----- src/lib/libssl/man/SSL_get_current_cipher.3 | 122 ---- src/lib/libssl/man/SSL_get_default_timeout.3 | 85 --- src/lib/libssl/man/SSL_get_error.3 | 217 ------- .../man/SSL_get_ex_data_X509_STORE_CTX_idx.3 | 116 ---- src/lib/libssl/man/SSL_get_ex_new_index.3 | 136 ----- src/lib/libssl/man/SSL_get_fd.3 | 103 ---- src/lib/libssl/man/SSL_get_finished.3 | 77 --- src/lib/libssl/man/SSL_get_peer_cert_chain.3 | 107 ---- src/lib/libssl/man/SSL_get_peer_certificate.3 | 105 ---- src/lib/libssl/man/SSL_get_rbio.3 | 98 ---- src/lib/libssl/man/SSL_get_server_tmp_key.3 | 89 --- src/lib/libssl/man/SSL_get_session.3 | 163 ------ src/lib/libssl/man/SSL_get_shared_ciphers.3 | 103 ---- src/lib/libssl/man/SSL_get_state.3 | 161 ------ src/lib/libssl/man/SSL_get_verify_result.3 | 102 ---- src/lib/libssl/man/SSL_get_version.3 | 123 ---- src/lib/libssl/man/SSL_library_init.3 | 98 ---- src/lib/libssl/man/SSL_load_client_CA_file.3 | 185 ------ src/lib/libssl/man/SSL_new.3 | 110 ---- src/lib/libssl/man/SSL_num_renegotiations.3 | 75 --- src/lib/libssl/man/SSL_pending.3 | 90 --- src/lib/libssl/man/SSL_read.3 | 278 --------- src/lib/libssl/man/SSL_read_early_data.3 | 174 ------ src/lib/libssl/man/SSL_renegotiate.3 | 166 ------ src/lib/libssl/man/SSL_rstate_string.3 | 108 ---- 
src/lib/libssl/man/SSL_session_reused.3 | 84 --- src/lib/libssl/man/SSL_set1_host.3 | 172 ------ src/lib/libssl/man/SSL_set1_param.3 | 137 ----- src/lib/libssl/man/SSL_set_SSL_CTX.3 | 67 --- src/lib/libssl/man/SSL_set_bio.3 | 99 ---- src/lib/libssl/man/SSL_set_connect_state.3 | 153 ----- src/lib/libssl/man/SSL_set_fd.3 | 129 ----- src/lib/libssl/man/SSL_set_max_send_fragment.3 | 97 ---- .../libssl/man/SSL_set_psk_use_session_callback.3 | 86 --- src/lib/libssl/man/SSL_set_session.3 | 119 ---- src/lib/libssl/man/SSL_set_shutdown.3 | 138 ----- src/lib/libssl/man/SSL_set_tmp_ecdh.3 | 119 ---- src/lib/libssl/man/SSL_set_verify_result.3 | 90 --- src/lib/libssl/man/SSL_shutdown.3 | 253 --------- src/lib/libssl/man/SSL_state_string.3 | 110 ---- src/lib/libssl/man/SSL_want.3 | 161 ------ src/lib/libssl/man/SSL_write.3 | 249 -------- src/lib/libssl/man/d2i_SSL_SESSION.3 | 181 ------ src/lib/libssl/man/ssl.3 | 367 ------------ 126 files changed, 19835 deletions(-) delete mode 100644 src/lib/libssl/man/BIO_f_ssl.3 delete mode 100644 src/lib/libssl/man/DTLSv1_listen.3 delete mode 100644 src/lib/libssl/man/Makefile delete mode 100644 src/lib/libssl/man/OPENSSL_init_ssl.3 delete mode 100644 src/lib/libssl/man/PEM_read_SSL_SESSION.3 delete mode 100644 src/lib/libssl/man/SSL_CIPHER_get_name.3 delete mode 100644 src/lib/libssl/man/SSL_COMP_add_compression_method.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_add_session.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_ctrl.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_flush_sessions.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_free.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_get0_certificate.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_get_ex_new_index.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_get_verify_mode.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_load_verify_locations.3 
delete mode 100644 src/lib/libssl/man/SSL_CTX_new.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_sess_number.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_sessions.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set1_groups.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_cert_store.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_cipher_list.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_client_CA_list.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_info_callback.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_max_cert_list.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_mode.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_msg_callback.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_num_tickets.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_options.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_read_ahead.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_security_level.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_session_id_context.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_ssl_version.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_timeout.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 delete mode 100644 
src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_set_verify.3 delete mode 100644 src/lib/libssl/man/SSL_CTX_use_certificate.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_free.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_get0_cipher.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_get0_peer.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_get_compress_id.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_get_id.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_get_protocol_version.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_get_time.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_has_ticket.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_is_resumable.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_new.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_print.3 delete mode 100644 src/lib/libssl/man/SSL_SESSION_set1_id_context.3 delete mode 100644 src/lib/libssl/man/SSL_accept.3 delete mode 100644 src/lib/libssl/man/SSL_alert_type_string.3 delete mode 100644 src/lib/libssl/man/SSL_clear.3 delete mode 100644 src/lib/libssl/man/SSL_connect.3 delete mode 100644 src/lib/libssl/man/SSL_copy_session_id.3 delete mode 100644 src/lib/libssl/man/SSL_do_handshake.3 delete mode 100644 src/lib/libssl/man/SSL_dup.3 delete mode 100644 src/lib/libssl/man/SSL_dup_CA_list.3 delete mode 100644 src/lib/libssl/man/SSL_export_keying_material.3 delete mode 100644 src/lib/libssl/man/SSL_free.3 delete mode 100644 src/lib/libssl/man/SSL_get_SSL_CTX.3 delete mode 100644 src/lib/libssl/man/SSL_get_certificate.3 delete mode 100644 src/lib/libssl/man/SSL_get_ciphers.3 
delete mode 100644 src/lib/libssl/man/SSL_get_client_CA_list.3 delete mode 100644 src/lib/libssl/man/SSL_get_client_random.3 delete mode 100644 src/lib/libssl/man/SSL_get_current_cipher.3 delete mode 100644 src/lib/libssl/man/SSL_get_default_timeout.3 delete mode 100644 src/lib/libssl/man/SSL_get_error.3 delete mode 100644 src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 delete mode 100644 src/lib/libssl/man/SSL_get_ex_new_index.3 delete mode 100644 src/lib/libssl/man/SSL_get_fd.3 delete mode 100644 src/lib/libssl/man/SSL_get_finished.3 delete mode 100644 src/lib/libssl/man/SSL_get_peer_cert_chain.3 delete mode 100644 src/lib/libssl/man/SSL_get_peer_certificate.3 delete mode 100644 src/lib/libssl/man/SSL_get_rbio.3 delete mode 100644 src/lib/libssl/man/SSL_get_server_tmp_key.3 delete mode 100644 src/lib/libssl/man/SSL_get_session.3 delete mode 100644 src/lib/libssl/man/SSL_get_shared_ciphers.3 delete mode 100644 src/lib/libssl/man/SSL_get_state.3 delete mode 100644 src/lib/libssl/man/SSL_get_verify_result.3 delete mode 100644 src/lib/libssl/man/SSL_get_version.3 delete mode 100644 src/lib/libssl/man/SSL_library_init.3 delete mode 100644 src/lib/libssl/man/SSL_load_client_CA_file.3 delete mode 100644 src/lib/libssl/man/SSL_new.3 delete mode 100644 src/lib/libssl/man/SSL_num_renegotiations.3 delete mode 100644 src/lib/libssl/man/SSL_pending.3 delete mode 100644 src/lib/libssl/man/SSL_read.3 delete mode 100644 src/lib/libssl/man/SSL_read_early_data.3 delete mode 100644 src/lib/libssl/man/SSL_renegotiate.3 delete mode 100644 src/lib/libssl/man/SSL_rstate_string.3 delete mode 100644 src/lib/libssl/man/SSL_session_reused.3 delete mode 100644 src/lib/libssl/man/SSL_set1_host.3 delete mode 100644 src/lib/libssl/man/SSL_set1_param.3 delete mode 100644 src/lib/libssl/man/SSL_set_SSL_CTX.3 delete mode 100644 src/lib/libssl/man/SSL_set_bio.3 delete mode 100644 src/lib/libssl/man/SSL_set_connect_state.3 delete mode 100644 src/lib/libssl/man/SSL_set_fd.3 delete mode 
100644 src/lib/libssl/man/SSL_set_max_send_fragment.3
delete mode 100644 src/lib/libssl/man/SSL_set_psk_use_session_callback.3
delete mode 100644 src/lib/libssl/man/SSL_set_session.3
delete mode 100644 src/lib/libssl/man/SSL_set_shutdown.3
delete mode 100644 src/lib/libssl/man/SSL_set_tmp_ecdh.3
delete mode 100644 src/lib/libssl/man/SSL_set_verify_result.3
delete mode 100644 src/lib/libssl/man/SSL_shutdown.3
delete mode 100644 src/lib/libssl/man/SSL_state_string.3
delete mode 100644 src/lib/libssl/man/SSL_want.3
delete mode 100644 src/lib/libssl/man/SSL_write.3
delete mode 100644 src/lib/libssl/man/d2i_SSL_SESSION.3
delete mode 100644 src/lib/libssl/man/ssl.3
(limited to 'src/lib/libssl/man')
diff --git a/src/lib/libssl/man/BIO_f_ssl.3 b/src/lib/libssl/man/BIO_f_ssl.3
deleted file mode 100644
index ed26816779..0000000000
--- a/src/lib/libssl/man/BIO_f_ssl.3
+++ /dev/null
@@ -1,632 +0,0 @@
-.\" $OpenBSD: BIO_f_ssl.3,v 1.14 2023/04/11 16:58:43 schwarze Exp $
-.\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500
-.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Dr. Stephen Henson .
-.\" Copyright (c) 2000, 2003, 2009, 2014-2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 11 2023 $
-.Dt BIO_F_SSL 3
-.Os
-.Sh NAME
-.Nm BIO_f_ssl ,
-.Nm BIO_set_ssl ,
-.Nm BIO_get_ssl ,
-.Nm BIO_set_ssl_mode ,
-.Nm BIO_set_ssl_renegotiate_bytes ,
-.Nm BIO_get_num_renegotiates ,
-.Nm BIO_set_ssl_renegotiate_timeout ,
-.Nm BIO_new_ssl ,
-.Nm BIO_new_ssl_connect ,
-.Nm BIO_new_buffer_ssl_connect ,
-.Nm BIO_ssl_copy_session_id ,
-.Nm BIO_ssl_shutdown ,
-.Nm BIO_do_handshake
-.Nd SSL BIO
-.Sh SYNOPSIS
-.In openssl/bio.h
-.In openssl/ssl.h
-.Ft const BIO_METHOD *
-.Fn BIO_f_ssl void
-.Ft long
-.Fo BIO_set_ssl
-.Fa "BIO *b"
-.Fa "SSL *ssl"
-.Fa "long c"
-.Fc
-.Ft long
-.Fo BIO_get_ssl
-.Fa "BIO *b"
-.Fa "SSL *sslp"
-.Fc
-.Ft long
-.Fo BIO_set_ssl_mode
-.Fa "BIO *b"
-.Fa "long client"
-.Fc
-.Ft long
-.Fo BIO_set_ssl_renegotiate_bytes
-.Fa "BIO *b"
-.Fa "long num"
-.Fc
-.Ft long
-.Fo BIO_set_ssl_renegotiate_timeout
-.Fa "BIO *b"
-.Fa "long seconds"
-.Fc
-.Ft long
-.Fo BIO_get_num_renegotiates
-.Fa "BIO *b"
-.Fc
-.Ft BIO *
-.Fn BIO_new_ssl "SSL_CTX *ctx" "int client"
-.Ft BIO *
-.Fn BIO_new_ssl_connect "SSL_CTX *ctx"
-.Ft BIO *
-.Fn BIO_new_buffer_ssl_connect "SSL_CTX *ctx"
-.Ft int
-.Fn BIO_ssl_copy_session_id "BIO *to" "BIO *from"
-.Ft void
-.Fn BIO_ssl_shutdown "BIO *bio"
-.Ft long
-.Fn BIO_do_handshake "BIO *b"
-.Sh DESCRIPTION
-.Fn BIO_f_ssl
-returns the
-.Vt SSL
-.Vt BIO
-method.
-This is a filter
-.Vt BIO
-which is a wrapper around the OpenSSL
-.Vt SSL
-routines adding a
-.Vt BIO
-.Dq flavor
-to SSL I/O.
-.Pp
-I/O performed on an
-.Vt SSL
-.Vt BIO
-communicates using the SSL protocol with
-the
-.Vt SSL Ns 's
-read and write
-.Vt BIO Ns s .
-If an SSL connection is not established then an attempt is made to establish
-one on the first I/O call.
-.Pp
-If a
-.Vt BIO
-is appended to an
-.Vt SSL
-.Vt BIO
-using
-.Xr BIO_push 3 ,
-it is automatically used as the
-.Vt SSL
-.Vt BIO Ns 's read and write
-.Vt BIO Ns s .
-.Pp
-Calling
-.Xr BIO_reset 3
-on an
-.Vt SSL
-.Vt BIO
-closes down any current SSL connection by calling
-.Xr SSL_shutdown 3 .
-.Xr BIO_reset 3
-is then sent to the next
-.Vt BIO
-in the chain; this will typically disconnect the underlying transport.
-The
-.Vt SSL
-.Vt BIO
-is then reset to the initial accept or connect state.
-.Pp
-If the close flag is set when an
-.Vt SSL
-.Vt BIO
-is freed then the internal
-.Vt SSL
-structure is also freed using
-.Xr SSL_free 3 .
-.Pp
-.Fn BIO_set_ssl
-sets the internal
-.Vt SSL
-pointer of
-.Vt BIO
-.Fa b
-to
-.Fa ssl
-using
-the close flag
-.Fa c .
-.Pp
-.Fn BIO_get_ssl
-retrieves the
-.Vt SSL
-pointer of
-.Vt BIO
-.Fa b ;
-it can then be manipulated using the standard SSL library functions.
-.Pp
-.Fn BIO_set_ssl_mode
-sets the
-.Vt SSL
-.Vt BIO
-mode to
-.Fa client .
-If
-.Fa client
-is 1, client mode is set.
-If
-.Fa client
-is 0, server mode is set.
-.Pp
-.Fn BIO_set_ssl_renegotiate_bytes
-sets the renegotiate byte count to
-.Fa num .
-When set, after every
-.Fa num
-bytes of I/O (read and write) the SSL session is automatically renegotiated.
-.Fa num
-must be at least 512 bytes.
-.Pp
-.Fn BIO_set_ssl_renegotiate_timeout
-sets the renegotiate timeout to
-.Fa seconds .
-When the renegotiate timeout elapses, the session is automatically renegotiated.
-.Pp
-.Fn BIO_get_num_renegotiates
-returns the total number of session renegotiations due to I/O or timeout.
-.Pp
-.Fn BIO_new_ssl
-allocates an
-.Vt SSL
-.Vt BIO
-using
-.Vt SSL_CTX
-.Va ctx
-and using client mode if
-.Fa client
-is nonzero.
-.Pp
-.Fn BIO_new_ssl_connect
-creates a new
-.Vt BIO
-chain consisting of an
-.Vt SSL
-.Vt BIO
-(using
-.Fa ctx )
-followed by a connect BIO.
-.Pp
-.Fn BIO_new_buffer_ssl_connect
-creates a new
-.Vt BIO
-chain consisting of a buffering
-.Vt BIO ,
-an
-.Vt SSL
-.Vt BIO
-(using
-.Fa ctx )
-and a connect
-.Vt BIO .
-.Pp
-.Fn BIO_ssl_copy_session_id
-copies an SSL session id between
-.Vt BIO
-chains
-.Fa from
-and
-.Fa to .
-It does this by locating the
-.Vt SSL
-.Vt BIO Ns s
-in each chain and calling
-.Xr SSL_copy_session_id 3
-on the internal
-.Vt SSL
-pointer.
-.Pp
-.Fn BIO_ssl_shutdown
-closes down an SSL connection on
-.Vt BIO
-chain
-.Fa bio .
-It does this by locating the
-.Vt SSL
-.Vt BIO
-in the
-chain and calling
-.Xr SSL_shutdown 3
-on its internal
-.Vt SSL
-pointer.
-.Pp
-.Fn BIO_do_handshake
-attempts to complete an SSL handshake on the supplied
-.Vt BIO
-and establish the SSL connection.
-It returns 1 if the connection was established successfully.
-A zero or negative value is returned if the connection could not be
-established; the call
-.Xr BIO_should_retry 3
-should be used for non blocking connect
-.Vt BIO Ns s
-to determine if the call should be retried.
-If an SSL connection has already been established, this call has no effect.
-.Pp
-When a chain containing an SSL BIO is copied with
-.Xr BIO_dup_chain 3 ,
-.Xr SSL_dup 3
-is called internally to copy the
-.Vt SSL
-object from the existing BIO object to the new BIO object,
-and the internal data related to
-.Fn BIO_set_ssl_renegotiate_bytes
-and
-.Fn BIO_set_ssl_renegotiate_timeout
-is also copied.
-.Pp
-.Vt SSL
-.Vt BIO Ns s
-are exceptional in that if the underlying transport is non-blocking they can
-still request a retry in exceptional circumstances.
-Specifically this will happen if a session renegotiation takes place during a
-.Xr BIO_read 3
-operation.
-One case where this happens is when step up occurs.
-.Pp
-In OpenSSL 0.9.6 and later the SSL flag
-.Dv SSL_AUTO_RETRY
-can be set to disable this behaviour.
-In other words, when this flag is set an
-.Vt SSL
-.Vt BIO
-using a blocking transport will never request a retry.
-.Pp
-Since unknown
-.Xr BIO_ctrl 3
-operations are sent through filter
-.Vt BIO Ns s ,
-the server name and port can be set using
-.Xr BIO_set_conn_hostname 3
-and
-.Xr BIO_set_conn_port 3
-on the
-.Vt BIO
-returned by
-.Fn BIO_new_ssl_connect
-without having to locate the connect
-.Vt BIO
-first.
-.Pp
-Applications do not have to call
-.Fn BIO_do_handshake
-but may wish to do so to separate the handshake process from other I/O
-processing.
-.Pp
-.Fn BIO_set_ssl ,
-.Fn BIO_get_ssl ,
-.Fn BIO_set_ssl_mode ,
-.Fn BIO_set_ssl_renegotiate_bytes ,
-.Fn BIO_set_ssl_renegotiate_timeout ,
-.Fn BIO_get_num_renegotiates ,
-and
-.Fn BIO_do_handshake
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn BIO_f_ssl
-returns a pointer to a static
-.Vt BIO_METHOD
-structure.
-.Pp
-When called on an SSL BIO object,
-.Xr BIO_method_type 3
-returns the constant
-.Dv BIO_TYPE_SSL
-and
-.Xr BIO_method_name 3
-returns a pointer to the static string
-.Qq ssl .
-.Pp
-.Fn BIO_set_ssl ,
-.Fn BIO_get_ssl ,
-.Fn BIO_set_ssl_mode ,
-.Fn BIO_set_ssl_renegotiate_bytes ,
-.Fn BIO_set_ssl_renegotiate_timeout ,
-and
-.Fn BIO_get_num_renegotiates
-return 1 on success or a value less than or equal to 0
-if an error occurred.
-.Pp
-.Fn BIO_new_ssl ,
-.Fn BIO_new_ssl_connect ,
-and
-.Fn BIO_new_buffer_ssl_connect
-returns a pointer to a newly allocated
-.Vt BIO
-chain or
-.Dv NULL
-if an error occurred.
-.Pp
-.Fn BIO_ssl_copy_session_id
-returns 1 on success or 0 on error.
-.Pp
-.Fn BIO_do_handshake
-returns 1 if the connection was established successfully
-or a value less than or equal to 0 otherwise.
-.Sh EXAMPLES
-This SSL/TLS client example attempts to retrieve a page from an SSL/TLS web
-server.
-The I/O routines are identical to those of the unencrypted example in
-.Xr BIO_s_connect 3 .
-.Bd -literal
-BIO *sbio, *out;
-int len;
-char tmpbuf[1024];
-SSL_CTX *ctx;
-SSL *ssl;
-
-ERR_load_crypto_strings();
-ERR_load_SSL_strings();
-OpenSSL_add_all_algorithms();
-
-/*
- * We would seed the PRNG here if the platform didn't do it automatically
- */
-
-ctx = SSL_CTX_new(SSLv23_client_method());
-
-/*
- * We'd normally set some stuff like the verify paths and mode here because
- * as things stand this will connect to any server whose certificate is
- * signed by any CA.
- */
-
-sbio = BIO_new_ssl_connect(ctx);
-
-BIO_get_ssl(sbio, &ssl);
-
-if (!ssl) {
- fprintf(stderr, "Can't locate SSL pointer\en");
- /* whatever ... */
-}
-
-/* Don't want any retries */
-SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
-
-/* We might want to do other things with ssl here */
-
-BIO_set_conn_hostname(sbio, "localhost:https");
-
-out = BIO_new_fp(stdout, BIO_NOCLOSE);
-if (BIO_do_connect(sbio) <= 0) {
- fprintf(stderr, "Error connecting to server\en");
- ERR_print_errors_fp(stderr);
- /* whatever ... */
-}
-
-if (BIO_do_handshake(sbio) <= 0) {
- fprintf(stderr, "Error establishing SSL connection\en");
- ERR_print_errors_fp(stderr);
- /* whatever ... */
-}
-
-/* Could examine ssl here to get connection info */
-
-BIO_puts(sbio, "GET / HTTP/1.0\en\en");
-for (;;) {
- len = BIO_read(sbio, tmpbuf, 1024);
- if(len <= 0) break;
- BIO_write(out, tmpbuf, len);
-}
-BIO_free_all(sbio);
-BIO_free(out);
-.Ed
-.Pp
-Here is a simple server example.
-It makes use of a buffering
-.Vt BIO
-to allow lines to be read from the
-.Vt SSL
-.Vt BIO
-using
-.Xr BIO_gets 3 .
-It creates a pseudo web page containing the actual request from a client and
-also echoes the request to standard output.
-.Bd -literal
-BIO *sbio, *bbio, *acpt, *out;
-int len;
-char tmpbuf[1024];
-SSL_CTX *ctx;
-SSL *ssl;
-
-ERR_load_crypto_strings();
-ERR_load_SSL_strings();
-OpenSSL_add_all_algorithms();
-
-/* Might seed PRNG here */
-
-ctx = SSL_CTX_new(SSLv23_server_method());
-
-if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM)
- || !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM)
- || !SSL_CTX_check_private_key(ctx)) {
- fprintf(stderr, "Error setting up SSL_CTX\en");
- ERR_print_errors_fp(stderr);
- return 0;
-}
-
-/*
- * Might do other things here like setting verify locations and DH and/or
- * RSA temporary key callbacks
- */
-
-/* New SSL BIO setup as server */
-sbio = BIO_new_ssl(ctx,0);
-
-BIO_get_ssl(sbio, &ssl);
-
-if (!ssl) {
- fprintf(stderr, "Can't locate SSL pointer\en");
- /* whatever ... */
-}
-
-/* Don't want any retries */
-SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
-
-/* Create the buffering BIO */
-
-bbio = BIO_new(BIO_f_buffer());
-
-/* Add to chain */
-sbio = BIO_push(bbio, sbio);
-
-acpt = BIO_new_accept("4433");
-
-/*
- * By doing this when a new connection is established we automatically
- * have sbio inserted into it. The BIO chain is now 'swallowed' by the
- * accept BIO and will be freed when the accept BIO is freed.
- */
-
-BIO_set_accept_bios(acpt,sbio);
-
-out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
-/* Wait for incoming connection */
-if (BIO_do_accept(acpt) <= 0) {
- fprintf(stderr, "Error setting up accept BIO\en");
- ERR_print_errors_fp(stderr);
- return 0;
-}
-
-/* We only want one connection so remove and free accept BIO */
-
-sbio = BIO_pop(acpt);
-
-BIO_free_all(acpt);
-
-if (BIO_do_handshake(sbio) <= 0) {
- fprintf(stderr, "Error in SSL handshake\en");
- ERR_print_errors_fp(stderr);
- return 0;
-}
-
-BIO_puts(sbio, "HTTP/1.0 200 OK\er\enContent-type: text/plain\er\en\er\en");
-BIO_puts(sbio, "\er\enConnection Established\er\enRequest headers:\er\en");
-BIO_puts(sbio, "--------------------------------------------------\er\en");
-
-for (;;) {
- len = BIO_gets(sbio, tmpbuf, 1024);
- if (len <= 0)
- break;
- BIO_write(sbio, tmpbuf, len);
- BIO_write(out, tmpbuf, len);
- /* Look for blank line signifying end of headers */
- if ((tmpbuf[0] == '\er') || (tmpbuf[0] == '\en'))
- break;
-}
-
-BIO_puts(sbio, "--------------------------------------------------\er\en");
-BIO_puts(sbio, "\er\en");
-
-/* Since there is a buffering BIO present we had better flush it */
-BIO_flush(sbio);
-
-BIO_free_all(sbio);
-.Ed
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3
-.Sh HISTORY
-.Fn BIO_f_ssl ,
-.Fn BIO_set_ssl ,
-and
-.Fn BIO_get_ssl
-first appeared in SSLeay 0.6.0.
-.Fn BIO_set_ssl_mode ,
-.Fn BIO_new_ssl ,
-and
-.Fn BIO_ssl_copy_session_id
-first appeared in SSLeay 0.8.0.
-.Fn BIO_ssl_shutdown
-and
-.Fn BIO_do_handshake
-first appeared in SSLeay 0.8.1.
-.Fn BIO_set_ssl_renegotiate_bytes ,
-.Fn BIO_get_num_renegotiates ,
-.Fn BIO_set_ssl_renegotiate_timeout ,
-.Fn BIO_new_ssl_connect ,
-and
-.Fn BIO_new_buffer_ssl_connect
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-In OpenSSL versions before 1.0.0 the
-.Xr BIO_pop 3
-call was handled incorrectly:
-the I/O BIO reference count was incorrectly incremented (instead of
-decremented) and dissociated with the
-.Vt SSL
-.Vt BIO
-even if the
-.Vt SSL
-.Vt BIO
-was not
-explicitly being popped (e.g., a pop higher up the chain).
-Applications which included workarounds for this bug (e.g., freeing BIOs more
-than once) should be modified to handle this fix or they may free up an already
-freed
-.Vt BIO .
diff --git a/src/lib/libssl/man/DTLSv1_listen.3 b/src/lib/libssl/man/DTLSv1_listen.3
deleted file mode 100644
index 047ec0a7ff..0000000000
--- a/src/lib/libssl/man/DTLSv1_listen.3
+++ /dev/null
@@ -1,187 +0,0 @@ -.\" $OpenBSD: DTLSv1_listen.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL 7795475f Dec 18 13:18:31 2015 -0500 -.\" -.\" This file was written by Matt Caswell . -.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 27 2018 $ -.Dt DTLSV1_LISTEN 3 -.Os -.Sh NAME -.Nm DTLSv1_listen -.Nd listen for incoming DTLS connections -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo DTLSv1_listen -.Fa "SSL *ssl" -.Fa "struct sockaddr *peer" -.Fc -.Sh DESCRIPTION -.Fn DTLSv1_listen -listens for new incoming DTLS connections. -If a ClientHello is received that does not contain a cookie, then -.Fn DTLSv1_listen -responds with a HelloVerifyRequest. -If a ClientHello is received with a cookie that is verified, then -control is returned to user code to enable the handshake to be -completed (for example by using -.Xr SSL_accept 3 ) . -.Pp -.Fn DTLSv1_listen -is currently implemented as a macro. -.Pp -Datagram based protocols can be susceptible to Denial of Service -attacks. -A DTLS attacker could, for example, submit a series of handshake -initiation requests that cause the server to allocate state (and -possibly perform cryptographic operations) thus consuming server -resources. -The attacker could also (with UDP) quite simply forge the source IP -address in such an attack. -.Pp -As a counter measure to that DTLS includes a stateless cookie mechanism. -The idea is that when a client attempts to connect to a server it sends -a ClientHello message. -The server responds with a HelloVerifyRequest which contains a unique -cookie. 
-The client then resends the ClientHello, but this time includes the -cookie in the message thus proving that the client is capable of -receiving messages sent to that address. -All of this can be done by the server without allocating any state, and -thus without consuming expensive resources. -.Pp -OpenSSL implements this capability via the -.Fn DTLSv1_listen -function. -The -.Fa ssl -parameter should be a newly allocated -.Vt SSL -object with its read and write BIOs set, in the same way as might -be done for a call to -.Xr SSL_accept 3 . -Typically the read BIO will be in an "unconnected" state and thus -capable of receiving messages from any peer. -.Pp -When a ClientHello is received that contains a cookie that has been -verified, then -.Fn DTLSv1_listen -will return with the -.Fa ssl -parameter updated into a state where the handshake can be continued by a -call to (for example) -.Xr SSL_accept 3 . -Additionally the -.Vt struct sockaddr -pointed to by -.Fa peer -will be filled in with details of the peer that sent the ClientHello. -It is the calling code's responsibility to ensure that the -.Fa peer -location is sufficiently large to accommodate the addressing scheme in use. -For example this might be done by allocating space for a -.Vt struct sockaddr_storage -and casting the pointer to it to a -.Vt struct sockaddr * -for the call to -.Fn DTLSv1_listen . -Typically user code is expected to "connect" the underlying socket -to the peer and continue the handshake in a connected state. -.Pp -Prior to calling -.Fn DTLSv1_listen -user code must ensure that cookie generation and verification callbacks -have been set up using -.Fn SSL_CTX_set_cookie_generate_cb -and -.Fn SSL_CTX_set_cookie_verify_cb -respectively. -.Pp -Since -.Fn DTLSv1_listen -operates entirely statelessly whilst processing incoming ClientHellos, -it is unable to process fragmented messages (since this would require -the allocation of state). 
-An implication of this is that -.Fn DTLSv1_listen -only supports ClientHellos that fit inside a single datagram. -.Sh RETURN VALUES -From OpenSSL 1.1.0 a return value of >= 1 indicates success. -In this instance the -.Fa peer -value will be filled in and the -.Fa ssl -object set up ready to continue the handshake. -.Pp -A return value of 0 indicates a non-fatal error. -This could (for example) be because of non-blocking IO, or some invalid -message having been received from a peer. -Errors may be placed on the OpenSSL error queue with further information -if appropriate. -Typically user code is expected to retry the call to -.Fn DTLSv1_listen -in the event of a non-fatal error. -Any old errors on the error queue will be cleared in the subsequent -call. -.Pp -A return value of <0 indicates a fatal error. -This could (for example) be because of a failure to allocate sufficient -memory for the operation. -.Pp -Prior to OpenSSL 1.1.0 fatal and non-fatal errors both produce return -codes <= 0 (in typical implementations user code treats all errors as -non-fatal), whilst return codes >0 indicate success. -.Sh SEE ALSO -.Xr BIO_new 3 , -.Xr ssl 3 , -.Xr SSL_accept 3 , -.Xr SSL_get_error 3 -.Sh HISTORY -.Fn DTLSv1_listen -first appeared in OpenSSL 0.9.8m and has been available since -.Ox 4.9 . diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile deleted file mode 100644 index c8f6e28541..0000000000 --- a/src/lib/libssl/man/Makefile +++ /dev/null 
@@ -1,134 +0,0 @@ -# $OpenBSD: Makefile,v 1.77 2022/07/13 20:52:36 schwarze Exp $ - -.include - -MAN = BIO_f_ssl.3 \ - DTLSv1_listen.3 \ - OPENSSL_init_ssl.3 \ - PEM_read_SSL_SESSION.3 \ - SSL_CIPHER_get_name.3 \ - SSL_COMP_add_compression_method.3 \ - SSL_CTX_add1_chain_cert.3 \ - SSL_CTX_add_extra_chain_cert.3 \ - SSL_CTX_add_session.3 \ - SSL_CTX_ctrl.3 \ - SSL_CTX_flush_sessions.3 \ - SSL_CTX_free.3 \ - SSL_CTX_get0_certificate.3 \ - SSL_CTX_get_ex_new_index.3 \ - SSL_CTX_get_verify_mode.3 \ - SSL_CTX_load_verify_locations.3 \ - SSL_CTX_new.3 \ - SSL_CTX_sess_number.3 \ - SSL_CTX_sess_set_cache_size.3 \ - SSL_CTX_sess_set_get_cb.3 \ - SSL_CTX_sessions.3 \ - SSL_CTX_set1_groups.3 \ - SSL_CTX_set_alpn_select_cb.3 \ - SSL_CTX_set_cert_store.3 \ - SSL_CTX_set_cert_verify_callback.3 \ - SSL_CTX_set_cipher_list.3 \ - SSL_CTX_set_client_CA_list.3 \ - SSL_CTX_set_client_cert_cb.3 \ - SSL_CTX_set_default_passwd_cb.3 \ - SSL_CTX_set_generate_session_id.3 \ - SSL_CTX_set_info_callback.3 \ - SSL_CTX_set_keylog_callback.3 \ - SSL_CTX_set_max_cert_list.3 \ - SSL_CTX_set_min_proto_version.3 \ - SSL_CTX_set_mode.3 \ - SSL_CTX_set_msg_callback.3 \ - SSL_CTX_set_options.3 \ - SSL_CTX_set_quiet_shutdown.3 \ - SSL_CTX_set_read_ahead.3 \ - SSL_CTX_set_security_level.3 \ - SSL_CTX_set_session_cache_mode.3 \ - SSL_CTX_set_session_id_context.3 \ - SSL_CTX_set_ssl_version.3 \ - SSL_CTX_set_timeout.3 \ - SSL_CTX_set_tlsext_servername_callback.3 \ - SSL_CTX_set_tlsext_status_cb.3 \ - SSL_CTX_set_tlsext_ticket_key_cb.3 \ - SSL_CTX_set_tlsext_use_srtp.3 \ - SSL_CTX_set_tmp_dh_callback.3 \ - SSL_CTX_set_tmp_rsa_callback.3 \ - SSL_CTX_set_verify.3 \ - SSL_CTX_use_certificate.3 \ - SSL_SESSION_free.3 \ - SSL_SESSION_get0_cipher.3 \ - SSL_SESSION_get0_peer.3 \ - SSL_SESSION_get_compress_id.3 \ - SSL_SESSION_get_ex_new_index.3 \ - SSL_SESSION_get_id.3 \ - SSL_SESSION_get_protocol_version.3 \ - SSL_SESSION_get_time.3 \ - SSL_SESSION_has_ticket.3 \ - SSL_SESSION_is_resumable.3 \ - 
SSL_SESSION_new.3 \ - SSL_SESSION_print.3 \ - SSL_SESSION_set1_id_context.3 \ - SSL_accept.3 \ - SSL_alert_type_string.3 \ - SSL_clear.3 \ - SSL_connect.3 \ - SSL_copy_session_id.3 \ - SSL_do_handshake.3 \ - SSL_dup.3 \ - SSL_dup_CA_list.3 \ - SSL_export_keying_material.3 \ - SSL_free.3 \ - SSL_get_SSL_CTX.3 \ - SSL_get_certificate.3 \ - SSL_get_ciphers.3 \ - SSL_get_client_CA_list.3 \ - SSL_get_client_random.3 \ - SSL_get_current_cipher.3 \ - SSL_get_default_timeout.3 \ - SSL_get_error.3 \ - SSL_get_ex_data_X509_STORE_CTX_idx.3 \ - SSL_get_ex_new_index.3 \ - SSL_get_fd.3 \ - SSL_get_finished.3 \ - SSL_get_peer_cert_chain.3 \ - SSL_get_peer_certificate.3 \ - SSL_get_rbio.3 \ - SSL_get_server_tmp_key.3 \ - SSL_get_session.3 \ - SSL_get_shared_ciphers.3 \ - SSL_get_state.3 \ - SSL_get_verify_result.3 \ - SSL_get_version.3 \ - SSL_library_init.3 \ - SSL_load_client_CA_file.3 \ - SSL_new.3 \ - SSL_num_renegotiations.3 \ - SSL_pending.3 \ - SSL_read.3 \ - SSL_read_early_data.3 \ - SSL_renegotiate.3 \ - SSL_rstate_string.3 \ - SSL_session_reused.3 \ - SSL_set1_host.3 \ - SSL_set1_param.3 \ - SSL_set_SSL_CTX.3 \ - SSL_set_bio.3 \ - SSL_set_connect_state.3 \ - SSL_set_fd.3 \ - SSL_set_max_send_fragment.3 \ - SSL_set_psk_use_session_callback.3 \ - SSL_set_session.3 \ - SSL_set_shutdown.3 \ - SSL_set_tmp_ecdh.3 \ - SSL_set_verify_result.3 \ - SSL_shutdown.3 \ - SSL_state_string.3 \ - SSL_want.3 \ - SSL_write.3 \ - d2i_SSL_SESSION.3 \ - ssl.3 - -all clean cleandir depend includes obj tags: - -install: maninstall - -.include diff --git a/src/lib/libssl/man/OPENSSL_init_ssl.3 b/src/lib/libssl/man/OPENSSL_init_ssl.3 deleted file mode 100644 index f37dccfaac..0000000000 --- a/src/lib/libssl/man/OPENSSL_init_ssl.3 +++ /dev/null 
@@ -1,76 +0,0 @@ -.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.4 2019/06/14 13:41:31 schwarze Exp $ -.\" Copyright (c) 2018 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: June 14 2019 $ -.Dt OPENSSL_INIT_SSL 3 -.Os -.Sh NAME -.Nm OPENSSL_init_ssl -.Nd initialise the crypto and ssl libraries -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo OPENSSL_init_ssl -.Fa "uint64_t options" -.Fa "const void *dummy" -.Fc -.Sh DESCRIPTION -This function is deprecated. -It is never useful for any application program to call it explicitly. -The library automatically calls it internally with an -.Fa options -argument of 0 whenever needed. -It is safest to assume that any function may do so. -.Pp -To enable or disable the standard configuration file, instead use -.Xr OPENSSL_config 3 -or -.Xr OPENSSL_no_config 3 , -respectively. -To load a non-standard configuration file, refer to -.Xr CONF_modules_load_file 3 . -.Pp -.Fn OPENSSL_init_ssl -calls -.Xr OPENSSL_init_crypto 3 , -.Xr SSL_load_error_strings 3 , -and -.Xr SSL_library_init 3 . -.Pp -The -.Fa options -argument is passed on to -.Xr OPENSSL_init_crypto 3 -and the -.Fa dummy -argument is ignored. -.Pp -If this function is called more than once, -none of the calls except the first one have any effect. 
-.Sh RETURN VALUES -.Fn OPENSSL_init_ssl -is intended to return 1 on success or 0 on error. -.Sh SEE ALSO -.Xr CONF_modules_load_file 3 , -.Xr OPENSSL_config 3 , -.Xr ssl 3 -.Sh HISTORY -.Fn OPENSSL_init_ssl -first appeared in OpenSSL 1.1.0 and has been available since -.Ox 6.3 . -.Sh BUGS -.Fn OPENSSL_init_ssl -silently ignores even more configuration failures than -.Xr OPENSSL_init_crypto 3 . diff --git a/src/lib/libssl/man/PEM_read_SSL_SESSION.3 b/src/lib/libssl/man/PEM_read_SSL_SESSION.3 deleted file mode 100644 index 3eb1414c62..0000000000 --- a/src/lib/libssl/man/PEM_read_SSL_SESSION.3 +++ /dev/null 
@@ -1,147 +0,0 @@ -.\" $OpenBSD: PEM_read_SSL_SESSION.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $ -.\" OpenSSL doc/man3/PEM_read_CMS.pod b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Rich Salz . -.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt PEM_READ_SSL_SESSION 3 -.Os -.Sh NAME -.Nm PEM_read_SSL_SESSION , -.Nm PEM_read_bio_SSL_SESSION , -.Nm PEM_write_SSL_SESSION , -.Nm PEM_write_bio_SSL_SESSION -.Nd encode and decode SSL session objects in PEM format -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft SSL_SESSION * -.Fo PEM_read_SSL_SESSION -.Fa "FILE *fp" -.Fa "SSL_SESSION **a" -.Fa "pem_password_cb *cb" -.Fa "void *u" -.Fc -.Ft SSL_SESSION * -.Fo PEM_read_bio_SSL_SESSION -.Fa "BIO *bp" -.Fa "SSL_SESSION **a" -.Fa "pem_password_cb *cb" -.Fa "void *u" -.Fc -.Ft int -.Fo PEM_write_SSL_SESSION -.Fa "FILE *fp" -.Fa "const SSL_SESSION *a" -.Fc -.Ft int -.Fo PEM_write_bio_SSL_SESSION -.Fa "BIO *bp" -.Fa "const SSL_SESSION *a" -.Fc -.Sh DESCRIPTION -These routines convert between local instances of ASN.1 -.Vt SSL_SESSION -objects and the PEM encoding. -.Pp -.Fn PEM_read_SSL_SESSION -reads a PEM-encoded -.Vt SSL_SESSION -object from the file -.Fa fp -and returns it. 
-The -.Fa cb -and -.Fa u -parameters are as described in -.Xr PEM_read_bio_PrivateKey 3 . -.Pp -.Fn PEM_read_bio_SSL_SESSION -is similar to -.Fn PEM_read_SSL_SESSION -but reads from the BIO -.Fa bp . -.Pp -.Fn PEM_write_SSL_SESSION -writes the PEM encoding of the object -.Fa a -to the file -.Fa fp . -.Pp -.Fn PEM_write_bio_SSL_SESSION -similarly writes to the BIO -.Fa bp . -.Sh RETURN VALUES -.Fn PEM_read_SSL_SESSION -and -.Fn PEM_read_bio_SSL_SESSION -return a pointer to an allocated object, which should be released by -calling -.Xr SSL_SESSION_free 3 , -or -.Dv NULL -on error. -.Pp -.Fn PEM_write_SSL_SESSION -and -.Fn PEM_write_bio_SSL_SESSION -return the number of bytes written or 0 on error. -.Sh SEE ALSO -.Xr PEM_read 3 , -.Xr ssl 3 -.Sh HISTORY -.Fn PEM_read_SSL_SESSION -and -.Fn PEM_write_SSL_SESSION -first appeared in SSLeay 0.5.2. -.Fn PEM_read_bio_SSL_SESSION -and -.Fn PEM_write_bio_SSL_SESSION -first appeared in SSLeay 0.6.0. -These functions have been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_CIPHER_get_name.3 b/src/lib/libssl/man/SSL_CIPHER_get_name.3 deleted file mode 100644 index 235ff1408e..0000000000 --- a/src/lib/libssl/man/SSL_CIPHER_get_name.3 +++ /dev/null 
@@ -1,378 +0,0 @@ -.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.14 2022/07/17 08:51:07 jsg Exp $ -.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800 -.\" -.\" This file was written by Lutz Jaenicke , -.\" Dr. Stephen Henson , Todd Short , -.\" and Paul Yang . -.\" Copyright (c) 2000, 2005, 2009, 2013, 2014, 2015, 2016, 2017 -.\" The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. 
-.\" -.Dd $Mdocdate: July 17 2022 $ -.Dt SSL_CIPHER_GET_NAME 3 -.Os -.Sh NAME -.Nm SSL_CIPHER_get_name , -.Nm SSL_CIPHER_get_bits , -.Nm SSL_CIPHER_get_version , -.Nm SSL_CIPHER_get_cipher_nid , -.Nm SSL_CIPHER_get_digest_nid , -.Nm SSL_CIPHER_get_kx_nid , -.Nm SSL_CIPHER_get_auth_nid , -.Nm SSL_CIPHER_is_aead , -.Nm SSL_CIPHER_find , -.Nm SSL_CIPHER_get_id , -.Nm SSL_CIPHER_description -.Nd get SSL_CIPHER properties -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft const char * -.Fn SSL_CIPHER_get_name "const SSL_CIPHER *cipher" -.Ft int -.Fn SSL_CIPHER_get_bits "const SSL_CIPHER *cipher" "int *alg_bits" -.Ft const char * -.Fn SSL_CIPHER_get_version "const SSL_CIPHER *cipher" -.Ft int -.Fn SSL_CIPHER_get_cipher_nid "const SSL_CIPHER *cipher" -.Ft int -.Fn SSL_CIPHER_get_digest_nid "const SSL_CIPHER *cipher" -.Ft int -.Fn SSL_CIPHER_get_kx_nid "const SSL_CIPHER *cipher" -.Ft int -.Fn SSL_CIPHER_get_auth_nid "const SSL_CIPHER *cipher" -.Ft int -.Fn SSL_CIPHER_is_aead "const SSL_CIPHER *cipher" -.Ft const SSL_CIPHER * -.Fn SSL_CIPHER_find "SSL *ssl" "const unsigned char *ptr" -.Ft unsigned long -.Fn SSL_CIPHER_get_id "const SSL_CIPHER *cipher" -.Ft char * -.Fn SSL_CIPHER_description "const SSL_CIPHER *cipher" "char *buf" "int size" -.Sh DESCRIPTION -.Fn SSL_CIPHER_get_name -returns a pointer to the name of -.Fa cipher . -.Pp -.Fn SSL_CIPHER_get_bits -returns the number of secret bits used for -.Fa cipher . -If -.Fa alg_bits -is not -.Dv NULL , -the number of bits processed by the chosen algorithm is stored into it. -.Pp -.Fn SSL_CIPHER_get_version -returns a string which indicates the SSL/TLS protocol version that first -defined the cipher. -This is currently -.Qq TLSv1/SSLv3 . -In some cases it should possibly return -.Qq TLSv1.2 -but the function does not; use -.Fn SSL_CIPHER_description -instead. -.Pp -.Fn SSL_CIPHER_get_cipher_nid -returns the cipher NID corresponding to the -.Fa cipher . -If there is no cipher (e.g. 
for cipher suites with no encryption), then -.Dv NID_undef -is returned. -.Pp -.Fn SSL_CIPHER_get_digest_nid -returns the digest NID corresponding to the MAC used by the -.Fa cipher -during record encryption/decryption. -If there is no digest (e.g. for AEAD cipher suites), then -.Dv NID_undef -is returned. -.Pp -.Fn SSL_CIPHER_get_kx_nid -returns the key exchange NID corresponding to the method used by the -.Fa cipher . -If there is no key exchange, then -.Dv NID_undef -is returned. -Examples of possible return values include -.Dv NID_kx_rsa , -.Dv NID_kx_dhe , -and -.Dv NID_kx_ecdhe . -.Pp -.Fn SSL_CIPHER_get_auth_nid -returns the authentication NID corresponding to the method used by the -.Fa cipher . -If there is no authentication, -.Dv NID_undef -is returned. -Examples of possible return values include -.Dv NID_auth_rsa -and -.Dv NID_auth_ecdsa . -.Pp -.Fn SSL_CIPHER_is_aead -returns 1 if the -.Fa cipher -is AEAD (e.g. GCM or ChaCha20/Poly1305), or 0 if it is not AEAD. -.Pp -.Fn SSL_CIPHER_find -returns a pointer to a -.Vt SSL_CIPHER -structure which has the cipher ID specified in -.Fa ptr . -The -.Fa ptr -parameter is an array of length two which stores the two-byte -TLS cipher ID (as allocated by IANA) in network byte order. -.Fa SSL_CIPHER_find -returns -.Dv NULL -if an error occurs or the indicated cipher is not found. -.Pp -.Fn SSL_CIPHER_get_id -returns the ID of the given -.Fa cipher , -which must not be -.Dv NULL . -The ID here is an OpenSSL-specific concept, which stores a prefix -of 0x0300 in the higher two bytes and the IANA-specified cipher -suite ID in the lower two bytes. -For instance, TLS_RSA_WITH_NULL_MD5 has IANA ID "0x00, 0x01", so -.Fn SSL_CIPHER_get_id -returns 0x03000001. -.Pp -.Fn SSL_CIPHER_description -copies a textual description of -.Fa cipher -into the buffer -.Fa buf , -which must be at least -.Fa size -bytes long. -The -.Fa cipher -argument must not be a -.Dv NULL -pointer. 
-If -.Fa buf -is -.Dv NULL , -a buffer is allocated using -.Xr asprintf 3 ; -that buffer should be freed using the -.Xr free 3 -function. -If -.Fa len -is too small to hold the description, a pointer to the static string -.Qq Buffer too small -is returned. -If memory allocation fails, which can happen even if a -.Fa buf -of sufficient size is provided, a pointer to the static string -.Qq OPENSSL_malloc Error -is returned and the content of -.Fa buf -remains unchanged. -.Pp -The string returned by -.Fn SSL_CIPHER_description -consists of several fields separated by whitespace: -.Bl -tag -width Ds -.It Aq Ar ciphername -Textual representation of the cipher name. -.It Aq Ar protocol version -Protocol version: -.Sy SSLv3 , -.Sy TLSv1.2 , -or -.Sy TLSv1.3 . -The TLSv1.0 ciphers are flagged with SSLv3. -No new ciphers were added by TLSv1.1. -.It Kx= Ns Aq Ar key exchange -Key exchange method: -.Sy DH , -.Sy ECDH , -.Sy GOST , -.Sy RSA , -or -.Sy TLSv1.3 . -.It Au= Ns Aq Ar authentication -Authentication method: -.Sy ECDSA , -.Sy GOST01 , -.Sy RSA , -.Sy TLSv1.3 , -or -.Sy None . -.Sy None -is the representation of anonymous ciphers. -.It Enc= Ns Aq Ar symmetric encryption method -Encryption method with number of secret bits: -.Sy 3DES(168) , -.Sy RC4(128) , -.Sy AES(128) , -.Sy AES(256) , -.Sy AESGCM(128) , -.Sy AESGCM(256) , -.Sy Camellia(128) , -.Sy Camellia(256) , -.Sy ChaCha20-Poly1305 , -.Sy GOST-28178-89-CNT , -or -.Sy None . -.It Mac= Ns Aq Ar message authentication code -Message digest: -.Sy MD5 , -.Sy SHA1 , -.Sy SHA256 , -.Sy SHA384 , -.Sy AEAD , -.Sy GOST94 , -.Sy GOST89IMIT , -or -.Sy STREEBOG256 . -.El -.Sh RETURN VALUES -.Fn SSL_CIPHER_get_name -returns an internal pointer to a NUL-terminated string. -.Fn SSL_CIPHER_get_version -returns a pointer to a static NUL-terminated string. -If -.Fa cipher -is a -.Dv NULL -pointer, both functions return a pointer to the static string -.Qq Pq NONE . 
-.Pp -.Fn SSL_CIPHER_get_bits -returns a positive integer representing the number of secret bits -or 0 if -.Fa cipher -is a -.Dv NULL -pointer. -.Pp -.Fn SSL_CIPHER_get_cipher_nid , -.Fn SSL_CIPHER_get_digest_nid , -.Fn SSL_CIPHER_get_kx_nid , -and -.Fn SSL_CIPHER_get_auth_nid -return an NID constant or -.Dv NID_undef -if an error occurred. -.Pp -.Fn SSL_CIPHER_is_aead -returns 1 if the -.Fa cipher -is AEAD or 0 otherwise. -.Pp -.Fn SSL_CIPHER_find -returns a pointer to a valid -.Vt SSL_CIPHER -structure or -.Dv NULL -if an error occurred. -.Pp -.Fn SSL_CIPHER_get_id -returns a 32-bit unsigned integer. -.Pp -.Fn SSL_CIPHER_description -returns -.Fa buf -or a newly allocated string on success or a pointer to a static -string on error. -.Sh EXAMPLES -An example for the output of -.Fn SSL_CIPHER_description : -.Bd -literal -ECDHE-RSA-AES256-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD -.Ed -.Pp -A complete list can be retrieved by invoking the following command: -.Pp -.Dl $ openssl ciphers -v ALL:COMPLEMENTOFALL -.Sh SEE ALSO -.Xr openssl 1 , -.Xr ssl 3 , -.Xr SSL_get_ciphers 3 , -.Xr SSL_get_current_cipher 3 -.Sh HISTORY -.Fn SSL_CIPHER_description -first appeared in SSLeay 0.8.0. -.Fn SSL_CIPHER_get_name , -.Fn SSL_CIPHER_get_bits , -and -.Fn SSL_CIPHER_get_version -first appeared in SSLeay 0.8.1. -These functions have been available since -.Ox 2.4 . -.Pp -.Fn SSL_CIPHER_get_id -first appeared in OpenSSL 1.0.1 and has been available since -.Ox 5.3 . -.Pp -.Fn SSL_CIPHER_get_cipher_nid , -.Fn SSL_CIPHER_get_digest_nid , -.Fn SSL_CIPHER_get_kx_nid , -.Fn SSL_CIPHER_get_auth_nid , -and -.Fn SSL_CIPHER_is_aead -first appeared in OpenSSL 1.1.0 and have been available since -.Ox 6.3 . -.Fn SSL_CIPHER_find -first appeared in OpenSSL 1.1.0 and has been available since -.Ox 7.0 . -.Sh BUGS -If -.Fn SSL_CIPHER_description -cannot handle a built-in cipher, -the according description of the cipher property is -.Qq unknown . -This case should not occur. 
diff --git a/src/lib/libssl/man/SSL_COMP_add_compression_method.3 b/src/lib/libssl/man/SSL_COMP_add_compression_method.3 deleted file mode 100644 index 99e3f87edf..0000000000 --- a/src/lib/libssl/man/SSL_COMP_add_compression_method.3 +++ /dev/null 
@@ -1,58 +0,0 @@ -.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_COMP_ADD_COMPRESSION_METHOD 3 -.Os -.Sh NAME -.Nm SSL_COMP_add_compression_method , -.Nm SSL_COMP_get_compression_methods -.Nd handle SSL/TLS integrated compression methods -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fn SSL_COMP_add_compression_method "int id" "COMP_METHOD *cm" -.Ft STACK_OF(SSL_COMP) * -.Fn SSL_COMP_get_compression_methods void -.Sh DESCRIPTION -These functions are deprecated and have no effect. -They are provided purely for compatibility with legacy application code. -.Pp -.Fn SSL_COMP_add_compression_method -used to add the compression method -.Fa cm -with the identifier -.Fa id -to the list of available compression methods. -.Pp -.Fn SSL_COMP_get_compression_methods -used to return a stack of available compression methods. -.Sh RETURN VALUES -.Fn SSL_COMP_add_compression_method -always returns 1. -.Fn SSL_COMP_get_compression_methods -always returns -.Dv NULL . -.Sh SEE ALSO -.Xr ssl 3 -.Sh HISTORY -.Fn SSL_COMP_add_compression_method -first appeared in OpenSSL 0.9.2b and has been available since -.Ox 2.6 . 
-.Pp -.Fn SSL_COMP_get_compression_methods -first appeared in OpenSSL 0.9.8 and has been available since -.Ox 4.5 . diff --git a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 deleted file mode 100644 index 1f60bad142..0000000000 --- a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 +++ /dev/null 
@@ -1,222 +0,0 @@
-.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.1 2019/04/05 18:29:43 schwarze Exp $
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson
-.\" and Rob Stradling .
-.\" Copyright (c) 2013 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 5 2019 $
-.Dt SSL_CTX_ADD1_CHAIN_CERT 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set0_chain ,
-.Nm SSL_CTX_set1_chain ,
-.Nm SSL_CTX_add0_chain_cert ,
-.Nm SSL_CTX_add1_chain_cert ,
-.Nm SSL_CTX_get0_chain_certs ,
-.Nm SSL_CTX_clear_chain_certs ,
-.Nm SSL_set0_chain ,
-.Nm SSL_set1_chain ,
-.Nm SSL_add0_chain_cert ,
-.Nm SSL_add1_chain_cert ,
-.Nm SSL_get0_chain_certs ,
-.Nm SSL_clear_chain_certs
-.Nd extra chain certificate processing
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set0_chain
-.Fa "SSL_CTX *ctx"
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.Ft int
-.Fo SSL_CTX_set1_chain
-.Fa "SSL_CTX *ctx"
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.Ft int
-.Fo SSL_CTX_add0_chain_cert
-.Fa "SSL_CTX *ctx"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo SSL_CTX_add1_chain_cert
-.Fa "SSL_CTX *ctx"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo SSL_CTX_get0_chain_certs
-.Fa "SSL_CTX *ctx"
-.Fa "STACK_OF(X509) **chain"
-.Fc
-.Ft int
-.Fo SSL_CTX_clear_chain_certs
-.Fa "SSL_CTX *ctx"
-.Fc
-.Ft int
-.Fo SSL_set0_chain
-.Fa "SSL *ssl"
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.Ft int
-.Fo SSL_set1_chain
-.Fa "SSL *ssl"
-.Fa "STACK_OF(X509) *chain"
-.Fc
-.Ft int
-.Fo SSL_add0_chain_cert
-.Fa "SSL *ssl"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo SSL_add1_chain_cert
-.Fa "SSL *ssl"
-.Fa "X509 *cert"
-.Fc
-.Ft int
-.Fo SSL_get0_chain_certs
-.Fa "SSL *ssl"
-.Fa "STACK_OF(X509) **chain"
-.Fc
-.Ft int
-.Fo SSL_clear_chain_certs
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set0_chain
-and
-.Fn SSL_CTX_set1_chain
-set the certificate chain associated with the current certificate of
-.Fa ctx
-to
-.Fa chain .
-The
-.Fa chain
-is not supposed to include the current certificate itself.
-.Pp
-.Fn SSL_CTX_add0_chain_cert
-and
-.Fn SSL_CTX_add1_chain_cert
-append the single certificate
-.Fa cert
-to the chain associated with the current certificate of
-.Fa ctx .
-.Pp
-.Fn SSL_CTX_get0_chain_certs
-retrieves the chain associated with the current certificate of
-.Fa ctx .
-.Pp
-.Fn SSL_CTX_clear_chain_certs
-clears the existing chain associated with the current certificate of
-.Fa ctx ,
-if any.
-This is equivalent to calling
-.Fn SSL_CTX_set0_chain
-with
-.Fa chain
-set to
-.Dv NULL .
-.Pp
-Each of these functions operates on the
-.Em current
-end entity (i.e. server or client) certificate.
-This is the last certificate loaded or selected on the corresponding
-.Fa ctx
-structure, for example using
-.Xr SSL_CTX_use_certificate 3 .
-.Pp
-.Fn SSL_set0_chain ,
-.Fn SSL_set1_chain ,
-.Fn SSL_add0_chain_cert ,
-.Fn SSL_add1_chain_cert ,
-.Fn SSL_get0_chain_certs ,
-and
-.Fn SSL_clear_chain_certs
-are similar except that they operate on the
-.Fa ssl
-connection.
-.Pp
-The functions containing a
-.Sy 1
-in their name increment the reference count of the supplied certificate
-or chain, so it must be freed at some point after the operation.
-Those containing a
-.Sy 0
-do not increment reference counts and the supplied certificate or chain
-must not be freed after the operation.
-.Pp
-The chains associated with an
-.Vt SSL_CTX
-structure are copied to the new
-.Vt SSL
-structure when
-.Xr SSL_new 3
-is called.
-Existing
-.Vt SSL
-structures are not affected by any chains subsequently changed
-in the parent
-.Vt SSL_CTX .
-.Pp
-One chain can be set for each key type supported by a server.
-So, for example, an RSA and a DSA certificate can (and often will) have
-different chains.
-.Pp
-If any certificates are added using these functions, no certificates
-added using
-.Xr SSL_CTX_add_extra_chain_cert 3
-will be used.
-.Sh RETURN VALUES
-These functions return 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_use_certificate 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.2
-and have been available since
-.Ox 6.5 .
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
deleted file mode 100644
index 4c731309e4..0000000000
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ /dev/null
@@ -1,160 +0,0 @@
-.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.7 2020/01/02 09:09:16 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke and
-.\" Dr. Stephen Henson .
-.\" Copyright (c) 2000, 2002, 2013, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 2 2020 $
-.Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_add_extra_chain_cert ,
-.Nm SSL_CTX_get_extra_chain_certs_only ,
-.Nm SSL_CTX_get_extra_chain_certs ,
-.Nm SSL_CTX_clear_extra_chain_certs
-.Nd add, retrieve, and clear extra chain certificates
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
-.Ft long
-.Fn SSL_CTX_get_extra_chain_certs_only "SSL_CTX *ctx" "STACK_OF(X509) **certs"
-.Ft long
-.Fn SSL_CTX_get_extra_chain_certs "SSL_CTX *ctx" "STACK_OF(X509) **certs"
-.Ft long
-.Fn SSL_CTX_clear_extra_chain_certs "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_add_extra_chain_cert
-adds the certificate
-.Fa x509
-to the extra chain certificates associated with
-.Fa ctx .
-Several certificates can be added one after another.
-.Pp
-.Fn SSL_CTX_get_extra_chain_certs_only
-retrieves an internal pointer to the stack of extra chain certificates
-associated with
-.Fa ctx ,
-or set
-.Pf * Fa certs
-to
-.Dv NULL
-if there are none.
-.Pp
-.Fn SSL_CTX_get_extra_chain_certs
-does the same except that it retrieves an internal pointer
-to the chain associated with the certificate
-if there are no extra chain certificates.
-.Pp
-.Fn SSL_CTX_clear_extra_chain_certs
-clears all extra chain certificates associated with
-.Fa ctx .
-.Pp
-These functions are implemented as macros.
-.Pp
-When sending a certificate chain, extra chain certificates are sent
-in order following the end entity certificate.
-.Pp
-If no chain is specified, the library will try to complete the chain from the
-available CA certificates in the trusted CA storage, see
-.Xr SSL_CTX_load_verify_locations 3 .
-.Pp
-The x509 certificate provided to
-.Fn SSL_CTX_add_extra_chain_cert
-will be freed by the library when the
-.Vt SSL_CTX
-is destroyed.
-An application should not free the
-.Fa x509
-object, nor the
-.Pf * Fa certs
-object retrieved by
-.Fn SSL_CTX_get_extra_chain_certs .
-.Sh RETURN VALUES
-These functions return 1 on success or 0 for failure.
-Check out the error stack to find out the reason for failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add1_chain_cert 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_client_cert_cb 3 ,
-.Xr SSL_CTX_use_certificate 3
-.Sh HISTORY
-.Fn SSL_CTX_add_extra_chain_cert
-first appeared in SSLeay 0.9.1 and has been available since
-.Ox 2.6 .
-.Pp
-.Fn SSL_CTX_get_extra_chain_certs
-and
-.Fn SSL_CTX_clear_extra_chain_certs
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
-.Pp
-.Fn SSL_CTX_get_extra_chain_certs_only
-first appeared in OpenSSL 1.0.2 and has been available since
-.Ox 6.7 .
-.Sh CAVEATS
-Certificates added with
-.Fn SSL_CTX_add_extra_chain_cert
-are ignored when certificates are also available that have been
-added using the functions documented in
-.Xr SSL_CTX_set1_chain 3 .
-.Pp
-Only one set of extra chain certificates can be specified per
-.Vt SSL_CTX
-structure using
-.Fn SSL_CTX_add_extra_chain_cert .
-Different chains for different certificates (for example if both
-RSA and DSA certificates are specified by the same server) or
-different SSL structures with the same parent
-.Vt SSL_CTX
-require using the functions documented in
-.Xr SSL_CTX_set1_chain 3
-instead.
diff --git a/src/lib/libssl/man/SSL_CTX_add_session.3 b/src/lib/libssl/man/SSL_CTX_add_session.3
deleted file mode 100644
index 443bdb542a..0000000000
--- a/src/lib/libssl/man/SSL_CTX_add_session.3
+++ /dev/null
@@ -1,132 +0,0 @@
-.\" $OpenBSD: SSL_CTX_add_session.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL SSL_CTX_add_session.pod 1722496f Jun 8 15:18:38 2017 -0400
-.\"
-.\" This file was written by Lutz Jaenicke and
-.\" Geoff Thorpe .
-.\" Copyright (c) 2001, 2002, 2014 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_ADD_SESSION 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_add_session ,
-.Nm SSL_CTX_remove_session
-.Nd manipulate session cache
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_add_session "SSL_CTX *ctx" "SSL_SESSION *c"
-.Ft int
-.Fn SSL_CTX_remove_session "SSL_CTX *ctx" "SSL_SESSION *c"
-.Sh DESCRIPTION
-.Fn SSL_CTX_add_session
-adds the session
-.Fa c
-to the context
-.Fa ctx .
-The reference count for session
-.Fa c
-is incremented by 1.
-If a session with the same session id already exists,
-the old session is removed by calling
-.Xr SSL_SESSION_free 3 .
-.Pp
-.Fn SSL_CTX_remove_session
-removes the session
-.Fa c
-from the context
-.Fa ctx
-and marks it as non-resumable.
-.Xr SSL_SESSION_free 3
-is called once for
-.Fa c .
-.Pp
-When adding a new session to the internal session cache, it is examined
-whether a session with the same session id already exists.
-In this case it is assumed that both sessions are identical.
-If the same session is stored in a different
-.Vt SSL_SESSION
-object, the old session is removed and replaced by the new session.
-If the session is actually identical (the
-.Vt SSL_SESSION
-object is identical),
-.Fn SSL_CTX_add_session
-is a no-op, and the return value is 0.
-.Pp
-If a server
-.Vt SSL_CTX
-is configured with the
-.Dv SSL_SESS_CACHE_NO_INTERNAL_STORE
-flag then the internal cache will not be populated automatically by new
-sessions negotiated by the SSL/TLS implementation, even though the internal
-cache will be searched automatically for session-resume requests (the
-latter can be suppressed by
-.Dv SSL_SESS_CACHE_NO_INTERNAL_LOOKUP ) .
-So the application can use
-.Fn SSL_CTX_add_session
-directly to have full control over the sessions that can be resumed if desired.
-.Sh RETURN VALUES
-The following values are returned by all functions:
-.Bl -tag -width Ds
-.It 0
-The operation failed.
-In case of the add operation, it was tried to add the same (identical) session
-twice.
-In case of the remove operation, the session was not found in the cache.
-.It 1
-The operation succeeded.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_SESSION_free 3
-.Sh HISTORY
-.Fn SSL_CTX_add_session
-and
-.Fn SSL_CTX_remove_session
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_ctrl.3 b/src/lib/libssl/man/SSL_CTX_ctrl.3
deleted file mode 100644
index c91ddff374..0000000000
--- a/src/lib/libssl/man/SSL_CTX_ctrl.3
+++ /dev/null
@@ -1,122 +0,0 @@
-.\" $OpenBSD: SSL_CTX_ctrl.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_CTRL 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_ctrl ,
-.Nm SSL_CTX_callback_ctrl ,
-.Nm SSL_ctrl ,
-.Nm SSL_callback_ctrl
-.Nd internal handling functions for SSL_CTX and SSL objects
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_ctrl "SSL_CTX *ctx" "int cmd" "long larg" "void *parg"
-.Ft long
-.Fn SSL_CTX_callback_ctrl "SSL_CTX *" "int cmd" "void (*fp)()"
-.Ft long
-.Fn SSL_ctrl "SSL *ssl" "int cmd" "long larg" "void *parg"
-.Ft long
-.Fn SSL_callback_ctrl "SSL *" "int cmd" "void (*fp)()"
-.Sh DESCRIPTION
-The
-.Fn SSL_*_ctrl
-family of functions is used to manipulate settings of
-the
-.Vt SSL_CTX
-and
-.Vt SSL
-objects.
-Depending on the command
-.Fa cmd
-the arguments
-.Fa larg ,
-.Fa parg ,
-or
-.Fa fp
-are evaluated.
-These functions should never be called directly.
-All functionalities needed are made available via other functions or macros.
-.Sh RETURN VALUES
-The return values of the
-.Fn SSL*_ctrl
-functions depend on the command supplied via the
-.Fn cmd
-parameter.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_sess_number 3 ,
-.Xr SSL_CTX_sess_set_cache_size 3 ,
-.Xr SSL_CTX_set_max_cert_list 3 ,
-.Xr SSL_CTX_set_mode 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_CTX_set_tlsext_servername_callback 3 ,
-.Xr SSL_CTX_set_tlsext_status_cb 3 ,
-.Xr SSL_CTX_set_tlsext_ticket_key_cb 3 ,
-.Xr SSL_get_server_tmp_key 3 ,
-.Xr SSL_num_renegotiations 3 ,
-.Xr SSL_session_reused 3 ,
-.Xr SSL_set_max_send_fragment 3
-.Sh HISTORY
-.Fn SSL_CTX_ctrl
-and
-.Fn SSL_ctrl
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_callback_ctrl
-and
-.Fn SSL_callback_ctrl
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libssl/man/SSL_CTX_flush_sessions.3 b/src/lib/libssl/man/SSL_CTX_flush_sessions.3
deleted file mode 100644
index 2ef781cb4a..0000000000
--- a/src/lib/libssl/man/SSL_CTX_flush_sessions.3
+++ /dev/null
@@ -1,100 +0,0 @@
-.\" $OpenBSD: SSL_CTX_flush_sessions.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL SSL_CTX_flush_sessions.pod 1722496f Jun 8 15:18:38 2017 -0400
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_FLUSH_SESSIONS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_flush_sessions
-.Nd remove expired sessions
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_flush_sessions "SSL_CTX *ctx" "long tm"
-.Sh DESCRIPTION
-.Fn SSL_CTX_flush_sessions
-causes a run through the session cache of
-.Fa ctx
-to remove sessions expired at time
-.Fa tm .
-.Pp
-If enabled, the internal session cache will collect all sessions established
-up to the specified maximum number (see
-.Xr SSL_CTX_sess_set_cache_size 3 ) .
-As sessions will not be reused once they are expired, they should be
-removed from the cache to save resources.
-This can either be done automatically whenever 255 new sessions were
-established (see
-.Xr SSL_CTX_set_session_cache_mode 3 )
-or manually by calling
-.Fn SSL_CTX_flush_sessions .
-.Pp
-The parameter
-.Fa tm
-specifies the time which should be used for the
-expiration test, in most cases the actual time given by
-.Fn time 0
-will be used.
-.Pp
-.Fn SSL_CTX_flush_sessions
-will only check sessions stored in the internal cache.
-When a session is found and removed, the
-.Va remove_session_cb
-is however called to synchronize with the external cache (see
-.Xr SSL_CTX_sess_set_get_cb 3 ) .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_CTX_set_timeout 3
-.Sh HISTORY
-.Fn SSL_CTX_flush_sessions
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_free.3 b/src/lib/libssl/man/SSL_CTX_free.3
deleted file mode 100644
index 47f247631b..0000000000
--- a/src/lib/libssl/man/SSL_CTX_free.3
+++ /dev/null
@@ -1,101 +0,0 @@
-.\" $OpenBSD: SSL_CTX_free.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2003 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_FREE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_free
-.Nd free an allocated SSL_CTX object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_free "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_free
-decrements the reference count of
-.Fa ctx ,
-and removes the
-.Vt SSL_CTX
-object pointed to by
-.Fa ctx
-and frees up the allocated memory if the reference count has reached 0.
-If
-.Fa ctx
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-It also calls the
-.Xr free 3 Ns ing
-procedures for indirectly affected items, if applicable:
-the session cache, the list of ciphers, the list of Client CAs,
-the certificates and keys.
-.Sh WARNINGS
-If a session-remove callback is set
-.Pq Xr SSL_CTX_sess_set_remove_cb 3 ,
-this callback will be called for each session being freed from
-.Fa ctx Ns 's
-session cache.
-This implies that all corresponding sessions from an external session cache are
-removed as well.
-If this is not desired, the user should explicitly unset the callback by
-calling
-.Fn SSL_CTX_sess_set_remove_cb ctx NULL
-prior to calling
-.Fn SSL_CTX_free .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3
-.Sh HISTORY
-.Fn SSL_CTX_free
-first appeared in SSLeay 0.5.1 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_get0_certificate.3 b/src/lib/libssl/man/SSL_CTX_get0_certificate.3
deleted file mode 100644
index 63c86bd5e0..0000000000
--- a/src/lib/libssl/man/SSL_CTX_get0_certificate.3
+++ /dev/null
@@ -1,51 +0,0 @@
-.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
-.\"
-.\" Copyright (c) 2018 Ingo Schwarze
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_CTX_GET0_CERTIFICATE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_get0_certificate
-.Nd get the active certificate from an SSL context
-.Sh SYNOPSIS
-.Ft X509 *
-.Fo SSL_CTX_get0_certificate
-.Fa "const SSL_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-The
-.Fn SSL_CTX_get0_certificate
-function returns an internal pointer
-to the ASN.1 certificate currently active in
-.Fa ctx
-or
-.Dv NULL
-if none was installed with
-.Xr SSL_CTX_use_certificate 3
-or similar functions.
-.Pp
-The returned pointer must not be freed by the caller.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr X509_get_pubkey 3 ,
-.Xr X509_get_subject_name 3 ,
-.Xr X509_new 3
-.Sh HISTORY
-.Fn SSL_CTX_get0_certificate
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3 b/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
deleted file mode 100644
index 3dbaf2e981..0000000000
--- a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
+++ /dev/null
@@ -1,124 +0,0 @@ -.\" $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $ -.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001, 2005 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 21 2018 $ -.Dt SSL_CTX_GET_EX_NEW_INDEX 3 -.Os -.Sh NAME -.Nm SSL_CTX_get_ex_new_index , -.Nm SSL_CTX_set_ex_data , -.Nm SSL_CTX_get_ex_data -.Nd internal application specific data functions -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo SSL_CTX_get_ex_new_index -.Fa "long argl" -.Fa "void *argp" -.Fa "CRYPTO_EX_new *new_func" -.Fa "CRYPTO_EX_dup *dup_func" -.Fa "CRYPTO_EX_free *free_func" -.Fc -.Ft int -.Fn SSL_CTX_set_ex_data "SSL_CTX *ctx" "int idx" "void *arg" -.Ft void * -.Fn SSL_CTX_get_ex_data "const SSL_CTX *ctx" "int idx" -.Bd -literal - typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp); - typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp); - typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, - int idx, long argl, void *argp); -.Ed -.Sh DESCRIPTION -Several OpenSSL structures can have application specific data attached to them. -These functions are used internally by OpenSSL to manipulate application -specific data attached to a specific structure. -.Pp -.Fn SSL_CTX_get_ex_new_index -is used to register a new index for application specific data. -.Pp -.Fn SSL_CTX_set_ex_data -is used to store application data at -.Fa arg -for -.Fa idx -into the -.Fa ctx -object. -.Pp -.Fn SSL_CTX_get_ex_data -is used to retrieve the information for -.Fa idx -from -.Fa ctx . 
-.Pp -A detailed description for the -.Fn *_get_ex_new_index -functionality can be found in -.Xr RSA_get_ex_new_index 3 . -The -.Fn *_get_ex_data -and -.Fn *_set_ex_data -functionality is described in -.Xr CRYPTO_set_ex_data 3 . -.Sh SEE ALSO -.Xr CRYPTO_set_ex_data 3 , -.Xr RSA_get_ex_new_index 3 , -.Xr ssl 3 -.Sh HISTORY -.Fn SSL_CTX_get_ex_new_index , -.Fn SSL_CTX_set_ex_data , -and -.Fn SSL_CTX_get_ex_data -first appeared in SSLeay 0.9.0 and have been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3 b/src/lib/libssl/man/SSL_CTX_get_verify_mode.3 deleted file mode 100644 index 7c87775069..0000000000 --- a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3 +++ /dev/null 
@@ -1,131 +0,0 @@
-.\" $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2005 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_GET_VERIFY_MODE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_get_verify_mode ,
-.Nm SSL_get_verify_mode ,
-.Nm SSL_CTX_get_verify_depth ,
-.Nm SSL_get_verify_depth ,
-.Nm SSL_get_verify_callback ,
-.Nm SSL_CTX_get_verify_callback
-.Nd get currently set verification parameters
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_get_verify_mode "const SSL_CTX *ctx"
-.Ft int
-.Fn SSL_get_verify_mode "const SSL *ssl"
-.Ft int
-.Fn SSL_CTX_get_verify_depth "const SSL_CTX *ctx"
-.Ft int
-.Fn SSL_get_verify_depth "const SSL *ssl"
-.Ft int
-.Fo "(*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))"
-.Fa int "X509_STORE_CTX *"
-.Fc
-.Ft int
-.Fo "(*SSL_get_verify_callback(const SSL *ssl))"
-.Fa int "X509_STORE_CTX *"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_get_verify_mode
-returns the verification mode currently set in
-.Fa ctx .
-.Pp
-.Fn SSL_get_verify_mode
-returns the verification mode currently set in
-.Fa ssl .
-.Pp
-.Fn SSL_CTX_get_verify_depth
-returns the verification depth limit currently set
-in
-.Fa ctx .
-If no limit has been explicitly set,
-\(mi1 is returned and the default value will be used.
-.Pp
-.Fn SSL_get_verify_depth
-returns the verification depth limit currently set in
-.Fa ssl .
-If no limit has been explicitly set,
-\(mi1 is returned and the default value will be used.
-.Pp
-.Fn SSL_CTX_get_verify_callback
-returns a function pointer to the verification callback currently set in
-.Fa ctx .
-If no callback was explicitly set, the
-.Dv NULL
-pointer is returned and the default callback will be used.
-.Pp
-.Fn SSL_get_verify_callback
-returns a function pointer to the verification callback currently set in
-.Fa ssl .
-If no callback was explicitly set, the
-.Dv NULL
-pointer is returned and the default callback will be used.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_verify 3
-.Sh HISTORY
-.Fn SSL_CTX_get_verify_mode ,
-.Fn SSL_get_verify_mode ,
-.Fn SSL_get_verify_callback ,
-and
-.Fn SSL_CTX_get_verify_callback
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_get_verify_depth
-and
-.Fn SSL_get_verify_depth
-first appeared in OpenSSL 0.9.3 and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3 b/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
deleted file mode 100644
index 373df2402e..0000000000
--- a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
+++ /dev/null
@@ -1,238 +0,0 @@
-.\" $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_LOAD_VERIFY_LOCATIONS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_load_verify_locations ,
-.Nm SSL_CTX_set_default_verify_paths
-.Nd set default locations for trusted CA certificates
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_load_verify_locations
-.Fa "SSL_CTX *ctx" "const char *CAfile" "const char *CApath"
-.Fc
-.Ft int
-.Fo SSL_CTX_set_default_verify_paths
-.Fa "SSL_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_load_verify_locations
-specifies the locations for
-.Fa ctx ,
-at which CA certificates for verification purposes are located.
-The certificates available via
-.Fa CAfile
-and
-.Fa CApath
-are trusted.
-.Pp
-.Fn SSL_CTX_set_default_verify_paths
-specifies that the default locations from which CA certificates are
-loaded should be used.
-There is one default directory and one default file.
-The default CA certificates directory is called
-.Pa certs
-in the default OpenSSL directory.
-The default CA certificates file is called
-.Pa cert.pem
-in the default OpenSSL directory.
-.Pp
-If
-.Fa CAfile
-is not
-.Dv NULL ,
-it points to a file of CA certificates in PEM format.
-The file can contain several CA certificates identified by sequences of:
-.Bd -literal
- -----BEGIN CERTIFICATE-----
- ... (CA certificate in base64 encoding) ...
- -----END CERTIFICATE-----
-.Ed
-.Pp
-Before, between, and after the certificates arbitrary text is allowed which can
-be used, e.g., for descriptions of the certificates.
-.Pp
-The
-.Fa CAfile
-is processed on execution of the
-.Fn SSL_CTX_load_verify_locations
-function.
-.Pp
-If
-.Fa CApath
-is not NULL, it points to a directory containing CA certificates in PEM format.
-The files each contain one CA certificate.
-The files are looked up by the CA subject name hash value,
-which must hence be available.
-If more than one CA certificate with the same name hash value exist,
-the extension must be different (e.g.,
-.Pa 9d66eef0.0 ,
-.Pa 9d66eef0.1 ,
-etc.).
-The search is performed in the ordering of the extension number,
-regardless of other properties of the certificates.
-.Pp
-The certificates in
-.Fa CApath
-are only looked up when required, e.g., when building the certificate chain or
-when actually performing the verification of a peer certificate.
-.Pp
-When looking up CA certificates, the OpenSSL library will first search the
-certificates in
-.Fa CAfile ,
-then those in
-.Fa CApath .
-Certificate matching is done based on the subject name, the key identifier (if
-present), and the serial number as taken from the certificate to be verified.
-If these data do not match, the next certificate will be tried.
-If a first certificate matching the parameters is found,
-the verification process will be performed;
-no other certificates for the same parameters will be searched in case of
-failure.
-.Pp
-In server mode, when requesting a client certificate, the server must send
-the list of CAs of which it will accept client certificates.
-This list is not influenced by the contents of
-.Fa CAfile
-or
-.Fa CApath
-and must explicitly be set using the
-.Xr SSL_CTX_set_client_CA_list 3
-family of functions.
-.Pp
-When building its own certificate chain, an OpenSSL client/server will try to
-fill in missing certificates from
-.Fa CAfile Ns / Fa CApath ,
-if the
-certificate chain was not explicitly specified (see
-.Xr SSL_CTX_add_extra_chain_cert 3
-and
-.Xr SSL_CTX_use_certificate 3 ) .
-.Sh RETURN VALUES
-For
-.Fn SSL_CTX_load_verify_locations ,
-the following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The operation failed because
-.Fa CAfile
-and
-.Fa CApath
-are
-.Dv NULL
-or the processing at one of the locations specified failed.
-Check the error stack to find out the reason.
-.It 1
-The operation succeeded.
-.El
-.Pp
-.Fn SSL_CTX_set_default_verify_paths
-returns 1 on success or 0 on failure.
-A missing default location is still treated as a success.
-.Sh EXAMPLES
-Generate a CA certificate file with descriptive text from the CA certificates
-.Pa ca1.pem
-.Pa ca2.pem
-.Pa ca3.pem :
-.Bd -literal
-#!/bin/sh
-rm CAfile.pem
-for i in ca1.pem ca2.pem ca3.pem; do
- openssl x509 -in $i -text >> CAfile.pem
-done
-.Ed
-.Pp
-Prepare the directory /some/where/certs containing several CA certificates
-for use as
-.Fa CApath :
-.Bd -literal
-$ cd /some/where/certs
-$ rm -f *.[0-9]* *.r[0-9]*
-$ for c in *.pem; do
-> [ "$c" = "*.pem" ] && continue
-> hash=$(openssl x509 -noout -hash -in "$c")
-> if egrep -q -- '-BEGIN( X509 | TRUSTED | )CERTIFICATE-' "$c"; then
-> suf=0
-> while [ -e $hash.$suf ]; do suf=$(( $suf + 1 )); done
-> ln -s "$c" $hash.$suf
-> fi
-> if egrep -q -- '-BEGIN X509 CRL-' "$c"; then
-> suf=0
-> while [ -e $hash.r$suf ]; do suf=$(( $suf + 1 )); done
-> ln -s "$c" $hash.r$suf
-> fi
-> done
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_set_cert_store 3 ,
-.Xr SSL_CTX_set_client_CA_list 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr SSL_get_client_CA_list 3
-.Sh HISTORY
-.Fn SSL_CTX_load_verify_locations
-and
-.Fn SSL_CTX_set_default_verify_paths
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-If several CA certificates matching the name, key identifier, and serial
-number condition are available, only the first one will be examined.
-This may lead to unexpected results if the same CA certificate is available
-with different expiration dates.
-If a
-.Dq certificate expired
-verification error occurs, no other certificate will be searched.
-Make sure to not have expired certificates mixed with valid ones.
diff --git a/src/lib/libssl/man/SSL_CTX_new.3 b/src/lib/libssl/man/SSL_CTX_new.3
deleted file mode 100644
index 4b50a03de4..0000000000
--- a/src/lib/libssl/man/SSL_CTX_new.3
+++ /dev/null
@@ -1,345 +0,0 @@
-.\" $OpenBSD: SSL_CTX_new.3,v 1.17 2022/07/13 22:05:53 schwarze Exp $
-.\" full merge up to: OpenSSL 21cd6e00 Oct 21 14:40:15 2015 +0100
-.\" selective merge up to: OpenSSL 8f75443f May 24 14:04:26 2019 +0200
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2005, 2012, 2013, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt SSL_CTX_NEW 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_new ,
-.Nm SSL_CTX_up_ref ,
-.Nm TLS_method ,
-.Nm TLS_server_method ,
-.Nm TLS_client_method ,
-.Nm SSLv23_method ,
-.Nm SSLv23_server_method ,
-.Nm SSLv23_client_method ,
-.Nm TLSv1_method ,
-.Nm TLSv1_server_method ,
-.Nm TLSv1_client_method ,
-.Nm TLSv1_1_method ,
-.Nm TLSv1_1_server_method ,
-.Nm TLSv1_1_client_method ,
-.Nm TLSv1_2_method ,
-.Nm TLSv1_2_server_method ,
-.Nm TLSv1_2_client_method ,
-.Nm DTLS_method ,
-.Nm DTLS_server_method ,
-.Nm DTLS_client_method ,
-.Nm DTLSv1_method ,
-.Nm DTLSv1_server_method ,
-.Nm DTLSv1_client_method ,
-.Nm DTLSv1_2_method ,
-.Nm DTLSv1_2_server_method ,
-.Nm DTLSv1_2_client_method
-.Nd create a new SSL_CTX object as a framework for TLS enabled functions
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL_CTX *
-.Fn SSL_CTX_new "const SSL_METHOD *method"
-.Ft int
-.Fn SSL_CTX_up_ref "SSL_CTX *ctx"
-.Ft const SSL_METHOD *
-.Fn TLS_method void
-.Ft const SSL_METHOD *
-.Fn TLS_server_method void
-.Ft const SSL_METHOD *
-.Fn TLS_client_method void
-.Ft const SSL_METHOD *
-.Fn SSLv23_method void
-.Ft const SSL_METHOD *
-.Fn SSLv23_server_method void
-.Ft const SSL_METHOD *
-.Fn SSLv23_client_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_server_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_client_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_1_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_1_server_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_1_client_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_2_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_2_server_method void
-.Ft const SSL_METHOD *
-.Fn TLSv1_2_client_method void
-.Ft const SSL_METHOD *
-.Fn DTLS_method void
-.Ft const SSL_METHOD *
-.Fn DTLS_server_method void
-.Ft const SSL_METHOD *
-.Fn DTLS_client_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_server_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_client_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_2_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_2_server_method void
-.Ft const SSL_METHOD *
-.Fn DTLSv1_2_client_method void
-.Sh DESCRIPTION
-.Fn SSL_CTX_new
-creates a new
-.Vt SSL_CTX
-object as a framework to establish TLS or DTLS enabled connections.
-It initializes the list of ciphers, the session cache setting, the
-callbacks, the keys and certificates, the options, and the security
-level to its default values.
-.Pp
-An
-.Vt SSL_CTX
-object is reference counted.
-Creating a new
-.Vt SSL_CTX
-object sets its reference count to 1.
-Calling
-.Fn SSL_CTX_up_ref
-on it increments the reference count by 1.
-Calling
-.Xr SSL_CTX_free 3
-on it decrements the reference count by 1.
-When the reference count drops to zero,
-any memory or resources allocated to the
-.Vt SSL_CTX
-object are freed.
-.Pp
-The
-.Vt SSL_CTX
-object uses
-.Fa method
-as its connection method, which can be:
-.Bl -tag -width Ds
-.It Fn TLS_method
-The general-purpose version-flexible TLS method.
-The protocol version used will be negotiated to the highest
-version mutually supported by the client and the server.
-The supported protocols are TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3.
-.It Fn DTLS_method
-The version-flexible DTLS method.
-The currently supported protocols are DTLSv1 and DTLSv1.2.
-.El
-.Pp
-The following
-.Fa method
-arguments are deprecated:
-.Bl -tag -width Ds
-.It Xo
-.Fn TLS_server_method ,
-.Fn TLS_client_method ,
-.Fn SSLv23_method ,
-.Fn SSLv23_server_method ,
-.Fn SSLv23_client_method
-.Xc
-Deprecated aliases for
-.Fn TLS_method .
-.It Xo
-.Fn DTLS_server_method ,
-.Fn DTLS_client_method
-.Xc
-Deprecated aliases for
-.Fn DTLS_method .
-.It Xo
-.Fn TLSv1_method ,
-.Fn TLSv1_server_method ,
-.Fn TLSv1_client_method
-.Xc
-A connection established with these methods will only
-understand the TLSv1 protocol.
-.It Xo
-.Fn TLSv1_1_method ,
-.Fn TLSv1_1_server_method ,
-.Fn TLSv1_1_client_method
-.Xc
-A connection established with these methods will only
-understand the TLSv1.1 protocol.
-.It Xo
-.Fn TLSv1_2_method ,
-.Fn TLSv1_2_server_method ,
-.Fn TLSv1_2_client_method
-.Xc
-A connection established with these methods will only
-understand the TLSv1.2 protocol.
-.It Xo
-.Fn DTLSv1_method ,
-.Fn DTLSv1_server_method ,
-.Fn DTLSv1_client_method
-.Xc
-These are the version-specific methods for DTLSv1.
-.It Xo
-.Fn DTLSv1_2_method ,
-.Fn DTLSv1_2_server_method ,
-.Fn DTLSv1_2_client_method
-These are the version-specific methods for DTLSv1.2.
-.Xc
-.El
-.Pp
-In LibreSSL, the methods containing the substrings
-.Dq _server
-or
-.Dq _client
-in their names return the same objects
-as the methods without these substrings.
-.Pp
-The list of protocols available can also be limited using the
-.Dv SSL_OP_NO_TLSv1 ,
-.Dv SSL_OP_NO_TLSv1_1 ,
-and
-.Dv SSL_OP_NO_TLSv1_2
-options of the
-.Xr SSL_CTX_set_options 3
-or
-.Xr SSL_set_options 3
-functions, but this approach is not recommended.
-Clients should avoid creating "holes" in the set of protocols they support.
-When disabling a protocol, make sure that you also disable either
-all previous or all subsequent protocol versions.
-In clients, when a protocol version is disabled without disabling
-all previous protocol versions, the effect is to also disable all
-subsequent protocol versions.
-.Pp
-DTLSv1 and DTLSv1.2 can be disabled with
-.Xr SSL_CTX_set_options 3
-or
-.Xr SSL_set_options 3
-using the
-.Dv SSL_OP_NO_DTLSv1
-and
-.Dv SSL_OP_NO_DTLSv1_2
-options, respectively.
-.Sh RETURN VALUES
-.Fn SSL_CTX_new
-returns a pointer to the newly allocated object or
-.Dv NULL
-on failure.
-Check the error stack to find out the reason for failure.
-.Pp
-.Fn SSL_CTX_up_ref
-returns 1 for success or 0 for failure.
-.Pp
-.Fn TLS_method
-and the other
-.Fn *_method
-functions return pointers to constant static objects.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_CTX_free 3 ,
-.Xr SSL_CTX_set_min_proto_version 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_security_level 3 ,
-.Xr SSL_set_connect_state 3
-.Sh HISTORY
-.Fn SSL_CTX_new
-first appeared in SSLeay 0.5.1.
-.Fn SSLv23_method ,
-.Fn SSLv23_server_method ,
-and
-.Fn SSLv23_client_method
-first appeared in SSLeay 0.8.0.
-.Fn TLSv1_method ,
-.Fn TLSv1_server_method ,
-and
-.Fn TLSv1_client_method
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn DTLSv1_method ,
-.Fn DTLSv1_server_method ,
-and
-.Fn DTLSv1_client_method
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn TLSv1_1_method ,
-.Fn TLSv1_1_server_method ,
-.Fn TLSv1_1_client_method ,
-.Fn TLSv1_2_method ,
-.Fn TLSv1_2_server_method ,
-and
-.Fn TLSv1_2_client_method
-first appeared in OpenSSL 1.0.1 and have been available since
-.Ox 5.3 .
-.Pp
-.Fn DTLS_method ,
-.Fn DTLS_server_method ,
-and
-.Fn DTLS_client_method
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.5 .
-.Pp
-.Fn TLS_method ,
-.Fn TLS_server_method ,
-and
-.Fn TLS_client_method
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 5.8 .
-.Pp
-.Fn SSL_CTX_up_ref
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
-.Pp
-.Fn DTLSv1_2_method ,
-.Fn DTLSv1_2_server_method ,
-and
-.Fn DTLSv1_2_client_method
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.9 .
diff --git a/src/lib/libssl/man/SSL_CTX_sess_number.3 b/src/lib/libssl/man/SSL_CTX_sess_number.3
deleted file mode 100644
index 76d436cd17..0000000000
--- a/src/lib/libssl/man/SSL_CTX_sess_number.3
+++ /dev/null
@@ -1,168 +0,0 @@
-.\" $OpenBSD: SSL_CTX_sess_number.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
-.\" OpenSSL SSL_CTX_sess_number.pod 7bd27895 Mar 29 11:45:29 2017 +1000
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_CTX_SESS_NUMBER 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_sess_number ,
-.Nm SSL_CTX_sess_connect ,
-.Nm SSL_CTX_sess_connect_good ,
-.Nm SSL_CTX_sess_connect_renegotiate ,
-.Nm SSL_CTX_sess_accept ,
-.Nm SSL_CTX_sess_accept_good ,
-.Nm SSL_CTX_sess_accept_renegotiate ,
-.Nm SSL_CTX_sess_hits ,
-.Nm SSL_CTX_sess_cb_hits ,
-.Nm SSL_CTX_sess_misses ,
-.Nm SSL_CTX_sess_timeouts ,
-.Nm SSL_CTX_sess_cache_full
-.Nd obtain session cache statistics
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_sess_number "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_connect "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_connect_good "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_connect_renegotiate "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_accept "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_accept_good "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_accept_renegotiate "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_hits "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_cb_hits "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_misses "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_timeouts "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_CTX_sess_cache_full "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_sess_number
-returns the current number of sessions in the internal session cache.
-.Pp
-.Fn SSL_CTX_sess_connect
-returns the number of started SSL/TLS handshakes in client mode.
-.Pp
-.Fn SSL_CTX_sess_connect_good
-returns the number of successfully established SSL/TLS sessions in client mode.
-.Pp
-.Fn SSL_CTX_sess_connect_renegotiate
-returns the number of started renegotiations in client mode.
-.Pp
-.Fn SSL_CTX_sess_accept
-returns the number of started SSL/TLS handshakes in server mode.
-.Pp
-.Fn SSL_CTX_sess_accept_good
-returns the number of successfully established SSL/TLS sessions in server mode.
-.Pp
-.Fn SSL_CTX_sess_accept_renegotiate
-returns the number of started renegotiations in server mode.
-.Pp
-.Fn SSL_CTX_sess_hits
-returns the number of successfully reused sessions.
-In client mode a session set with
-.Xr SSL_set_session 3
-successfully reused is counted as a hit.
-In server mode a session successfully retrieved from internal or external cache
-is counted as a hit.
-.Pp
-.Fn SSL_CTX_sess_cb_hits
-returns the number of successfully retrieved sessions from the external session
-cache in server mode.
-.Pp
-.Fn SSL_CTX_sess_misses
-returns the number of sessions proposed by clients that were not found in the
-internal session cache in server mode.
-.Pp
-.Fn SSL_CTX_sess_timeouts
-returns the number of sessions proposed by clients and either found in the
-internal or external session cache in server mode,
-but that were invalid due to timeout.
-These sessions are not included in the
-.Fn SSL_CTX_sess_hits
-count.
-.Pp
-.Fn SSL_CTX_sess_cache_full
-returns the number of sessions that were removed because the maximum session
-cache size was exceeded.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_sess_set_cache_size 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_set_session 3
-.Sh HISTORY
-.Fn SSL_CTX_sess_number ,
-.Fn SSL_CTX_sess_connect ,
-.Fn SSL_CTX_sess_connect_good ,
-.Fn SSL_CTX_sess_accept ,
-.Fn SSL_CTX_sess_accept_good ,
-.Fn SSL_CTX_sess_hits ,
-.Fn SSL_CTX_sess_misses ,
-and
-.Fn SSL_CTX_sess_timeouts
-first appeared in SSLeay 0.5.2.
-.Fn SSL_CTX_sess_cb_hits
-first appeared in SSLeay 0.6.0.
-.Fn SSL_CTX_sess_connect_renegotiate ,
-.Fn SSL_CTX_sess_accept_renegotiate ,
-and
-.Fn SSL_CTX_sess_cache_full
-first appeared in SSLeay 0.9.0.
-All these functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 b/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
deleted file mode 100644
index 6d5fede0b6..0000000000
--- a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
+++ /dev/null
@@ -1,109 +0,0 @@
-.\" $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2002, 2014 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. 
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_CTX_SESS_SET_CACHE_SIZE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_sess_set_cache_size ,
-.Nm SSL_CTX_sess_get_cache_size
-.Nd manipulate session cache size
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_sess_set_cache_size "SSL_CTX *ctx" "long t"
-.Ft long
-.Fn SSL_CTX_sess_get_cache_size "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_sess_set_cache_size
-sets the size of the internal session cache of context
-.Fa ctx
-to
-.Fa t .
-.Pp
-.Fn SSL_CTX_sess_get_cache_size
-returns the currently valid session cache size.
-.Pp
-The internal session cache size is
-.Dv SSL_SESSION_CACHE_MAX_SIZE_DEFAULT ,
-currently 1024\(mu20, so that up to 20000 sessions can be held.
-This size can be modified using the
-.Fn SSL_CTX_sess_set_cache_size
-call.
-A special case is the size 0, which is used for unlimited size.
-.Pp
-If adding the session makes the cache exceed its size, then unused
-sessions are dropped from the end of the cache.
-Cache space may also be reclaimed by calling
-.Xr SSL_CTX_flush_sessions 3
-to remove expired sessions.
-.Pp
-If the size of the session cache is reduced and more sessions are already in
-the session cache,
-old session will be removed the next time a session shall be added.
-This removal is not synchronized with the expiration of sessions.
-.Sh RETURN VALUES
-.Fn SSL_CTX_sess_set_cache_size
-returns the previously valid size.
-.Pp
-.Fn SSL_CTX_sess_get_cache_size
-returns the currently valid size.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_sess_number 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3
-.Sh HISTORY
-.Fn SSL_CTX_sess_set_cache_size
-and
-.Fn SSL_CTX_sess_get_cache_size
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 b/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
deleted file mode 100644
index e99f2be671..0000000000
--- a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
+++ /dev/null
@@ -1,221 +0,0 @@
-.\" $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.7 2022/03/29 18:15:52 naddy Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2002, 2003, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. 
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 29 2022 $
-.Dt SSL_CTX_SESS_SET_GET_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_sess_set_new_cb ,
-.Nm SSL_CTX_sess_set_remove_cb ,
-.Nm SSL_CTX_sess_set_get_cb ,
-.Nm SSL_CTX_sess_get_new_cb ,
-.Nm SSL_CTX_sess_get_remove_cb ,
-.Nm SSL_CTX_sess_get_get_cb
-.Nd provide callback functions for server side external session caching
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_sess_set_new_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*new_session_cb)(SSL *, SSL_SESSION *)"
-.Fc
-.Ft void
-.Fo SSL_CTX_sess_set_remove_cb
-.Fa "SSL_CTX *ctx"
-.Fa "void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)"
-.Fc
-.Ft void
-.Fo SSL_CTX_sess_set_get_cb
-.Fa "SSL_CTX *ctx"
-.Fa "SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *)"
-.Fc
-.Ft int
-.Fo "(*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))"
-.Fa "SSL *ssl"
-.Fa "SSL_SESSION *sess"
-.Fc
-.Ft void
-.Fo "(*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))"
-.Fa "SSL_CTX *ctx"
-.Fa "SSL_SESSION *sess"
-.Fc
-.Ft SSL_SESSION *
-.Fo "(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))"
-.Fa "SSL *ssl"
-.Fa "const unsigned char *data"
-.Fa "int len"
-.Fa "int *copy"
-.Fc
-.Ft int
-.Fo "(*new_session_cb)"
-.Fa "SSL *ssl"
-.Fa "SSL_SESSION *sess"
-.Fc
-.Ft void
-.Fo "(*remove_session_cb)"
-.Fa "SSL_CTX *ctx"
-.Fa "SSL_SESSION *sess"
-.Fc
-.Ft SSL_SESSION *
-.Fo "(*get_session_cb)"
-.Fa "SSL *ssl"
-.Fa "unsigned char *data"
-.Fa "int len"
-.Fa "int *copy"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_sess_set_new_cb
-sets the callback function which is automatically called whenever a new session
-was negotiated.
-.Pp
-.Fn SSL_CTX_sess_set_remove_cb
-sets the callback function which is automatically called whenever a session is
-removed by the SSL engine (because it is considered faulty or the session has
-become obsolete because of exceeding the timeout value).
-.Pp
-.Fn SSL_CTX_sess_set_get_cb
-sets the callback function which is called whenever a SSL/TLS client proposes
-to resume a session but the session cannot be found in the internal session
-cache (see
-.Xr SSL_CTX_set_session_cache_mode 3 ) .
-(SSL/TLS server only.)
-.Pp
-.Fn SSL_CTX_sess_get_new_cb ,
-.Fn SSL_CTX_sess_get_remove_cb ,
-and
-.Fn SSL_CTX_sess_get_get_cb
-retrieve the function pointers of the provided callback functions.
-If a callback function has not been set, the
-.Dv NULL
-pointer is returned.
-.Pp
-In order to allow external session caching, synchronization with the internal
-session cache is realized via callback functions.
-Inside these callback functions, session can be saved to disk or put into a
-database using the
-.Xr d2i_SSL_SESSION 3
-interface.
-.Pp
-The
-.Fn new_session_cb
-function is called whenever a new session has been negotiated and session
-caching is enabled (see
-.Xr SSL_CTX_set_session_cache_mode 3 ) .
-The
-.Fn new_session_cb
-function is passed the
-.Fa ssl
-connection and the ssl session
-.Fa sess .
-If the callback returns 0, the session will be immediately removed again.
-.Pp
-The
-.Fn remove_session_cb
-function is called whenever the SSL engine removes a session from the
-internal cache.
-This happens when the session is removed because it is expired or when a
-connection was not shut down cleanly.
-It also happens for all sessions in the internal session cache when
-.Xr SSL_CTX_free 3
-is called.
-The
-.Fn remove_session_cb
-function is passed the
-.Fa ctx
-and the
-.Vt ssl
-session
-.Fa sess .
-It does not provide any feedback.
-.Pp
-The
-.Fn get_session_cb
-function is only called on SSL/TLS servers with the session id proposed by the
-client.
-The
-.Fn get_session_cb
-function is always called, also when session caching was disabled.
-The
-.Fn get_session_cb
-function is passed the
-.Fa ssl
-connection, the session id of length
-.Fa length
-at the memory location
-.Fa data .
-With the parameter
-.Fa copy
-the callback can require the SSL engine to increment the reference count of the
-.Vt SSL_SESSION
-object,
-Normally the reference count is not incremented and therefore the session must
-not be explicitly freed with
-.Xr SSL_SESSION_free 3 .
-.Sh SEE ALSO
-.Xr d2i_SSL_SESSION 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_free 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_SESSION_free 3
-.Sh HISTORY
-.Fn SSL_CTX_sess_set_new_cb ,
-.Fn SSL_CTX_sess_set_get_cb ,
-.Fn SSL_CTX_sess_get_new_cb ,
-and
-.Fn SSL_CTX_sess_get_get_cb
-first appeared in SSLeay 0.6.0.
-.Fn SSL_CTX_sess_set_remove_cb
-and
-.Fn SSL_CTX_sess_get_remove_cb
-first appeared in SSLeay 0.8.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_sessions.3 b/src/lib/libssl/man/SSL_CTX_sessions.3
deleted file mode 100644
index 964d1a7346..0000000000
--- a/src/lib/libssl/man/SSL_CTX_sessions.3
+++ /dev/null
@@ -1,86 +0,0 @@
-.\" $OpenBSD: SSL_CTX_sessions.3,v 1.5 2018/04/25 14:19:39 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 25 2018 $
-.Dt SSL_CTX_SESSIONS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_sessions
-.Nd access internal session cache
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft LHASH_OF(SSL_SESSION) *
-.Fn SSL_CTX_sessions "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_sessions
-returns a pointer to the lhash databases containing the internal session cache
-for
-.Fa ctx .
-.Pp
-The sessions in the internal session cache are kept in an
-lhash-type database
-(see
-.Xr lh_new 3 ) .
-It is possible to directly access this database, e.g., for searching.
-In parallel,
-the sessions form a linked list which is maintained separately from the
-lhash operations,
-so that the database must not be modified directly but by using the
-.Xr SSL_CTX_add_session 3
-family of functions.
-.Sh SEE ALSO
-.Xr lh_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_session 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3
-.Sh HISTORY
-.Fn SSL_CTX_sessions
-first appeared in SSLeay 0.5.2 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_set1_groups.3 b/src/lib/libssl/man/SSL_CTX_set1_groups.3
deleted file mode 100644
index 0d1eb36ea7..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set1_groups.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set1_groups.3,v 1.2 2017/08/19 19:36:39 schwarze Exp $
-.\" OpenSSL SSL_CTX_set1_curves.pod de4d764e Nov 9 14:51:06 2016 +0000
-.\"
-.\" This file was written by Dr. Stephen Henson .
-.\" Copyright (c) 2013, 2014, 2016 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. 
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: August 19 2017 $
-.Dt SSL_CTX_SET1_GROUPS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set1_groups ,
-.Nm SSL_CTX_set1_groups_list ,
-.Nm SSL_set1_groups ,
-.Nm SSL_set1_groups_list ,
-.Nm SSL_CTX_set1_curves ,
-.Nm SSL_CTX_set1_curves_list ,
-.Nm SSL_set1_curves ,
-.Nm SSL_set1_curves_list
-.Nd choose supported EC groups
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set1_groups
-.Fa "SSL_CTX *ctx"
-.Fa "const int *glist"
-.Fa "size_t glistlen"
-.Fc
-.Ft int
-.Fo SSL_CTX_set1_groups_list
-.Fa "SSL_CTX *ctx"
-.Fa "const char *list"
-.Fc
-.Ft int
-.Fo SSL_set1_groups
-.Fa "SSL *ssl"
-.Fa "const int *glist"
-.Fa "size_t glistlen"
-.Fc
-.Ft int
-.Fo SSL_set1_groups_list
-.Fa "SSL *ssl"
-.Fa "const char *list"
-.Fc
-.Ft int
-.Fo SSL_CTX_set1_curves
-.Fa "SSL_CTX *ctx"
-.Fa "const int *clist"
-.Fa "size_t clistlen"
-.Fc
-.Ft int
-.Fo SSL_CTX_set1_curves_list
-.Fa "SSL_CTX *ctx"
-.Fa "const char *list"
-.Fc
-.Ft int
-.Fo SSL_set1_curves
-.Fa "SSL *ssl"
-.Fa "const int *clist"
-.Fa "size_t clistlen"
-.Fc
-.Ft int
-.Fo SSL_set1_curves_list
-.Fa "SSL *ssl"
-.Fa "const char *list"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set1_groups
-sets the supported groups for
-.Fa ctx
-to the
-.Fa glistlen
-groups in the array
-.Fa glist .
-The array consists of group NIDs in preference order.
-For a TLS client, the groups are used directly in the supported groups
-extension.
-For a TLS server, the groups are used to determine the set of shared
-groups.
-.Pp
-.Fn SSL_CTX_set1_groups_list
-sets the supported groups for
-.Fa ctx
-to the
-.Fa list
-represented as a colon separated list of group NIDs or names, for example
-"P-521:P-384:P-256".
-.Pp
-.Fn SSL_set1_groups
-and
-.Fn SSL_set1_groups_list
-are similar except that they set supported groups for the SSL structure
-.Fa ssl
-only.
-.Pp
-The curve functions are deprecated synonyms for the equivalently
-named group functions and are identical in every respect except
-that they are implemented as macros.
-They exist because prior to TLS1.3, there was only the concept of
-supported curves.
-In TLS1.3, this was renamed to supported groups and extended to include
-Diffie Hellman groups.
-.Pp
-If an application wishes to make use of several of these functions for
-configuration purposes either on a command line or in a file, it should
-consider using the SSL_CONF interface instead of manually parsing
-options.
-.Sh RETURN VALUES
-All these functions return 1 for success or 0 for failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_set_cipher_list 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-The curve functions first appeared in OpenSSL 1.0.2
-and the group functions in OpenSSL 1.1.1.
-Both have been available since
-.Ox 6.1 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
deleted file mode 100644
index 683b6696e3..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ /dev/null
@@ -1,277 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.8 2021/09/10 09:25:29 tb Exp $
-.\" OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Todd Short .
-.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. 
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 10 2021 $
-.Dt SSL_CTX_SET_ALPN_SELECT_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_alpn_protos ,
-.Nm SSL_set_alpn_protos ,
-.Nm SSL_CTX_set_alpn_select_cb ,
-.Nm SSL_select_next_proto ,
-.Nm SSL_get0_alpn_selected
-.Nd handle application layer protocol negotiation (ALPN)
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set_alpn_protos
-.Fa "SSL_CTX *ctx"
-.Fa "const unsigned char *protos"
-.Fa "unsigned int protos_len"
-.Fc
-.Ft int
-.Fo SSL_set_alpn_protos
-.Fa "SSL *ssl"
-.Fa "const unsigned char *protos"
-.Fa "unsigned int protos_len"
-.Fc
-.Ft void
-.Fo SSL_CTX_set_alpn_select_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*cb)(SSL *ssl, const unsigned char **out,\
- unsigned char *outlen, const unsigned char *in,\
- unsigned int inlen, void *arg)"
-.Fa "void *arg"
-.Fc
-.Ft int
-.Fo SSL_select_next_proto
-.Fa "unsigned char **out"
-.Fa "unsigned char *outlen"
-.Fa "const unsigned char *server"
-.Fa "unsigned int server_len"
-.Fa "const unsigned char *client"
-.Fa "unsigned int client_len"
-.Fc
-.Ft void
-.Fo SSL_get0_alpn_selected
-.Fa "const SSL *ssl"
-.Fa "const unsigned char **data"
-.Fa "unsigned int *len"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_alpn_protos
-and
-.Fn SSL_set_alpn_protos
-are used by the client to set the list of protocols available to be
-negotiated.
-The
-.Fa protos
-must be in protocol-list format, described below.
-The length of
-.Fa protos
-is specified in
-.Fa protos_len .
-.Pp
-.Fn SSL_CTX_set_alpn_select_cb
-sets the application callback
-.Fa cb
-used by a server to select which protocol to use for the incoming
-connection.
-When
-.Fa cb
-is
-.Dv NULL ,
-ALPN is not used.
-The
-.Fa arg
-value is a pointer which is passed to the application callback.
-.Pp
-.Fa cb
-is the application defined callback.
-The
-.Fa in ,
-.Fa inlen
-parameters are a vector in protocol-list format.
-The value of the
-.Fa out ,
-.Fa outlen
-vector should be set to the value of a single protocol selected from the
-.Fa in ,
-.Fa inlen
-vector.
-The
-.Fa out
-buffer may point directly into
-.Fa in ,
-or to a buffer that outlives the handshake.
-The
-.Fa arg
-parameter is the pointer set via
-.Fn SSL_CTX_set_alpn_select_cb .
-.Pp
-.Fn SSL_select_next_proto
-is a helper function used to select protocols.
-It implements the standard protocol selection.
-It is expected that this function is called from the application
-callback
-.Fa cb .
-The protocol data in
-.Fa server ,
-.Fa server_len
-and
-.Fa client ,
-.Fa client_len
-must be in the protocol-list format described below.
-The first item in the
-.Fa server ,
-.Fa server_len
-list that matches an item in the
-.Fa client ,
-.Fa client_len
-list is selected, and returned in
-.Fa out ,
-.Fa outlen .
-The
-.Fa out
-value will point into either
-.Fa server
-or
-.Fa client ,
-so it should be copied immediately.
-If no match is found, the first item in
-.Fa client ,
-.Fa client_len
-is returned in
-.Fa out ,
-.Fa outlen .
-.Pp
-.Fn SSL_get0_alpn_selected
-returns a pointer to the selected protocol in
-.Fa data
-with length
-.Fa len .
-It is not NUL-terminated.
-.Fa data
-is set to
-.Dv NULL
-and
-.Fa len
-is set to 0 if no protocol has been selected.
-.Fa data
-must not be freed.
-.Pp
-The protocol-lists must be in wire-format, which is defined as a vector
-of non-empty, 8-bit length-prefixed byte strings.
-The length-prefix byte is not included in the length.
-Each string is limited to 255 bytes.
-A byte-string length of 0 is invalid.
-A truncated byte-string is invalid.
-The length of the vector is not in the vector itself, but in a separate
-variable.
-.Pp
-For example:
-.Bd -literal
-unsigned char vector[] = {
- 6, 's', 'p', 'd', 'y', '/', '1',
- 8, 'h', 't', 't', 'p', '/', '1', '.', '1'
-};
-unsigned int length = sizeof(vector);
-.Ed
-.Pp
-The ALPN callback is executed after the servername callback; as that
-servername callback may update the SSL_CTX, and subsequently, the ALPN
-callback.
-.Pp
-If there is no ALPN proposed in the ClientHello, the ALPN callback is
-not invoked.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_alpn_protos
-and
-.Fn SSL_set_alpn_protos
-return 0 on success or non-zero on failure.
-WARNING: these functions reverse the return value convention.
-.Pp
-.Fn SSL_select_next_proto
-returns one of the following:
-.Bl -tag -width Ds
-.It OPENSSL_NPN_NEGOTIATED
-A match was found and is returned in
-.Fa out ,
-.Fa outlen .
-.It OPENSSL_NPN_NO_OVERLAP
-No match was found.
-The first item in
-.Fa client ,
-.Fa client_len
-is returned in
-.Fa out ,
-.Fa outlen .
-.El
-.Pp
-The ALPN select callback
-.Fa cb
-must return one of the following:
-.Bl -tag -width Ds
-.It SSL_TLSEXT_ERR_OK
-ALPN protocol selected.
-.It SSL_TLSEXT_ERR_ALERT_FATAL
-There was no overlap between the client's supplied list and the
-server configuration.
-.It SSL_TLSEXT_ERR_NOACK
-ALPN protocol not selected, e.g., because no ALPN protocols are
-configured for this connection.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_tlsext_servername_arg 3 ,
-.Xr SSL_CTX_set_tlsext_servername_callback 3
-.Sh HISTORY
-.Fn SSL_select_next_proto
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
-.Pp
-.Fn SSL_CTX_set_alpn_protos ,
-.Fn SSL_set_alpn_protos ,
-.Fn SSL_CTX_set_alpn_select_cb ,
-and
-.Fn SSL_get0_alpn_selected
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 5.7 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_store.3 b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
deleted file mode 100644
index b23e3c4a12..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_cert_store.3
+++ /dev/null
@@ -1,130 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_cert_store.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2002, 2005 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_SET_CERT_STORE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_cert_store ,
-.Nm SSL_CTX_get_cert_store
-.Nd manipulate X509 certificate verification storage
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_set_cert_store "SSL_CTX *ctx" "X509_STORE *store"
-.Ft X509_STORE *
-.Fn SSL_CTX_get_cert_store "const SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_cert_store
-sets the verification storage of
-.Fa ctx
-to or replaces it with
-.Fa store .
-If another
-.Vt X509_STORE
-object is currently set in
-.Fa ctx ,
-it will be freed.
-.Pp
-.Fn SSL_CTX_get_cert_store
-returns a pointer to the current certificate verification storage.
-.Pp
-In order to verify the certificates presented by the peer, trusted CA
-certificates must be accessed.
-These CA certificates are made available via lookup methods, handled inside the
-.Vt X509_STORE .
-From the
-.Vt X509_STORE
-the
-.Vt X509_STORE_CTX
-used when verifying certificates is created.
-.Pp
-Typically the trusted certificate store is handled indirectly via using
-.Xr SSL_CTX_load_verify_locations 3 .
-Using the
-.Fn SSL_CTX_set_cert_store
-and
-.Fn SSL_CTX_get_cert_store
-functions it is possible to manipulate the
-.Vt X509_STORE
-object beyond the
-.Xr SSL_CTX_load_verify_locations 3
-call.
-.Pp
-Currently no detailed documentation on how to use the
-.Vt X509_STORE
-object is available.
-Not all members of the
-.Vt X509_STORE
-are used when the verification takes place.
-So will, for example, the
-.Fn verify_callback
-be overridden with the
-.Fn verify_callback
-set via the
-.Xr SSL_CTX_set_verify 3
-family of functions.
-This document must therefore be updated when documentation about the
-.Vt X509_STORE
-object and its handling becomes available.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_cert_store
-returns the current setting.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr X509_STORE_new 3
-.Sh HISTORY
-.Fn SSL_CTX_set_cert_store
-and
-.Fn SSL_CTX_get_cert_store
-first appeared in SSLeay 0.8.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 b/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
deleted file mode 100644
index 0e12b48c78..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.5 2019/06/08 15:25:43 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2002 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. 
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 8 2019 $
-.Dt SSL_CTX_SET_CERT_VERIFY_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_cert_verify_callback
-.Nd set peer certificate verification procedure
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_cert_verify_callback
-.Fa "SSL_CTX *ctx"
-.Fa "int (*callback)(X509_STORE_CTX *, void *)"
-.Fa "void *arg"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_cert_verify_callback
-sets the verification callback function for
-.Fa ctx .
-.Vt SSL
-objects that are created from
-.Fa ctx
-inherit the setting valid at the time when
-.Xr SSL_new 3
-is called.
-.Pp
-Whenever a certificate is verified during a SSL/TLS handshake,
-a verification function is called.
-If the application does not explicitly specify a verification callback
-function, the built-in verification function is used.
-If a verification callback
-.Fa callback
-is specified via
-.Fn SSL_CTX_set_cert_verify_callback ,
-the supplied callback function is called instead.
-By setting
-.Fa callback
-to
-.Dv NULL ,
-the default behaviour is restored.
-.Pp
-When the verification must be performed,
-.Fa callback
-will be called with the arguments
-.Fn callback "X509_STORE_CTX *x509_store_ctx" "void *arg" .
-The argument
-.Fa arg
-is specified by the application when setting
-.Fa callback .
-.Pp
-.Fa callback
-should return 1 to indicate verification success and 0 to indicate verification
-failure.
-If
-.Dv SSL_VERIFY_PEER
-is set and
-.Fa callback
-returns 0, the handshake will fail.
-As the verification procedure may allow the connection to continue in case of
-failure (by always returning 1) the verification result must be set in any case
-using the
-.Fa error
-member of
-.Fa x509_store_ctx
-so that the calling application will be informed about the detailed result of
-the verification procedure!
-.Pp
-Within
-.Fa x509_store_ctx ,
-.Fa callback
-has access to the
-.Fa verify_callback
-function set using
-.Xr SSL_CTX_set_verify 3 .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr SSL_get_verify_result 3
-.Sh HISTORY
-.Fn SSL_CTX_set_cert_verify_callback
-first appeared in SSLeay 0.6.1 and has been available since
-.Ox 2.4 .
-.Pp
-Previous to OpenSSL 0.9.7, the
-.Fa arg
-argument to
-.Fn SSL_CTX_set_cert_verify_callback
-was ignored, and
-.Fa callback
-was called
-simply as
-.Ft int
-.Fn (*callback) "X509_STORE_CTX *" .
-To compile software written for previous versions of OpenSSL,
-a dummy argument will have to be added to
-.Fa callback .
-.Sh CAVEATS
-Do not mix the verification callback described in this function with the
-.Fa verify_callback
-function called during the verification process.
-The latter is set using the
-.Xr SSL_CTX_set_verify 3
-family of functions.
-.Pp
-Providing a complete verification procedure including certificate purpose
-settings, etc., is a complex task.
-The built-in procedure is quite powerful and in most cases it should be
-sufficient to modify its behaviour using the
-.Fa verify_callback
-function.
-.Sh BUGS
-.Fn SSL_CTX_set_cert_verify_callback
-does not provide diagnostic information.
diff --git a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
deleted file mode 100644
index 9d24e00880..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ /dev/null
@@ -1,391 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.16 2022/12/11 20:53:27 tb Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file is a derived work.
-.\" The changes are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2018, 2020 Ingo Schwarze
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" The original file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2013 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. 
(http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 11 2022 $
-.Dt SSL_CTX_SET_CIPHER_LIST 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_cipher_list ,
-.Nm SSL_set_cipher_list
-.Nd choose list of available SSL_CIPHERs
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_set_cipher_list "SSL_CTX *ctx" "const char *control"
-.Ft int
-.Fn SSL_set_cipher_list "SSL *ssl" "const char *control"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_cipher_list
-sets the list of available cipher suites for
-.Fa ctx
-using the
-.Fa control
-string.
-The list of cipher suites is inherited by all
-.Fa ssl
-objects created from
-.Fa ctx .
-.Pp
-.Fn SSL_set_cipher_list
-sets the list of cipher suites only for
-.Fa ssl .
-.Pp
-The control string consists of one or more control words
-separated by colon characters
-.Pq Ql \&: .
-Space
-.Pq Ql \ \& ,
-semicolon
-.Pq Ql \&; ,
-and comma
-.Pq Ql \&,
-characters can also be used as separators.
-Each control words selects a set of cipher suites
-and can take one of the following optional prefix characters:
-.Bl -tag -width Ds
-.It \&No prefix:
-Those of the selected cipher suites that have not been made available
-yet are added to the end of the list of available cipher suites,
-preserving their order.
-.It Prefixed minus sign Pq Ql \- :
-Those of the selected cipher suites that have been made available
-earlier are moved back from the list of available cipher suites to
-the beginning of the list of unavailable cipher suites,
-also preserving their order.
-.It Prefixed plus sign Pq Ql + :
-Those of the selected cipher suites have been made available earlier
-are moved to end of the list of available cipher suites, reducing
-their priority, but preserving the order among themselves.
-.It Prefixed exclamation mark Pq Ql \&! :
-The selected cipher suites are permanently deleted, no matter whether
-they had earlier been made available or not, and can no longer
-be added or re-added by later words.
-.El
-.Pp
-The following special words can only be used without a prefix:
-.Bl -tag -width Ds
-.It Cm DEFAULT
-An alias for
-.Sm off
-.Cm ALL No :! Cm aNULL No :! Cm eNULL .
-.Sm on
-It can only be used as the first word.
-The
-.Cm DEFAULT
-cipher list can be displayed with the
-.Xr openssl 1
-.Cm ciphers
-command.
-.It Cm @SECLEVEL=n
-Set the security level to n, which should be a number between
-zero and five.
-See
-.Xr SSL_CTX_set_security_level 3
-for details.
-.It Cm @STRENGTH
-Sort the list by decreasing encryption strength,
-preserving the order of cipher suites that have the same strength.
-It is usually given as the last word.
-.El
-.Pp
-The following words can be used to select groups of cipher suites,
-with or without a prefix character.
-If two or more of these words are joined with plus signs
-.Pq Ql +
-to form a longer word, only the intersection of the specified sets
-is selected.
-.Bl -tag -width Ds
-.It Cm ADH
-Cipher suites using ephemeral DH for key exchange
-without doing any server authentication.
-Equivalent to
-.Cm DH Ns + Ns Cm aNULL .
-.It Cm AEAD
-Cipher suites using Authenticated Encryption with Additional Data.
-.It Cm AECDH
-Cipher suites using ephemeral ECDH for key exchange
-without doing any server authentication.
-Equivalent to
-.Cm ECDH Ns + Ns Cm aNULL .
-.It Cm aECDSA
-Cipher suites using ECDSA server authentication.
-.It Cm AES
-Cipher suites using AES or AESGCM for symmetric encryption.
-.It Cm AES128
-Cipher suites using AES(128) or AESGCM(128) for symmetric encryption.
-.It Cm AES256
-Cipher suites using AES(256) or AESGCM(256) for symmetric encryption.
-.It Cm AESGCM
-Cipher suites using AESGCM for symmetric encryption.
-.It Cm aGOST
-An alias for
-.Cm aGOST01 .
-.It Cm aGOST01
-Cipher suites using GOST R 34.10-2001 server authentication.
-.It Cm ALL
-All cipher suites except those selected by
-.Cm eNULL .
-.It Cm aNULL
-Cipher suites that don't do any server authentication.
-Not enabled by
-.Cm DEFAULT .
-Beware of man-in-the-middle attacks.
-.It Cm aRSA
-Cipher suites using RSA server authentication.
-.It Cm CAMELLIA
-Cipher suites using Camellia for symmetric encryption.
-.It Cm CAMELLIA128
-Cipher suites using Camellia(128) for symmetric encryption.
-.It Cm CAMELLIA256
-Cipher suites using Camellia(256) for symmetric encryption.
-.It Cm CHACHA20
-Cipher suites using ChaCha20-Poly1305 for symmetric encryption.
-.It Cm COMPLEMENTOFALL
-Cipher suites that are not included in
-.Cm ALL .
-Currently an alias for
-.Cm eNULL .
-.It Cm COMPLEMENTOFDEFAULT
-Cipher suites that are included in
-.Cm ALL ,
-but not included in
-.Cm DEFAULT .
-Currently similar to
-.Cm aNULL Ns :! Ns Cm eNULL
-except for the order of the cipher suites which are
-.Em not
-selected.
-.It Cm 3DES
-Cipher suites using triple DES for symmetric encryption.
-.It Cm DH
-Cipher suites using ephemeral DH for key exchange.
-.It Cm DHE
-Cipher suites using ephemeral DH for key exchange,
-but excluding those that don't do any server authentication.
-Similar to
-.Cm DH Ns :! Ns Cm aNULL
-except for the order of the cipher suites which are
-.Em not
-selected.
-.It Cm ECDH
-Cipher suites using ephemeral ECDH for key exchange.
-.It Cm ECDHE
-Cipher suites using ephemeral ECDH for key exchange,
-but excluding those that don't do any server authentication.
-Similar to
-.Cm ECDH Ns :! Ns Cm aNULL
-except for the order of the cipher suites which are
-.Em not
-selected.
-.It Cm ECDSA
-An alias for
-.Cm aECDSA .
-.It Cm eNULL
-Cipher suites that do not use any encryption.
-Not enabled by
-.Cm DEFAULT ,
-and not even included in
-.Cm ALL .
-.It Cm GOST89MAC
-Cipher suites using GOST 28147-89 for message authentication
-instead of HMAC.
-.It Cm GOST94
-Cipher suites using HMAC based on GOST R 34.11-94
-for message authentication.
-.It Cm HIGH
-Cipher suites of high strength.
-.It Cm kGOST
-Cipher suites using VKO 34.10 key exchange, specified in RFC 4357.
-.It Cm kRSA
-Cipher suites using RSA key exchange.
-.It Cm LOW
-Cipher suites of low strength.
-.It Cm MD5
-Cipher suites using MD5 for message authentication.
-.It Cm MEDIUM
-Cipher suites of medium strength.
-.It Cm NULL
-An alias for
-.Cm eNULL .
-.It Cm RC4
-Cipher suites using RC4 for symmetric encryption.
-.It Cm RSA
-Cipher suites using RSA for both key exchange and server authentication.
-Equivalent to
-.Cm kRSA Ns + Ns Cm aRSA .
-.It Cm SHA
-An alias for
-.Cm SHA1 .
-.It Cm SHA1
-Cipher suites using SHA1 for message authentication.
-.It Cm SHA256
-Cipher suites using SHA256 for message authentication.
-.It Cm SHA384
-Cipher suites using SHA384 for message authentication.
-.It Cm SSLv3
-An alias for
-.Cm TLSv1 .
-.It Cm STREEBOG256
-Cipher suites using STREEBOG256 for message authentication.
-.It Cm TLSv1
-Cipher suites usable with the TLSv1.0, TLSv1.1, and TLSv1.2 protocols.
-.It Cm TLSv1.2
-Cipher suites for the TLSv1.2 protocol.
-.It Cm TLSv1.3
-Cipher suites for the TLSv1.3 protocol.
-If the
-.Fa control
-string selects at least one cipher suite but neither contains the word
-.Cm TLSv1.3
-nor specifically includes nor excludes any TLSv1.3 cipher suites, all the
-.Cm TLSv1.3
-cipher suites are made available, too.
-.El
-.Pp
-The full words returned by the
-.Xr openssl 1
-.Cm ciphers
-command can be used to select individual cipher suites.
-.Pp
-The following words do not match anything because
-LibreSSL no longer provides any such cipher suites:
-.Pp
-.Bl -tag -width Ds -compact
-.It Cm DES
-Cipher suites using single DES for symmetric encryption.
-.It Cm DSS
-Cipher suites using DSS server authentication.
-.It Cm IDEA
-Cipher suites using IDEA for symmetric encryption.
-.El
-.Pp
-The following are deprecated aliases:
-.Pp
-.Bl -column kEECDH ECDHE -compact -offset indent
-.It avoid: Ta use:
-.It Cm EDH Ta Cm DHE
-.It Cm EECDH Ta Cm ECDHE
-.It Cm kEDH Ta Cm DH
-.It Cm kEECDH Ta Cm ECDH
-.El
-.Pp
-Unknown words are silently ignored, selecting no cipher suites.
-Failure is only flagged if the
-.Fa control
-string contains invalid bytes
-or if no matching cipher suites are available at all.
-.Pp
-On the client side, including a cipher suite into the list of
-available cipher suites is sufficient for using it.
-On the server side, all cipher suites have additional requirements.
-ADH ciphers don't need a certificate, but DH-parameters must have been set.
-All other cipher suites need a corresponding certificate and key.
-.Pp
-A RSA cipher can only be chosen when an RSA certificate is available.
-RSA ciphers using DHE need a certificate and key and additional DH-parameters
-(see
-.Xr SSL_CTX_set_tmp_dh_callback 3 ) .
-.Pp
-A DSA cipher can only be chosen when a DSA certificate is available.
-DSA ciphers always use DH key exchange and therefore need DH-parameters (see
-.Xr SSL_CTX_set_tmp_dh_callback 3 ) .
-.Pp
-When these conditions are not met
-for any cipher suite in the list (for example, a
-client only supports export RSA ciphers with an asymmetric key length of 512
-bits and the server is not configured to use temporary RSA keys), the
-.Dq no shared cipher
-.Pq Dv SSL_R_NO_SHARED_CIPHER
-error is generated and the handshake will fail.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_cipher_list
-and
-.Fn SSL_set_cipher_list
-return 1 if any cipher suite could be selected and 0 on complete failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set1_groups 3 ,
-.Xr SSL_CTX_set_tmp_dh_callback 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr SSL_get_ciphers 3
-.Sh HISTORY
-.Fn SSL_CTX_set_cipher_list
-and
-.Fn SSL_set_cipher_list
-first appeared in SSLeay 0.5.2 and have been available since
-.Ox 2.4 .
-.Sh CAVEATS
-In LibreSSL,
-.Fn SSL_CTX_set_cipher_list
-and
-.Fn SSL_set_cipher_list
-can be used to configure the list of available cipher suites for
-all versions of the TLS protocol, whereas in OpenSSL, they only
-control cipher suites for protocols up to TLSv1.2.
-If compatibility with OpenSSL is required, the list of
-available TLSv1.3 cipher suites can only be changed with
-.Fn SSL_set_ciphersuites .
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3 b/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
deleted file mode 100644
index d19fb93ed0..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
+++ /dev/null
@@ -1,183 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2013 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. 
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 30 2020 $
-.Dt SSL_CTX_SET_CLIENT_CA_LIST 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_client_CA_list ,
-.Nm SSL_set_client_CA_list ,
-.Nm SSL_CTX_add_client_CA ,
-.Nm SSL_add_client_CA
-.Nd set list of CAs sent to the client when requesting a client certificate
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_set_client_CA_list "SSL_CTX *ctx" "STACK_OF(X509_NAME) *list"
-.Ft void
-.Fn SSL_set_client_CA_list "SSL *s" "STACK_OF(X509_NAME) *list"
-.Ft int
-.Fn SSL_CTX_add_client_CA "SSL_CTX *ctx" "X509 *cacert"
-.Ft int
-.Fn SSL_add_client_CA "SSL *ssl" "X509 *cacert"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_client_CA_list
-sets the
-.Fa list
-of CAs sent to the client when requesting a client certificate for
-.Fa ctx .
-.Pp
-.Fn SSL_set_client_CA_list
-sets the
-.Fa list
-of CAs sent to the client when requesting a client certificate for the chosen
-.Fa ssl ,
-overriding the setting valid for
-.Fa ssl Ns 's
-.Vt SSL_CTX
-object.
-.Pp
-.Fn SSL_CTX_add_client_CA
-adds the CA name extracted from
-.Fa cacert
-to the list of CAs sent to the client when requesting a client certificate for
-.Fa ctx .
-.Pp
-.Fn SSL_add_client_CA
-adds the CA name extracted from
-.Fa cacert
-to the list of CAs sent to the client when requesting a client certificate for
-the chosen
-.Fa ssl ,
-overriding the setting valid for
-.Fa ssl Ns 's
-.Va SSL_CTX
-object.
-.Pp
-When a TLS/SSL server requests a client certificate (see
-.Fn SSL_CTX_set_verify ) ,
-it sends a list of CAs for which it will accept certificates to the client.
-.Pp
-This list must explicitly be set using
-.Fn SSL_CTX_set_client_CA_list
-for
-.Fa ctx
-and
-.Fn SSL_set_client_CA_list
-for the specific
-.Fa ssl .
-The list specified overrides the previous setting.
-The CAs listed do not become trusted
-.Po
-.Fa list
-only contains the names, not the complete certificates
-.Pc ;
-use
-.Xr SSL_CTX_load_verify_locations 3
-to additionally load them for verification.
-.Pp
-If the list of acceptable CAs is compiled in a file, the
-.Xr SSL_load_client_CA_file 3
-function can be used to help importing the necessary data.
-.Pp
-.Fn SSL_CTX_add_client_CA
-and
-.Fn SSL_add_client_CA
-can be used to add additional items the list of client CAs.
-If no list was specified before using
-.Fn SSL_CTX_set_client_CA_list
-or
-.Fn SSL_set_client_CA_list ,
-a new client CA list for
-.Fa ctx
-or
-.Fa ssl
-(as appropriate) is opened.
-.Pp
-These functions are only useful for TLS/SSL servers.
-.Sh RETURN VALUES
-.Fn SSL_CTX_add_client_CA
-and
-.Fn SSL_add_client_CA
-have the following return values:
-.Bl -tag -width Ds
-.It 0
-A failure while manipulating the
-.Dv STACK_OF Ns
-.Pq Vt X509_NAME
-object occurred or the
-.Vt X509_NAME
-could not be extracted from
-.Fa cacert .
-Check the error stack to find out the reason.
-.It 1
-The operation succeeded.
-.El
-.Sh EXAMPLES
-Scan all certificates in
-.Fa CAfile
-and list them as acceptable CAs:
-.Bd -literal
-SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_get_client_CA_list 3 ,
-.Xr SSL_load_client_CA_file 3 ,
-.Xr X509_NAME_new 3
-.Sh HISTORY
-.Fn SSL_CTX_set_client_CA_list ,
-.Fn SSL_set_client_CA_list ,
-.Fn SSL_CTX_add_client_CA ,
-and
-.Fn SSL_add_client_CA
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 b/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
deleted file mode 100644
index a2433b5e92..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
+++ /dev/null
@@ -1,191 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2002 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_SET_CLIENT_CERT_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_client_cert_cb ,
-.Nm SSL_CTX_get_client_cert_cb
-.Nd handle client certificate callback function
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_client_cert_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)"
-.Fc
-.Ft int
-.Fo "(*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))"
-.Fa "SSL *ssl" "X509 **x509" "EVP_PKEY **pkey"
-.Fc
-.Ft int
-.Fn "(*client_cert_cb)" "SSL *ssl" "X509 **x509" "EVP_PKEY **pkey"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_client_cert_cb
-sets the
-.Fa client_cert_cb()
-callback that is called when a client certificate is requested by a server and
-no certificate was yet set for the SSL object.
-.Pp
-When
-.Fa client_cert_cb
-is
-.Dv NULL ,
-no callback function is used.
-.Pp
-.Fn SSL_CTX_get_client_cert_cb
-returns a pointer to the currently set callback function.
-.Pp
-.Fn client_cert_cb
-is the application-defined callback.
-If it wants to set a certificate,
-a certificate/private key combination must be set using the
-.Fa x509
-and
-.Fa pkey
-arguments and 1 must be returned.
-The certificate will be installed into
-.Fa ssl .
-If no certificate should be set,
-0 has to be returned and no certificate will be sent.
-A negative return value will suspend the handshake and the handshake function
-will return immediately.
-.Xr SSL_get_error 3
-will return
-.Dv SSL_ERROR_WANT_X509_LOOKUP
-to indicate that the handshake was suspended.
-The next call to the handshake function will again lead to the call of
-.Fa client_cert_cb() .
-It is the job of the
-.Fa client_cert_cb()
-to store information
-about the state of the last call, if required to continue.
-.Pp
-During a handshake (or renegotiation)
-a server may request a certificate from the client.
-A client certificate must only be sent when the server did send the request.
-.Pp
-When a certificate has been set using the
-.Xr SSL_CTX_use_certificate 3
-family of functions,
-it will be sent to the server.
-The TLS standard requires that only a certificate is sent if it matches the
-list of acceptable CAs sent by the server.
-This constraint is violated by the default behavior of the OpenSSL library.
-Using the callback function it is possible to implement a proper selection
-routine or to allow a user interaction to choose the certificate to be sent.
-.Pp
-If a callback function is defined and no certificate was yet defined for the
-.Vt SSL
-object, the callback function will be called.
-If the callback function returns a certificate, the OpenSSL library
-will try to load the private key and certificate data into the
-.Vt SSL
-object using the
-.Fn SSL_use_certificate
-and
-.Fn SSL_use_private_key
-functions.
-Thus it will permanently install the certificate and key for this SSL object.
-It will not be reset by calling
-.Xr SSL_clear 3 .
-If the callback returns no certificate, the OpenSSL library will not send a
-certificate.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_get_client_CA_list 3
-.Sh HISTORY
-.Fn SSL_CTX_set_client_cert_cb
-and
-.Fn SSL_CTX_get_client_cert_cb
-first appeared in SSLeay 0.6.6 and have been available since
-.Ox 2.4 .
-.Sh BUGS
-The
-.Fa client_cert_cb()
-cannot return a complete certificate chain;
-it can only return one client certificate.
-If the chain only has a length of 2,
-the root CA certificate may be omitted according to the TLS standard and
-thus a standard conforming answer can be sent to the server.
-For a longer chain, the client must send the complete chain
-(with the option to leave out the root CA certificate).
-This can be accomplished only by either adding the intermediate CA certificates
-into the trusted certificate store for the
-.Vt SSL_CTX
-object (resulting in having to add CA certificates that otherwise maybe would
-not be trusted), or by adding the chain certificates using the
-.Xr SSL_CTX_add_extra_chain_cert 3
-function, which is only available for the
-.Vt SSL_CTX
-object as a whole and that therefore probably can only apply for one client
-certificate, making the concept of the callback function
-(to allow the choice from several certificates) questionable.
-.Pp
-Once the
-.Vt SSL
-object has been used in conjunction with the callback function,
-the certificate will be set for the
-.Vt SSL
-object and will not be cleared even when
-.Xr SSL_clear 3
-is called.
-It is therefore
-.Em mandatory
-to destroy the
-.Vt SSL
-object using
-.Xr SSL_free 3
-and create a new one to return to the previous state.
diff --git a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 b/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
deleted file mode 100644
index 7ab9633f5c..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
+++ /dev/null
@@ -1,171 +0,0 @@ -.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.7 2018/04/02 02:06:14 schwarze Exp $ -.\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 -.\" selective merge up to: OpenSSL 2947af32 Nov 19 00:10:05 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke -.\" and Christian Heimes . -.\" Copyright (c) 2000, 2001, 2016 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: April 2 2018 $ -.Dt SSL_CTX_SET_DEFAULT_PASSWD_CB 3 -.Os -.Sh NAME -.Nm SSL_CTX_set_default_passwd_cb , -.Nm SSL_CTX_set_default_passwd_cb_userdata , -.Nm SSL_CTX_get_default_passwd_cb , -.Nm SSL_CTX_get_default_passwd_cb_userdata , -.Nm pem_password_cb -.Nd set or get passwd callback for encrypted PEM file handling -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft void -.Fn SSL_CTX_set_default_passwd_cb "SSL_CTX *ctx" "pem_password_cb *cb" -.Ft void -.Fn SSL_CTX_set_default_passwd_cb_userdata "SSL_CTX *ctx" "void *u" -.Ft pem_password_cb * -.Fn SSL_CTX_get_default_passwd_cb "SSL_CTX *ctx" -.Ft void * -.Fn SSL_CTX_get_default_passwd_cb_userdata "SSL_CTX *ctx" -.In openssl/pem.h -.Ft typedef int -.Fn pem_password_cb "char *buf" "int size" "int rwflag" "void *userdata" -.Sh DESCRIPTION -.Fn SSL_CTX_set_default_passwd_cb -sets the default password callback called when loading/storing a PEM -certificate with encryption. 
-.Pp -.Fn SSL_CTX_set_default_passwd_cb_userdata -sets a pointer to userdata -.Fa u -which will be provided to the password callback on invocation. -.Pp -The -password callback -.Fa cb , -which must be provided by the application, -hands back the password to be used during decryption. -On invocation a pointer to -.Fa userdata -is provided. -The password callback must write the password into the provided buffer -.Fa buf -which is of size -.Fa size . -The actual length of the password must be returned to the calling function. -.Fa rwflag -indicates whether the callback is used for reading/decryption -.Pq Fa rwflag No = 0 -or writing/encryption -.Pq Fa rwflag No = 1 . -.Pp -When loading or storing private keys, a password might be supplied to protect -the private key. -The way this password can be supplied may depend on the application. -If only one private key is handled, it can be practical to have the -callback handle the password dialog interactively. -If several keys have to be handled, it can be practical to ask for the password -once, then keep it in memory and use it several times. -In the last case, the password could be stored into the -.Fa userdata -storage and the callback only returns the password already stored. -.Pp -When asking for the password interactively, the callback can use -.Fa rwflag -to check whether an item shall be encrypted -.Pq Fa rwflag No = 1 . -In this case the password dialog may ask for the same password twice for -comparison in order to catch typos which would make decryption impossible. -.Pp -Other items in PEM formatting (certificates) can also be encrypted; it is -however atypical, as certificate information is considered public. -.Sh RETURN VALUES -.Fn SSL_CTX_get_default_passwd_cb -returns a function pointer to the password callback currently set in -.Fa ctx , -or -.Dv NULL -if none is set. 
-.Pp -.Fn SSL_CTX_get_default_passwd_cb_userdata -returns a pointer to the userdata currently set in -.Fa ctx , -or -.Dv NULL -if none is set. -.Sh EXAMPLES -The following example returns the password provided as -.Fa userdata -to the calling function. -The password is considered to be a -.Sq \e0 -terminated string. -If the password does not fit into the buffer, the password is truncated. -.Bd -literal -int pem_passwd_cb(char *buf, int size, int rwflag, void *password) -{ - strncpy(buf, (char *)password, size); - buf[size - 1] = '\e0'; - return strlen(buf); -} -.Ed -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_use_certificate 3 -.Sh HISTORY -.Fn SSL_CTX_set_default_passwd_cb -first appeared in SSLeay 0.6.2 and has been available since -.Ox 2.4 . -.Pp -.Fn SSL_CTX_set_default_passwd_cb_userdata -first appeared in OpenSSL 0.9.4 and has been available since -.Ox 2.6 . -.Pp -.Fn SSL_CTX_get_default_passwd_cb -and -.Fn SSL_CTX_get_default_passwd_cb_userdata -first appeared in OpenSSL 1.1.0 and have been available since -.Ox 6.3 . diff --git a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 deleted file mode 100644 index d85383d776..0000000000 --- a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 +++ /dev/null 
@@ -1,221 +0,0 @@ -.\" $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.5 2018/03/22 21:09:18 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001, 2014 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 22 2018 $ -.Dt SSL_CTX_SET_GENERATE_SESSION_ID 3 -.Os -.Sh NAME -.Nm SSL_CTX_set_generate_session_id , -.Nm SSL_set_generate_session_id , -.Nm SSL_has_matching_session_id , -.Nm GEN_SESSION_CB -.Nd manipulate generation of SSL session IDs (server only) -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft typedef int -.Fo (*GEN_SESSION_CB) -.Fa "const SSL *ssl" -.Fa "unsigned char *id" -.Fa "unsigned int *id_len" -.Fc -.Ft int -.Fn SSL_CTX_set_generate_session_id "SSL_CTX *ctx" "GEN_SESSION_CB cb" -.Ft int -.Fn SSL_set_generate_session_id "SSL *ssl" "GEN_SESSION_CB cb" -.Ft int -.Fo SSL_has_matching_session_id -.Fa "const SSL *ssl" "const unsigned char *id" "unsigned int id_len" -.Fc -.Sh DESCRIPTION -.Fn SSL_CTX_set_generate_session_id -sets the callback function for generating new session ids for SSL/TLS sessions -for -.Fa ctx -to be -.Fa cb . 
-.Pp -.Fn SSL_set_generate_session_id -sets the callback function for generating new session ids for SSL/TLS sessions -for -.Fa ssl -to be -.Fa cb . -.Pp -.Fn SSL_has_matching_session_id -checks, whether a session with id -.Fa id -(of length -.Fa id_len ) -is already contained in the internal session cache -of the parent context of -.Fa ssl . -.Pp -When a new session is established between client and server, -the server generates a session id. -The session id is an arbitrary sequence of bytes. -The length of the session id is between 1 and 32 bytes. -The session id is not security critical but must be unique for the server. -Additionally, the session id is transmitted in the clear when reusing the -session so it must not contain sensitive information. -.Pp -Without a callback being set, an OpenSSL server will generate a unique session -id from pseudo random numbers of the maximum possible length. -Using the callback function, the session id can be changed to contain -additional information like, e.g., a host id in order to improve load balancing -or external caching techniques. -.Pp -The callback function receives a pointer to the memory location to put -.Fa id -into and a pointer to the maximum allowed length -.Fa id_len . -The buffer at location -.Fa id -is only guaranteed to have the size -.Fa id_len . -The callback is only allowed to generate a shorter id and reduce -.Fa id_len ; -the callback -.Em must never -increase -.Fa id_len -or write to the location -.Fa id -exceeding the given limit. -.Pp -The location -.Fa id -is filled with 0x00 before the callback is called, -so the callback may only fill part of the possible length and leave -.Fa id_len -untouched while maintaining reproducibility. -.Pp -Since the sessions must be distinguished, session ids must be unique. -Without the callback a random number is used, -so that the probability of generating the same session id is extremely small -(2^256 for TLSv1). 
-In order to ensure the uniqueness of the generated session id, -the callback must call -.Fn SSL_has_matching_session_id -and generate another id if a conflict occurs. -If an id conflict is not resolved, the handshake will fail. -If the application codes, e.g., a unique host id, a unique process number, and -a unique sequence number into the session id, uniqueness could easily be -achieved without randomness added (it should however be taken care that -no confidential information is leaked this way). -If the application cannot guarantee uniqueness, -it is recommended to use the maximum -.Fa id_len -and fill in the bytes not used to code special information with random data to -avoid collisions. -.Pp -.Fn SSL_has_matching_session_id -will only query the internal session cache, not the external one. -Since the session id is generated before the handshake is completed, -it is not immediately added to the cache. -If another thread is using the same internal session cache, -a race condition can occur in that another thread generates the same session id. -Collisions can also occur when using an external session cache, -since the external cache is not tested with -.Fn SSL_has_matching_session_id -and the same race condition applies. -.Pp -The callback must return 0 if it cannot generate a session id for whatever -reason and return 1 on success. -.Sh RETURN VALUES -.Fn SSL_CTX_set_generate_session_id -and -.Fn SSL_set_generate_session_id -always return 1. -.Pp -.Fn SSL_has_matching_session_id -returns 1 if another session with the same id is already in the cache. 
-.Sh EXAMPLES -The callback function listed will generate a session id with the server id -given, and will fill the rest with pseudo random bytes: -.Bd -literal -const char session_id_prefix = "www-18"; - -#define MAX_SESSION_ID_ATTEMPTS 10 -static int -generate_session_id(const SSL *ssl, unsigned char *id, - unsigned int *id_len) -{ - unsigned int count = 0; - - do { - RAND_pseudo_bytes(id, *id_len); - /* - * Prefix the session_id with the required prefix. NB: If - * our prefix is too long, clip it \(en but there will be - * worse effects anyway, e.g., the server could only - * possibly create one session ID (the prefix!) so all - * future session negotiations will fail due to conflicts. - */ - memcpy(id, session_id_prefix, - (strlen(session_id_prefix) < *id_len) ? - strlen(session_id_prefix) : *id_len); - } while (SSL_has_matching_session_id(ssl, id, *id_len) && - (++count < MAX_SESSION_ID_ATTEMPTS)); - - if (count >= MAX_SESSION_ID_ATTEMPTS) - return 0; - return 1; -} -.Ed -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_get_version 3 -.Sh HISTORY -.Fn SSL_CTX_set_generate_session_id , -.Fn SSL_set_generate_session_id -and -.Fn SSL_has_matching_session_id -first appeared in OpenSSL 0.9.7 and have been available since -.Ox 3.2 . diff --git a/src/lib/libssl/man/SSL_CTX_set_info_callback.3 b/src/lib/libssl/man/SSL_CTX_set_info_callback.3 deleted file mode 100644 index 76eb8bee61..0000000000 --- a/src/lib/libssl/man/SSL_CTX_set_info_callback.3 +++ /dev/null 
@@ -1,233 +0,0 @@ -.\" $OpenBSD: SSL_CTX_set_info_callback.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001, 2005, 2014 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. 
-.\" -.Dd $Mdocdate: March 27 2018 $ -.Dt SSL_CTX_SET_INFO_CALLBACK 3 -.Os -.Sh NAME -.Nm SSL_CTX_set_info_callback , -.Nm SSL_CTX_get_info_callback , -.Nm SSL_set_info_callback , -.Nm SSL_get_info_callback -.Nd handle information callback for SSL connections -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft void -.Fo SSL_CTX_set_info_callback -.Fa "SSL_CTX *ctx" -.Fa "void (*callback)(const SSL *ssl, int where, int ret)" -.Fc -.Ft void -.Fo "(*SSL_CTX_get_info_callback(const SSL_CTX *ctx))" -.Fa "const SSL *ssl" -.Fa "int where" -.Fa "int ret" -.Fc -.Ft void -.Fo SSL_set_info_callback -.Fa "SSL *ssl" -.Fa "void (*callback)(const SSL *ssl, int where, int ret)" -.Fc -.Ft void -.Fo "(*SSL_get_info_callback(const SSL *ssl))" -.Fa "const SSL *ssl" -.Fa "int where" -.Fa "int ret" -.Fc -.Sh DESCRIPTION -.Fn SSL_CTX_set_info_callback -sets the -.Fa callback -function that can be used to obtain state information for SSL objects created -from -.Fa ctx -during connection setup and use. -The setting for -.Fa ctx -is overridden from the setting for a specific SSL object, if specified. -When -.Fa callback -is -.Dv NULL , -no callback function is used. -.Pp -.Fn SSL_set_info_callback -sets the -.Fa callback -function that can be used to -obtain state information for -.Fa ssl -during connection setup and use. -When -.Fa callback -is -.Dv NULL , -the callback setting currently valid for -.Fa ctx -is used. -.Pp -.Fn SSL_CTX_get_info_callback -returns a pointer to the currently set information callback function for -.Fa ctx . -.Pp -.Fn SSL_get_info_callback -returns a pointer to the currently set information callback function for -.Fa ssl . -.Pp -When setting up a connection and during use, -it is possible to obtain state information from the SSL/TLS engine. -When set, an information callback function is called whenever the state changes, -an alert appears, or an error occurs. -.Pp -The callback function is called as -.Fn callback "SSL *ssl" "int where" "int ret" . 
-The -.Fa where -argument specifies information about where (in which context) -the callback function was called. -If -.Fa ret -is 0, an error condition occurred. -If an alert is handled, -.Dv SSL_CB_ALERT -is set and -.Fa ret -specifies the alert information. -.Pp -.Fa where -is a bitmask made up of the following bits: -.Bl -tag -width Ds -.It Dv SSL_CB_LOOP -Callback has been called to indicate state change inside a loop. -.It Dv SSL_CB_EXIT -Callback has been called to indicate error exit of a handshake function. -(May be soft error with retry option for non-blocking setups.) -.It Dv SSL_CB_READ -Callback has been called during read operation. -.It Dv SSL_CB_WRITE -Callback has been called during write operation. -.It Dv SSL_CB_ALERT -Callback has been called due to an alert being sent or received. -.It Dv SSL_CB_READ_ALERT -.It Dv SSL_CB_WRITE_ALERT -.It Dv SSL_CB_ACCEPT_LOOP -.It Dv SSL_CB_ACCEPT_EXIT -.It Dv SSL_CB_CONNECT_LOOP -.It Dv SSL_CB_CONNECT_EXIT -.It Dv SSL_CB_HANDSHAKE_START -Callback has been called because a new handshake is started. -.It Dv SSL_CB_HANDSHAKE_DONE -Callback has been called because a handshake is finished. -.El -.Pp -The current state information can be obtained using the -.Xr SSL_state_string 3 -family of functions. -.Pp -The -.Fa ret -information can be evaluated using the -.Xr SSL_alert_type_string 3 -family of functions. -.Sh RETURN VALUES -.Fn SSL_CTX_get_info_callback -and -.Fn SSL_get_info_callback -return a pointer to the current callback or -.Dv NULL -if none is set. -.Sh EXAMPLES -The following example callback function prints state strings, -information about alerts being handled and error messages to the -.Va bio_err -.Vt BIO . 
-.Bd -literal -void -apps_ssl_info_callback(SSL *s, int where, int ret) -{ - const char *str; - int w; - - w = where & ~SSL_ST_MASK; - - if (w & SSL_ST_CONNECT) - str = "SSL_connect"; - else if (w & SSL_ST_ACCEPT) - str = "SSL_accept"; - else - str = "undefined"; - - if (where & SSL_CB_LOOP) { - BIO_printf(bio_err, "%s:%s\en", str, - SSL_state_string_long(s)); - } else if (where & SSL_CB_ALERT) { - str = (where & SSL_CB_READ) ? "read" : "write"; - BIO_printf(bio_err, "SSL3 alert %s:%s:%s\en", str, - SSL_alert_type_string_long(ret), - SSL_alert_desc_string_long(ret)); - } else if (where & SSL_CB_EXIT) { - if (ret == 0) - BIO_printf(bio_err, "%s:failed in %s\en", - str, SSL_state_string_long(s)); - else if (ret < 0) { - BIO_printf(bio_err, "%s:error in %s\en", - str, SSL_state_string_long(s)); - } - } -} -.Ed -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_alert_type_string 3 , -.Xr SSL_state_string 3 -.Sh HISTORY -These functions first appeared in SSLeay 0.6.0 -and have been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 deleted file mode 100644 index 04c94fa83e..0000000000 --- a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 +++ /dev/null 
@@ -1,56 +0,0 @@ -.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.2 2021/10/23 13:17:03 schwarze Exp $ -.\" OpenSSL pod checked up to: 61f805c1 Jan 16 01:01:46 2018 +0800 -.\" -.\" Copyright (c) 2021 Bob Beck -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: October 23 2021 $ -.Dt SSL_CTX_SET_KEYLOG_CALLBACK 3 -.Os -.Sh NAME -.Nm SSL_CTX_set_keylog_callback , -.Nm SSL_CTX_get_keylog_callback -.Nd set and get the unused key logging callback -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft typedef void -.Fo (*SSL_CTX_keylog_cb_func) -.Fa "const SSL *ssl" -.Fa "const char *line" -.Fc -.Ft void -.Fn SSL_CTX_set_keylog_callback "SSL_CTX *ctx" "SSL_CTX_keylog_cb_func cb" -.Ft SSL_CTX_keylog_cb_func -.Fn SSL_CTX_get_keylog_callback "const SSL_CTX *ctx" -.Sh DESCRIPTION -.Fn SSL_CTX_set_keylog_callback -sets the TLS key logging callback. -This callback is never called in LibreSSL. -.Pp -.Fn SSL_CTX_set_keylog_callback -retrieves the previously set TLS key logging callback. -.Pp -These functions are provided only for compatibility with OpenSSL. -.Sh RETURN VALUES -.Fn SSL_CTX_get_keylog_callback -returns the previously set TLS key logging callback, or -.Dv NULL -if no callback has been set. 
-.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_new 3 -.Sh HISTORY -These function first appeared in OpenSSL 1.1.1 -and have been available since -.Ox 7.1 . diff --git a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3 b/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3 deleted file mode 100644 index 89513b1006..0000000000 --- a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3 +++ /dev/null 
@@ -1,154 +0,0 @@ -.\" $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_CTX_SET_MAX_CERT_LIST 3 -.Os -.Sh NAME -.Nm SSL_CTX_set_max_cert_list , -.Nm SSL_CTX_get_max_cert_list , -.Nm SSL_set_max_cert_list , -.Nm SSL_get_max_cert_list -.Nd manipulate allowed size for the peer's certificate chain -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft long -.Fn SSL_CTX_set_max_cert_list "SSL_CTX *ctx" "long size" -.Ft long -.Fn SSL_CTX_get_max_cert_list "SSL_CTX *ctx" -.Ft long -.Fn SSL_set_max_cert_list "SSL *ssl" "long size" -.Ft long -.Fn SSL_get_max_cert_list "SSL *ctx" -.Sh DESCRIPTION -.Fn SSL_CTX_set_max_cert_list -sets the maximum size allowed for the peer's certificate chain for all -.Vt SSL -objects created from -.Fa ctx -to be -.Fa size -bytes. -The -.Vt SSL -objects inherit the setting valid for -.Fa ctx -at the time -.Xr SSL_new 3 -is being called. -.Pp -.Fn SSL_CTX_get_max_cert_list -returns the currently set maximum size for -.Fa ctx . -.Pp -.Fn SSL_set_max_cert_list -sets the maximum size allowed for the peer's certificate chain for -.Fa ssl -to be -.Fa size -bytes. -This setting stays valid until a new value is set. -.Pp -.Fn SSL_get_max_cert_list -returns the currently set maximum size for -.Fa ssl . -.Pp -During the handshake process, the peer may send a certificate chain. -The TLS/SSL standard does not give any maximum size of the certificate chain. -The OpenSSL library handles incoming data by a dynamically allocated buffer. 
-In order to prevent this buffer from growing without bound due to data -received from a faulty or malicious peer, a maximum size for the certificate -chain is set. -.Pp -The default value for the maximum certificate chain size is 100kB (30kB -on the 16bit DOS platform). -This should be sufficient for usual certificate chains -(OpenSSL's default maximum chain length is 10, see -.Xr SSL_CTX_set_verify 3 , -and certificates without special extensions have a typical size of 1-2kB). -.Pp -For special applications it can be necessary to extend the maximum certificate -chain size allowed to be sent by the peer. -See for example the work on -.%T "Internet X.509 Public Key Infrastructure Proxy Certificate Profile" -and -.%T "TLS Delegation Protocol" -at -.Lk https://www.ietf.org/ -and -.Lk http://www.globus.org/ . -.Pp -Under normal conditions it should never be necessary to set a value smaller -than the default, as the buffer is handled dynamically and only uses the -memory actually required by the data sent by the peer. -.Pp -If the maximum certificate chain size allowed is exceeded, the handshake will -fail with a -.Dv SSL_R_EXCESSIVE_MESSAGE_SIZE -error. -.Sh RETURN VALUES -.Fn SSL_CTX_set_max_cert_list -and -.Fn SSL_set_max_cert_list -return the previously set value. -.Pp -.Fn SSL_CTX_get_max_cert_list -and -.Fn SSL_get_max_cert_list -return the currently set value. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_ctrl 3 , -.Xr SSL_CTX_set_verify 3 , -.Xr SSL_new 3 -.Sh HISTORY -These functions first appeared in OpenSSL 0.9.7 -and have been available since -.Ox 3.2 . diff --git a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 deleted file mode 100644 index a2597cda83..0000000000 --- a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 +++ /dev/null 
@@ -1,156 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.5 2021/04/15 16:40:32 tb Exp $
-.\" full merge up to: OpenSSL 3edabd3c Sep 14 09:28:39 2017 +0200
-.\"
-.\" This file was written by Kurt Roeckx and
-.\" Christian Heimes .
-.\" Copyright (c) 2015, 2017 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 15 2021 $
-.Dt SSL_CTX_SET_MIN_PROTO_VERSION 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_min_proto_version ,
-.Nm SSL_CTX_set_max_proto_version ,
-.Nm SSL_CTX_get_min_proto_version ,
-.Nm SSL_CTX_get_max_proto_version ,
-.Nm SSL_set_min_proto_version ,
-.Nm SSL_set_max_proto_version ,
-.Nm SSL_get_min_proto_version ,
-.Nm SSL_get_max_proto_version
-.Nd get and set minimum and maximum supported protocol version
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set_min_proto_version
-.Fa "SSL_CTX *ctx"
-.Fa "uint16_t version"
-.Fc
-.Ft int
-.Fo SSL_CTX_set_max_proto_version
-.Fa "SSL_CTX *ctx"
-.Fa "uint16_t version"
-.Fc
-.Ft int
-.Fo SSL_CTX_get_min_proto_version
-.Fa "SSL_CTX *ctx"
-.Fc
-.Ft int
-.Fo SSL_CTX_get_max_proto_version
-.Fa "SSL_CTX *ctx"
-.Fc
-.Ft int
-.Fo SSL_set_min_proto_version
-.Fa "SSL *ssl"
-.Fa "uint16_t version"
-.Fc
-.Ft int
-.Fo SSL_set_max_proto_version
-.Fa "SSL *ssl"
-.Fa "uint16_t version"
-.Fc
-.Ft int
-.Fo SSL_get_min_proto_version
-.Fa "SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_get_max_proto_version
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-These functions get or set the minimum and maximum supported protocol
-versions for
-.Fa ctx
-or
-.Fa ssl .
-This works in combination with the options set via
-.Xr SSL_CTX_set_options 3
-that also make it possible to disable specific protocol versions.
-Use these functions instead of disabling specific protocol versions.
-.Pp
-Setting the minimum or maximum version to 0 will enable protocol
-versions down to the lowest or up to the highest version supported
-by the library, respectively.
-.Pp
-Currently supported versions are
-.Dv TLS1_VERSION ,
-.Dv TLS1_1_VERSION ,
-and
-.Dv TLS1_2_VERSION
-for TLS and
-.Dv DTLS1_VERSION
-and
-.Dv DTLS1_2_VERSION
-for DTLS.
-.Pp
-In other implementations, these functions may be implemented as macros.
-.Sh RETURN VALUES
-The setter functions return 1 on success or 0 on failure.
-.Pp
-The getter functions return the configured version or 0 if
-.Fa ctx
-or
-.Fa ssl
-has been configured to automatically use the lowest or highest
-version supported by the library.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_set_options 3
-.Sh HISTORY
-The setter functions first appeared in BoringSSL in December 2014,
-with shorter names without the
-.Sy proto_
-part.
-Two years later, OpenSSL included them in their 1.1.0 release,
-gratuitously changing the names; Google shrugged and adopted
-the longer names one month later.
-They have been available since
-.Ox 6.2 .
-.Pp
-The getter functions first appeared in OpenSSL 1.1.0g
-and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_mode.3 b/src/lib/libssl/man/SSL_CTX_set_mode.3
deleted file mode 100644
index fca1a977d0..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_mode.3
+++ /dev/null
@@ -1,204 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.7 2020/10/08 16:02:38 tb Exp $
-.\" full merge up to: OpenSSL 8671b898 Jun 3 02:48:34 2008 +0000
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Lutz Jaenicke and
-.\" Ben Laurie .
-.\" Copyright (c) 2001, 2008 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 8 2020 $
-.Dt SSL_CTX_SET_MODE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_mode ,
-.Nm SSL_set_mode ,
-.Nm SSL_CTX_clear_mode ,
-.Nm SSL_clear_mode ,
-.Nm SSL_CTX_get_mode ,
-.Nm SSL_get_mode
-.Nd manipulate SSL engine mode
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_mode "SSL_CTX *ctx" "long mode"
-.Ft long
-.Fn SSL_set_mode "SSL *ssl" "long mode"
-.Ft long
-.Fn SSL_CTX_clear_mode "SSL_CTX *ctx" "long mode"
-.Ft long
-.Fn SSL_clear_mode "SSL *ssl" "long mode"
-.Ft long
-.Fn SSL_CTX_get_mode "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_get_mode "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_mode
-and
-.Fn SSL_set_mode
-enable the options contained in the bitmask
-.Fa mode
-for the
-.Fa ctx
-or
-.Fa ssl
-object, respectively.
-Options that were already enabled before the call are not disabled.
-.Pp
-.Fn SSL_CTX_clear_mode
-and
-.Fn SSL_clear_mode
-disable the options contained in the bitmask
-.Fa mode
-for the
-.Fa ctx
-or
-.Fa ssl
-object.
-.Pp
-.Fn SSL_CTX_get_mode
-and
-.Fn SSL_get_mode
-return a bitmask representing the options
-that are currently enabled for the
-.Fa ctx
-or
-.Fa ssl
-object.
-.Pp
-The following options are available:
-.Bl -tag -width Ds
-.It Dv SSL_MODE_ENABLE_PARTIAL_WRITE
-Allow
-.Fn SSL_write ... n
-to return
-.Ms r
-with
-.EQ
-0 < r < n
-.EN
-(i.e., report success when just a single record has been written).
-When not set (the default),
-.Xr SSL_write 3
-will only report success once the complete chunk was written.
-Once
-.Xr SSL_write 3
-returns with
-.Ms r ,
-.Ms r
-bytes have been successfully written and the next call to
-.Xr SSL_write 3
-must only send the
-.Ms n \(mi r
-bytes left, imitating the behaviour of
-.Xr write 2 .
-.It Dv SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER
-Make it possible to retry
-.Xr SSL_write 3
-with changed buffer location (the buffer contents must stay the same).
-This is not the default to avoid the misconception that non-blocking
-.Xr SSL_write 3
-behaves like non-blocking
-.Xr write 2 .
-.It Dv SSL_MODE_AUTO_RETRY
-Never bother the application with retries if the transport is blocking.
-If a renegotiation takes place during normal operation, a
-.Xr SSL_read 3
-or
-.Xr SSL_write 3
-would return
-with \(mi1 and indicate the need to retry with
-.Dv SSL_ERROR_WANT_READ .
-In a non-blocking environment applications must be prepared to handle
-incomplete read/write operations.
-In a blocking environment, applications are not always prepared to deal with
-read/write operations returning without success report.
-The flag
-.Dv SSL_MODE_AUTO_RETRY
-will cause read/write operations to only return after the handshake and
-successful completion.
-.It Dv SSL_MODE_RELEASE_BUFFERS
-When we no longer need a read buffer or a write buffer for a given
-.Vt SSL ,
-then release the memory we were using to hold it.
-Using this flag can save around 34k per idle SSL connection.
-This flag has no effect on SSL v2 connections, or on DTLS connections.
-.El
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_mode ,
-.Fn SSL_set_mode ,
-.Fn SSL_CTX_clear_mode ,
-and
-.Fn SSL_clear_mode
-return the new mode bitmask after adding or clearing
-.Fa mode .
-.Pp
-.Fn SSL_CTX_get_mode
-and
-.Fn SSL_get_mode
-return the current bitmask.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_write 3
-.Sh HISTORY
-.Fn SSL_CTX_set_mode ,
-.Fn SSL_set_mode ,
-.Fn SSL_CTX_get_mode ,
-and
-.Fn SSL_get_mode
-first appeared in OpenSSL 0.9.4 and have been available since
-.Ox 2.6 .
-.Pp
-.Fn SSL_CTX_clear_mode
-and
-.Fn SSL_clear_mode
-first appeared in OpenSSL 0.9.8m and have been available since
-.Ox 4.9 .
-.Pp
-.Dv SSL_MODE_AUTO_RETRY
-was added in OpenSSL 0.9.6.
diff --git a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3 b/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
deleted file mode 100644
index a27333e6d9..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
+++ /dev/null
@@ -1,183 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.5 2021/04/15 16:43:27 tb Exp $
-.\" OpenSSL SSL_CTX_set_msg_callback.pod e9b77246 Jan 20 19:58:49 2017 +0100
-.\" OpenSSL SSL_CTX_set_msg_callback.pod b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Bodo Moeller .
-.\" Copyright (c) 2001, 2014, 2016 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 15 2021 $
-.Dt SSL_CTX_SET_MSG_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_msg_callback ,
-.Nm SSL_CTX_set_msg_callback_arg ,
-.Nm SSL_set_msg_callback ,
-.Nm SSL_set_msg_callback_arg
-.Nd install callback for observing protocol messages
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_msg_callback
-.Fa "SSL_CTX *ctx"
-.Fa "void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)"
-.Fc
-.Ft void
-.Fn SSL_CTX_set_msg_callback_arg "SSL_CTX *ctx" "void *arg"
-.Ft void
-.Fo SSL_set_msg_callback
-.Fa "SSL *ssl"
-.Fa "void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)"
-.Fc
-.Ft void
-.Fn SSL_set_msg_callback_arg "SSL *ssl" "void *arg"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_msg_callback
-or
-.Fn SSL_set_msg_callback
-can be used to define a message callback function
-.Fa cb
-for observing all SSL/TLS protocol messages (such as handshake messages)
-that are received or sent.
-.Fn SSL_CTX_set_msg_callback_arg
-and
-.Fn SSL_set_msg_callback_arg
-can be used to set argument
-.Fa arg
-to the callback function, which is available for arbitrary application use.
-.Pp
-.Fn SSL_CTX_set_msg_callback
-and
-.Fn SSL_CTX_set_msg_callback_arg
-specify default settings that will be copied to new
-.Vt SSL
-objects by
-.Xr SSL_new 3 .
-.Fn SSL_set_msg_callback
-and
-.Fn SSL_set_msg_callback_arg
-modify the actual settings of an
-.Vt SSL
-object.
-Using a
-.Dv NULL
-pointer for
-.Fa cb
-disables the message callback.
-.Pp
-When
-.Fa cb
-is called by the SSL/TLS library for a protocol message,
-the function arguments have the following meaning:
-.Bl -tag -width Ds
-.It Fa write_p
-This flag is 0 when a protocol message has been received and 1 when a protocol
-message has been sent.
-.It Fa version
-The protocol version according to which the protocol message is
-interpreted by the library, such as
-.Dv TLS1_VERSION ,
-.Dv TLS1_1_VERSION ,
-.Dv TLS1_2_VERSION ,
-.Dv DTLS1_VERSION ,
-or
-.Dv DTLS1_2_VERSION .
-.It Fa content_type
-This is one of the
-.Em ContentType
-values defined in the protocol specification
-.Po
-.Dv SSL3_RT_CHANGE_CIPHER_SPEC ,
-.Dv SSL3_RT_ALERT ,
-.Dv SSL3_RT_HANDSHAKE ,
-but never
-.Dv SSL3_RT_APPLICATION_DATA
-because the callback will only be called for protocol messages.
-.Pc
-.It Fa buf , Fa len
-.Fa buf
-points to a buffer containing the protocol message, which consists of
-.Fa len
-bytes.
-The buffer is no longer valid after the callback function has returned.
-.It Fa ssl
-The
-.Vt SSL
-object that received or sent the message.
-.It Fa arg
-The user-defined argument optionally defined by
-.Fn SSL_CTX_set_msg_callback_arg
-or
-.Fn SSL_set_msg_callback_arg .
-.El
-.Pp
-Protocol messages are passed to the callback function after decryption
-and fragment collection where applicable.
-(Thus record boundaries are not visible.)
-.Pp
-If processing a received protocol message results in an error,
-the callback function may not be called.
-For example, the callback function will never see messages that are considered
-too large to be processed.
-.Pp
-Due to automatic protocol version negotiation,
-.Fa version
-is not necessarily the protocol version used by the sender of the message:
-If a TLS 1.0 ClientHello message is received by an SSL 3.0-only server,
-.Fa version
-will be
-.Dv SSL3_VERSION .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-.Fn SSL_CTX_set_msg_callback ,
-.Fn SSL_CTX_set_msg_callback_arg ,
-.Fn SSL_set_msg_callback
-and
-.Fn SSL_set_msg_callback_arg
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3 b/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
deleted file mode 100644
index cb6d7e000a..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
+++ /dev/null
@@ -1,63 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_num_tickets.3,v 1.2 2021/10/23 17:20:50 schwarze Exp $
-.\" OpenSSL pod checked up to: 5402f96a Sep 11 09:58:52 2021 +0100
-.\"
-.\" Copyright (c) 2021 Bob Beck
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 23 2021 $
-.Dt SSL_CTX_SET_NUM_TICKETS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_num_tickets ,
-.Nm SSL_CTX_get_num_tickets ,
-.Nm SSL_set_num_tickets ,
-.Nm SSL_get_num_tickets
-.Nd set and get the number of TLS 1.3 session tickets to be sent
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_set_num_tickets "SSL_CTX *ctx" "size_t num_tickets"
-.Ft size_t
-.Fn SSL_CTX_get_num_tickets "const SSL_CTX *ctx"
-.Ft int
-.Fn SSL_set_num_tickets "SSL *ssl" "size_t num_tickets"
-.Ft size_t
-.Fn SSL_get_num_tickets "const SSL *ssl"
-.Sh DESCRIPTION
-These functions set and retrieve
-the configured number of session tickets for
-.Fa ctx
-and
-.Fa ssl ,
-respectively.
-.Pp
-They are provided only for compatibility with OpenSSL
-and have no effect in LibreSSL.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_num_tickets
-and
-.Fn SSL_set_num_tickets
-always return 1.
-.Pp
-.Fn SSL_CTX_get_num_tickets
-and
-.Fn SSL_get_num_tickets
-return the previously set number of tickets, or 0 if it has not been set.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3
-.Sh HISTORY
-These function first appeared in OpenSSL 1.1.1
-and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3
deleted file mode 100644
index 5df0b07785..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_options.3
+++ /dev/null
@@ -1,374 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.16 2022/03/31 17:27:18 naddy Exp $
-.\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
-.\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
-.\"
-.\" This file was written by Lutz Jaenicke ,
-.\" Bodo Moeller , and
-.\" Dr. Stephen Henson .
-.\" Copyright (c) 2001-2003, 2005, 2007, 2009, 2010, 2013-2015
-.\" The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt SSL_CTX_SET_OPTIONS 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_options ,
-.Nm SSL_set_options ,
-.Nm SSL_CTX_clear_options ,
-.Nm SSL_clear_options ,
-.Nm SSL_CTX_get_options ,
-.Nm SSL_get_options ,
-.Nm SSL_get_secure_renegotiation_support
-.Nd manipulate SSL options
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_options "SSL_CTX *ctx" "long options"
-.Ft long
-.Fn SSL_set_options "SSL *ssl" "long options"
-.Ft long
-.Fn SSL_CTX_clear_options "SSL_CTX *ctx" "long options"
-.Ft long
-.Fn SSL_clear_options "SSL *ssl" "long options"
-.Ft long
-.Fn SSL_CTX_get_options "SSL_CTX *ctx"
-.Ft long
-.Fn SSL_get_options "SSL *ssl"
-.Ft long
-.Fn SSL_get_secure_renegotiation_support "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_options
-adds the options set via bitmask in
-.Fa options
-to
-.Fa ctx .
-Options already set before are not cleared!
-.Pp
-.Fn SSL_set_options
-adds the options set via bitmask in
-.Fa options
-to
-.Fa ssl .
-Options already set before are not cleared!
-.Pp
-.Fn SSL_CTX_clear_options
-clears the options set via bitmask in
-.Fa options
-to
-.Fa ctx .
-.Pp
-.Fn SSL_clear_options
-clears the options set via bitmask in
-.Fa options
-to
-.Fa ssl .
-.Pp
-.Fn SSL_CTX_get_options
-returns the options set for
-.Fa ctx .
-.Pp
-.Fn SSL_get_options
-returns the options set for
-.Fa ssl .
-.Pp
-.Fn SSL_get_secure_renegotiation_support
-indicates whether the peer supports secure renegotiation.
-.Pp
-All these functions are implemented using macros.
-.Pp
-The behaviour of the SSL library can be changed by setting several options.
-The options are coded as bitmasks and can be combined by a bitwise OR
-operation (|).
-.Pp
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-affect the (external) protocol behaviour of the SSL library.
-The (internal) behaviour of the API can be changed by using the similar
-.Xr SSL_CTX_set_mode 3
-and
-.Xr SSL_set_mode 3
-functions.
-.Pp
-During a handshake, the option settings of the SSL object are used.
-When a new SSL object is created from a context using
-.Xr SSL_new 3 ,
-the current option setting is copied.
-Changes to
-.Fa ctx
-do not affect already created
-.Vt SSL
-objects.
-.Fn SSL_clear
-does not affect the settings.
-.Pp
-The following
-.Em bug workaround
-options are available:
-.Bl -tag -width Ds
-.It Dv SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-Disables a countermeasure against a TLS 1.0 protocol vulnerability
-affecting CBC ciphers, which cannot be handled by some broken SSL
-implementations.
-This option has no effect for connections using other ciphers.
-.It Dv SSL_OP_ALL
-This is currently an alias for
-.Dv SSL_OP_LEGACY_SERVER_CONNECT .
-.El
-.Pp
-It is usually safe to use
-.Dv SSL_OP_ALL
-to enable the bug workaround options if compatibility with somewhat broken
-implementations is desired.
-.Pp
-The following
-.Em modifying
-options are available:
-.Bl -tag -width Ds
-.It Dv SSL_OP_CIPHER_SERVER_PREFERENCE
-When choosing a cipher, use the server's preferences instead of the client
-preferences.
-When not set, the server will always follow the client's preferences.
-When set, the server will choose following its own preferences.
-.It Dv SSL_OP_COOKIE_EXCHANGE
-Turn on Cookie Exchange as described in RFC 4347 Section 4.2.1.
-Only affects DTLS connections.
-.It Dv SSL_OP_LEGACY_SERVER_CONNECT
-Allow legacy insecure renegotiation between OpenSSL and unpatched servers
-.Em only :
-this option is currently set by default.
-See the
-.Sx SECURE RENEGOTIATION
-section for more details.
-.It Dv SSL_OP_NO_DTLSv1
-Do not use the DTLSv1 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_DTLSv1_2
-Do not use the DTLSv1.2 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_QUERY_MTU
-Do not query the MTU.
-Only affects DTLS connections.
-.It Dv SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
-When performing renegotiation as a server, always start a new session (i.e.,
-session resumption requests are only accepted in the initial handshake).
-This option is not needed for clients.
-.It Dv SSL_OP_NO_TICKET
-Normally clients and servers using TLSv1.2 and earlier will, where possible,
-transparently make use of
-RFC 5077 tickets for stateless session resumption.
-.Pp
-If this option is set, this functionality is disabled and tickets will not be
-used by clients or servers.
-.It Dv SSL_OP_NO_TLSv1
-Do not use the TLSv1.0 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_TLSv1_1
-Do not use the TLSv1.1 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_min_proto_version 3
-instead.
-.It Dv SSL_OP_NO_TLSv1_2
-Do not use the TLSv1.2 protocol.
-Deprecated; use
-.Xr SSL_CTX_set_max_proto_version 3
-instead.
-.El
-.Pp
-The following options used to be supported at some point in the past
-and no longer have any effect:
-.Dv SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION ,
-.Dv SSL_OP_EPHEMERAL_RSA ,
-.Dv SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER ,
-.Dv SSL_OP_MICROSOFT_SESS_ID_BUG ,
-.Dv SSL_OP_NETSCAPE_CA_DN_BUG ,
-.Dv SSL_OP_NETSCAPE_CHALLENGE_BUG ,
-.Dv SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG ,
-.Dv SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG ,
-.Dv SSL_OP_NO_COMPRESSION ,
-.Dv SSL_OP_NO_SSLv2 ,
-.Dv SSL_OP_NO_SSLv3 ,
-.Dv SSL_OP_PKCS1_CHECK_1 ,
-.Dv SSL_OP_PKCS1_CHECK_2 ,
-.Dv SSL_OP_SAFARI_ECDHE_ECDSA_BUG ,
-.Dv SSL_OP_SINGLE_DH_USE ,
-.Dv SSL_OP_SINGLE_ECDH_USE ,
-.Dv SSL_OP_SSLEAY_080_CLIENT_DH_BUG ,
-.Dv SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG ,
-.Dv SSL_OP_TLS_BLOCK_PADDING_BUG ,
-.Dv SSL_OP_TLS_D5_BUG ,
-.Dv SSL_OP_TLS_ROLLBACK_BUG ,
-.Dv SSL_OP_TLSEXT_PADDING .
-.Sh SECURE RENEGOTIATION
-OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
-described in RFC 5746.
-This counters the prefix attack described in CVE-2009-3555 and elsewhere.
-.Pp
-This attack has far-reaching consequences which application writers should be
-aware of.
-In the description below an implementation supporting secure renegotiation is
-referred to as
-.Dq patched .
-A server not supporting secure
-renegotiation is referred to as
-.Dq unpatched .
-.Pp
-The following sections describe the operations permitted by OpenSSL's secure
-renegotiation implementation.
-.Ss Patched client and server
-Connections and renegotiation are always permitted by OpenSSL implementations.
-.Ss Unpatched client and patched OpenSSL server
-The initial connection succeeds but client renegotiation is denied by the
-server with a
-.Em no_renegotiation
-warning alert.
-.Pp
-If the patched OpenSSL server attempts to renegotiate, a fatal
-.Em handshake_failure
-alert is sent.
-This is because the server code may be unaware of the unpatched nature of the
-client.
-.Pp
-Note that a bug in OpenSSL clients earlier than 0.9.8m (all of which
-are unpatched) will result in the connection hanging if it receives a
-.Em no_renegotiation
-alert.
-OpenSSL versions 0.9.8m and later will regard a
-.Em no_renegotiation
-alert as fatal and respond with a fatal
-.Em handshake_failure
-alert.
-This is because the OpenSSL API currently has no provision to indicate to an
-application that a renegotiation attempt was refused.
-.Ss Patched OpenSSL client and unpatched server
-If the option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-is set then initial connections and renegotiation between patched OpenSSL
-clients and unpatched servers succeeds.
-If neither option is set then initial connections to unpatched servers will
-fail.
-.Pp
-The option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-is currently set by default even though it has security implications:
-otherwise it would be impossible to connect to unpatched servers (i.e., all of
-them initially) and this is clearly not acceptable.
-Renegotiation is permitted because this does not add any additional security
-issues: during an attack clients do not see any renegotiations anyway.
-.Pp
-As more servers become patched, the option
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-will
-.Em not
-be set by default in a future version of OpenSSL.
-.Pp
-OpenSSL client applications wishing to ensure they can connect to unpatched
-servers should always
-.Em set
-.Dv SSL_OP_LEGACY_SERVER_CONNECT .
-.Pp
-OpenSSL client applications that want to ensure they can
-.Em not
-connect to unpatched servers (and thus avoid any security issues) should always
-.Em clear
-.Dv SSL_OP_LEGACY_SERVER_CONNECT
-using
-.Fn SSL_CTX_clear_options
-or
-.Fn SSL_clear_options .
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-return the new options bitmask after adding
-.Fa options .
-.Pp
-.Fn SSL_CTX_clear_options
-and
-.Fn SSL_clear_options
-return the new options bitmask after clearing
-.Fa options .
-.Pp
-.Fn SSL_CTX_get_options
-and
-.Fn SSL_get_options
-return the current bitmask.
-.Pp
-.Fn SSL_get_secure_renegotiation_support
-returns 1 is the peer supports secure renegotiation and 0 if it does not.
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_set_min_proto_version 3 ,
-.Xr SSL_new 3
-.Sh HISTORY
-.Fn SSL_CTX_set_options
-and
-.Fn SSL_set_options
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_get_options
-and
-.Fn SSL_get_options
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Pp
-.Fn SSL_CTX_clear_options ,
-.Fn SSL_clear_options ,
-and
-.Fn SSL_get_secure_renegotiation_support
-first appeared in OpenSSL 0.9.8m and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 b/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
deleted file mode 100644
index 71463f1eca..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
+++ /dev/null
@@ -1,161 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2005 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 30 2020 $
-.Dt SSL_CTX_SET_QUIET_SHUTDOWN 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_quiet_shutdown ,
-.Nm SSL_CTX_get_quiet_shutdown ,
-.Nm SSL_set_quiet_shutdown ,
-.Nm SSL_get_quiet_shutdown
-.Nd manipulate shutdown behaviour
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fn SSL_CTX_set_quiet_shutdown "SSL_CTX *ctx" "int mode"
-.Ft int
-.Fn SSL_CTX_get_quiet_shutdown "const SSL_CTX *ctx"
-.Ft void
-.Fn SSL_set_quiet_shutdown "SSL *ssl" "int mode"
-.Ft int
-.Fn SSL_get_quiet_shutdown "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_quiet_shutdown
-sets the
-.Dq quiet shutdown
-flag for
-.Fa ctx
-to be
-.Fa mode .
-.Vt SSL
-objects created from
-.Fa ctx
-inherit the
-.Fa mode
-valid at the time
-.Xr SSL_new 3
-is called.
-.Fa mode
-may be 0 or 1.
-.Pp
-.Fn SSL_CTX_get_quiet_shutdown
-returns the
-.Dq quiet shutdown
-setting of
-.Fa ctx .
-.Pp
-.Fn SSL_set_quiet_shutdown
-sets the
-.Dq quiet shutdown
-flag for
-.Fa ssl
-to be
-.Fa mode .
-The setting stays valid until
-.Fa ssl
-is removed with
-.Xr SSL_free 3
-or
-.Fn SSL_set_quiet_shutdown
-is called again.
-It is not changed when
-.Xr SSL_clear 3
-is called.
-.Fa mode
-may be 0 or 1.
-.Pp
-.Fn SSL_get_quiet_shutdown
-returns the
-.Dq quiet shutdown
-setting of
-.Fa ssl .
-.Pp
-Normally when a SSL connection is finished, the parties must send out
-.Dq close notify
-alert messages using
-.Xr SSL_shutdown 3
-for a clean shutdown.
-.Pp
-When setting the
-.Dq quiet shutdown
-flag to 1,
-.Xr SSL_shutdown 3
-will set the internal flags to
-.Dv SSL_SENT_SHUTDOWN Ns | Ns Dv SSL_RECEIVED_SHUTDOWN
-.Po
-.Xr SSL_shutdown 3
-then behaves like
-.Xr SSL_set_shutdown 3
-called with
-.Dv SSL_SENT_SHUTDOWN Ns | Ns Dv SSL_RECEIVED_SHUTDOWN
-.Pc .
-The session is thus considered to be shut down, but no
-.Dq close notify
-alert is sent to the peer.
-This behaviour violates the TLS standard.
-.Pp
-The default is normal shutdown behaviour as described by the TLS standard.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_quiet_shutdown
-and
-.Fn SSL_get_quiet_shutdown
-return the current setting.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_shutdown 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.8.1
-and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3 b/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
deleted file mode 100644
index eae76eb472..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
+++ /dev/null
@@ -1,144 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Matt Caswell .
-.\" Copyright (c) 2015, 2016 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_SET_READ_AHEAD 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_read_ahead ,
-.Nm SSL_CTX_get_read_ahead ,
-.Nm SSL_set_read_ahead ,
-.Nm SSL_get_read_ahead ,
-.Nm SSL_CTX_get_default_read_ahead
-.Nd manage whether to read as many input bytes as possible
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_read_ahead
-.Fa "SSL_CTX *ctx"
-.Fa "int yes"
-.Fc
-.Ft long
-.Fo SSL_CTX_get_read_ahead
-.Fa "SSL_CTX *ctx"
-.Fc
-.Ft void
-.Fo SSL_set_read_ahead
-.Fa "SSL *s"
-.Fa "int yes"
-.Fc
-.Ft long
-.Fo SSL_get_read_ahead
-.Fa "const SSL *s"
-.Fc
-.Ft long
-.Fo SSL_CTX_get_default_read_ahead
-.Fa "SSL_CTX *ctx"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_read_ahead
-and
-.Fn SSL_set_read_ahead
-set whether as many input bytes as possible are read for non-blocking
-reads.
-For example if
-.Ar x
-bytes are currently required by OpenSSL, but
-.Ar y
-bytes are available from the underlying BIO (where
-.Ar y No > Ar x ) ,
-then OpenSSL will read all
-.Ar y
-bytes into its buffer (provided that the buffer is large enough) if
-reading ahead is on, or
-.Ar x
-bytes otherwise.
-The parameter
-.Fa yes
-should be 0 to ensure reading ahead is off, or non zero otherwise.
-.Pp
-.Fn SSL_CTX_get_read_ahead
-and
-.Fn SSL_get_read_ahead
-indicate whether reading ahead is set or not.
-.Pp
-.Fn SSL_CTX_get_default_read_ahead
-is identical to
-.Fn SSL_CTX_get_read_ahead .
-.Pp
-These functions are implemented as macros.
-.Pp
-These functions have no effect when used with DTLS.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_read_ahead
-and
-.Fn SSL_get_read_ahead
-return 0 if reading ahead is off or non-zero otherwise,
-except that the return values are undefined for DTLS.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_pending 3
-.Sh HISTORY
-.Fn SSL_set_read_ahead
-and
-.Fn SSL_get_read_ahead
-appeared in SSLeay 0.4 or earlier and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_CTX_set_read_ahead ,
-.Fn SSL_CTX_get_read_ahead ,
-and
-.Fn SSL_CTX_get_default_read_ahead
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
-.Sh CAVEATS
-Switching read ahead on can impact the behaviour of the
-.Xr SSL_pending 3
-function.
diff --git a/src/lib/libssl/man/SSL_CTX_set_security_level.3 b/src/lib/libssl/man/SSL_CTX_set_security_level.3
deleted file mode 100644
index 529352cf0f..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_security_level.3
+++ /dev/null
@@ -1,159 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.1 2022/07/13 20:52:36 schwarze Exp $
-.\"
-.\" Copyright (c) 2022 Ingo Schwarze
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: July 13 2022 $
-.Dt SSL_CTX_SET_SECURITY_LEVEL 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_security_level ,
-.Nm SSL_set_security_level ,
-.Nm SSL_CTX_get_security_level ,
-.Nm SSL_get_security_level
-.Nd change security level for TLS
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft void
-.Fo SSL_CTX_set_security_level
-.Fa "SSL_CTX *ctx"
-.Fa "int level"
-.Fc
-.Ft void
-.Fo SSL_set_security_level
-.Fa "SSL *s"
-.Fa "int level"
-.Fc
-.Ft int
-.Fo SSL_CTX_get_security_level
-.Fa "const SSL_CTX *ctx"
-.Fc
-.Ft int
-.Fo SSL_get_security_level
-.Fa "const SSL *s"
-.Fc
-.Sh DESCRIPTION
-A security level is a set of restrictions on algorithms, key lengths,
-protocol versions, and other features in TLS connections.
-These restrictions apply in addition to those that exist from individually
-selecting supported features, for example ciphers, curves, or algorithms.
-.Pp
-The following table shows properties of the various security levels:
-.Bl -column # sec 15360 ECC TLS SHA1 -offset indent
-.It # Ta sec Ta \0\0RSA Ta ECC Ta TLS Ta MAC
-.It 0 Ta \0\00 Ta \0\0\0\00 Ta \0\00 Ta 1.0 Ta MD5
-.It 1 Ta \080 Ta \01024 Ta 160 Ta 1.0 Ta RC4
-.It 2 Ta 112 Ta \02048 Ta 224 Ta 1.0 Ta
-.It 3 Ta 128 Ta \03072 Ta 256 Ta 1.1 Ta SHA1
-.It 4 Ta 192 Ta \07680 Ta 384 Ta 1.2 Ta
-.It 5 Ta 256 Ta 15360 Ta 512 Ta 1.2 Ta
-.El
-.Pp
-The meaning of the columns is as follows:
-.Pp
-.Bl -tag -width features -compact
-.It #
-The number of the
-.Fa level .
-.It sec
-The minimum security strength measured in bits, which is approximately
-the binary logarithm of the number of operations an attacker has
-to perform in order to break a cryptographic key.
-This minimum strength is enforced for all relevant parameters
-including cipher suite encryption algorithms, ECC curves, signature
-algorithms, DH parameter sizes, and certificate algorithms and key
-sizes.
-See SP800-57 below
-.Sx SEE ALSO
-for details on individual algorithms.
-.It RSA
-The minimum key length in bits for the RSA, DSA, and DH algorithms.
-.It ECC
-The minimum key length in bits for ECC algorithms.
-.It TLS
-The minimum TLS protocol version.
-.It MAC
-Cipher suites using the given MACs are allowed on this level
-and on lower levels, but not on higher levels.
-.El
-.Pp
-Level 0 is only provided for backward compatibility and permits everything.
-.Pp
-Level 3 and higher disable support for session tickets
-and only accept cipher suites that provide forward secrecy.
-.Pp
-The functions
-.Fn SSL_CTX_set_security_level
-and
-.Fn SSL_set_security_level
-choose the security
-.Fa level
-for
-.Fa ctx
-or
-.Fa s ,
-respectively.
-If not set, security level 1 is used.
-.Pp
-.Xr SSL_CTX_new 3
-initializes the security level of the new object to 1.
-.Pp
-.Xr SSL_new 3
-and
-.Xr SSL_set_SSL_CTX 3
-copy the security level from the context to the SSL object.
-.Pp
-.Xr SSL_dup 3
-copies the security level from the old to the new object.
-.Sh RETURN VALUES
-.Fn SSL_CTX_get_security_level
-and
-.Fn SSL_get_security_level
-return the security level configured in
-.Fa ctx
-or
-.Fa s ,
-respectively.
-.Sh SEE ALSO
-.Xr EVP_PKEY_security_bits 3 ,
-.Xr RSA_security_bits 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_new 3
-.Rs
-.%A Elaine Barker
-.%T Recommendation for Key Management
-.%I U.S. National Institute of Standards and Technology
-.%R NIST Special Publication 800-57 Part 1 Revision 5
-.%U https://doi.org/10.6028/NIST.SP.800-57pt1r5
-.%C Gaithersburg, MD
-.%D May 2020
-.Re
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 7.2 .
-.Sh CAVEATS
-Applications which do not check the return values
-of configuration functions will misbehave.
-For example, if an application does not check the return value
-after trying to set a certificate and the certificate is rejected
-because of the security level, the application may behave as if
-no certificate had been provided at all.
-.Pp
-While some restrictions may be handled gracefully by negotiations
-between the client and the server, other restrictions may be
-fatal and abort the TLS handshake.
-For example, this can happen if the peer certificate contains a key
-that is too short or if the DH parameter size is too small.
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 b/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
deleted file mode 100644
index 1fe67b2a7e..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
+++ /dev/null
@@ -1,198 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
-.\" OpenSSL 67adf0a7 Dec 25 19:58:38 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke and
-.\" Geoff Thorpe .
-.\" Copyright (c) 2001, 2002 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_CTX_SET_SESSION_CACHE_MODE 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_session_cache_mode ,
-.Nm SSL_CTX_get_session_cache_mode
-.Nd enable/disable session caching
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_session_cache_mode "SSL_CTX ctx" "long mode"
-.Ft long
-.Fn SSL_CTX_get_session_cache_mode "SSL_CTX ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_session_cache_mode
-enables/disables session caching by setting the operational mode for
-.Ar ctx
-to
-.Ar mode .
-.Pp
-.Fn SSL_CTX_get_session_cache_mode
-returns the currently used cache mode.
-.Pp
-The OpenSSL library can store/retrieve SSL/TLS sessions for later reuse.
-The sessions can be held in memory for each
-.Fa ctx ,
-if more than one
-.Vt SSL_CTX
-object is being maintained, the sessions are unique for each
-.Vt SSL_CTX
-object.
-.Pp
-In order to reuse a session, a client must send the session's id to the server.
-It can only send exactly one id.
-The server then either agrees to reuse the session or it starts a full
-handshake (to create a new session).
-.Pp
-A server will look up the session in its internal session storage.
-If the session is not found in internal storage or lookups for the internal
-storage have been deactivated
-.Pq Dv SSL_SESS_CACHE_NO_INTERNAL_LOOKUP ,
-the server will try the external storage if available.
-.Pp
-Since a client may try to reuse a session intended for use in a different
-context, the session id context must be set by the server (see
-.Xr SSL_CTX_set_session_id_context 3 ) .
-.Pp
-The following session cache modes and modifiers are available:
-.Bl -tag -width Ds
-.It Dv SSL_SESS_CACHE_OFF
-No session caching for client or server takes place.
-.It Dv SSL_SESS_CACHE_CLIENT
-Client sessions are added to the session cache.
-As there is no reliable way for the OpenSSL library to know whether a session
-should be reused or which session to choose (due to the abstract BIO layer the
-SSL engine does not have details about the connection),
-the application must select the session to be reused by using the
-.Xr SSL_set_session 3
-function.
-This option is not activated by default.
-.It Dv SSL_SESS_CACHE_SERVER
-Server sessions are added to the session cache.
-When a client proposes a session to be reused, the server looks for the
-corresponding session in (first) the internal session cache (unless
-.Dv SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
-is set), then (second) in the external cache if available.
-If the session is found, the server will try to reuse the session.
-This is the default.
-.It Dv SSL_SESS_CACHE_BOTH
-Enable both
-.Dv SSL_SESS_CACHE_CLIENT
-and
-.Dv SSL_SESS_CACHE_SERVER
-at the same time.
-.It Dv SSL_SESS_CACHE_NO_AUTO_CLEAR
-Normally the session cache is checked for expired sessions every 255
-connections using the
-.Xr SSL_CTX_flush_sessions 3
-function.
-Since this may lead to a delay which cannot be controlled,
-the automatic flushing may be disabled and
-.Xr SSL_CTX_flush_sessions 3
-can be called explicitly by the application.
-.It Dv SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
-By setting this flag, session-resume operations in an SSL/TLS server will not
-automatically look up sessions in the internal cache,
-even if sessions are automatically stored there.
-If external session caching callbacks are in use,
-this flag guarantees that all lookups are directed to the external cache.
-As automatic lookup only applies for SSL/TLS servers,
-the flag has no effect on clients.
-.It Dv SSL_SESS_CACHE_NO_INTERNAL_STORE
-Depending on the presence of
-.Dv SSL_SESS_CACHE_CLIENT
-and/or
-.Dv SSL_SESS_CACHE_SERVER ,
-sessions negotiated in an SSL/TLS handshake may be cached for possible reuse.
-Normally a new session is added to the internal cache as well as any external
-session caching (callback) that is configured for the
-.Vt SSL_CTX .
-This flag will prevent sessions being stored in the internal cache
-(though the application can add them manually using
-.Xr SSL_CTX_add_session 3 ) .
-Note:
-in any SSL/TLS servers where external caching is configured, any successful
-session lookups in the external cache (e.g., for session-resume requests) would
-normally be copied into the local cache before processing continues \(en this
-flag prevents these additions to the internal cache as well.
-.It Dv SSL_SESS_CACHE_NO_INTERNAL
-Enable both
-.Dv SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
-and
-.Dv SSL_SESS_CACHE_NO_INTERNAL_STORE
-at the same time.
-.El
-.Pp
-The default mode is
-.Dv SSL_SESS_CACHE_SERVER .
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_session_cache_mode
-returns the previously set cache mode.
-.Pp
-.Fn SSL_CTX_get_session_cache_mode
-returns the currently set cache mode.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_session 3 ,
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_sess_number 3 ,
-.Xr SSL_CTX_sess_set_cache_size 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_CTX_set_session_id_context 3 ,
-.Xr SSL_CTX_set_timeout 3 ,
-.Xr SSL_session_reused 3 ,
-.Xr SSL_set_session 3
-.Sh HISTORY
-.Fn SSL_CTX_set_session_cache_mode
-and
-.Fn SSL_CTX_get_session_cache_mode
-first appeared in SSLeay 0.6.1 and have been available since
-.Ox 2.4 .
-.Pp
-.Dv SSL_SESS_CACHE_NO_INTERNAL_STORE
-and
-.Dv SSL_SESS_CACHE_NO_INTERNAL
-were introduced in OpenSSL 0.9.6h.
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3 b/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
deleted file mode 100644
index 06fd9348ae..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
+++ /dev/null
@@ -1,160 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2004 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 8 2019 $
-.Dt SSL_CTX_SET_SESSION_ID_CONTEXT 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_session_id_context ,
-.Nm SSL_set_session_id_context
-.Nd set context within which session can be reused (server side only)
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set_session_id_context
-.Fa "SSL_CTX *ctx"
-.Fa "const unsigned char *sid_ctx"
-.Fa "unsigned int sid_ctx_len"
-.Fc
-.Ft int
-.Fo SSL_set_session_id_context
-.Fa "SSL *ssl"
-.Fa "const unsigned char *sid_ctx"
-.Fa "unsigned int sid_ctx_len"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_session_id_context
-sets the context
-.Fa sid_ctx
-of length
-.Fa sid_ctx_len
-within which a session can be reused for the
-.Fa ctx
-object.
-.Pp
-.Fn SSL_set_session_id_context
-sets the context
-.Fa sid_ctx
-of length
-.Fa sid_ctx_len
-within which a session can be reused for the
-.Fa ssl
-object.
-.Pp
-Sessions are generated within a certain context.
-When exporting/importing sessions with
-.Xr i2d_SSL_SESSION 3
-and
-.Xr d2i_SSL_SESSION 3 ,
-it would be possible to re-import a session generated from another context
-(e.g., another application), which might lead to malfunctions.
-Therefore each application must set its own session id context
-.Fa sid_ctx
-which is used to distinguish the contexts and is stored in exported sessions.
-The
-.Fa sid_ctx
-can be any kind of binary data with a given length; it is therefore possible
-to use, for instance, the name of the application, the hostname, the service
-name...
-.Pp
-The session id context becomes part of the session.
-The session id context is set by the SSL/TLS server.
-The
-.Fn SSL_CTX_set_session_id_context
-and
-.Fn SSL_set_session_id_context
-functions are therefore only useful on the server side.
-.Pp
-OpenSSL clients will check the session id context returned by the server when
-reusing a session.
-.Pp
-The maximum length of the
-.Fa sid_ctx
-is limited to
-.Dv SSL_MAX_SSL_SESSION_ID_LENGTH .
-.Sh WARNINGS
-If the session id context is not set on an SSL/TLS server and client
-certificates are used, stored sessions will not be reused but a fatal error
-will be flagged and the handshake will fail.
-.Pp
-If a server returns a different session id context to an OpenSSL client
-when reusing a session, an error will be flagged and the handshake will
-fail.
-OpenSSL servers will always return the correct session id context,
-as an OpenSSL server checks the session id context itself before reusing
-a session as described above.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_session_id_context
-and
-.Fn SSL_set_session_id_context
-return the following values:
-.Bl -tag -width Ds
-.It 0
-The length
-.Fa sid_ctx_len
-of the session id context
-.Fa sid_ctx
-exceeded
-the maximum allowed length of
-.Dv SSL_MAX_SSL_SESSION_ID_LENGTH .
-The error is logged to the error stack.
-.It 1
-The operation succeeded.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_SESSION_set1_id_context 3
-.Sh HISTORY
-.Fn SSL_set_session_id_context
-first appeared in OpenSSL 0.9.2b.
-.Fn SSL_CTX_set_session_id_context
-first appeared in OpenSSL 0.9.3.
-Both functions have been available since
-.Ox 2.6 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3 b/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
deleted file mode 100644
index b1bdb92bb0..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
+++ /dev/null
@@ -1,146 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.5 2021/05/11 19:48:56 tb Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2005 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 11 2021 $
-.Dt SSL_CTX_SET_SSL_VERSION 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_ssl_version ,
-.Nm SSL_set_ssl_method ,
-.Nm SSL_CTX_get_ssl_method ,
-.Nm SSL_get_ssl_method
-.Nd choose a new TLS/SSL method
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_CTX_set_ssl_version "SSL_CTX *ctx" "const SSL_METHOD *method"
-.Ft int
-.Fn SSL_set_ssl_method "SSL *s" "const SSL_METHOD *method"
-.Ft const SSL_METHOD *
-.Fn SSL_CTX_get_ssl_method "SSL_CTX *ctx"
-.Ft const SSL_METHOD *
-.Fn SSL_get_ssl_method "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_ssl_version
-sets a new default TLS/SSL
-.Fa method
-for
-.Vt SSL
-objects newly created from this
-.Fa ctx .
-.Vt SSL
-objects already created with
-.Xr SSL_new 3
-are not affected, except when
-.Xr SSL_clear 3
-is called.
-.Pp
-.Fn SSL_set_ssl_method
-sets a new TLS/SSL
-.Fa method
-for a particular
-.Vt SSL
-object
-.Fa s .
-It may be reset when
-.Xr SSL_clear 3
-is called.
-.Pp
-.Fn SSL_CTX_get_ssl_method
-and
-.Fn SSL_get_ssl_method
-return a function pointer to the TLS/SSL method set in
-.Fa ctx
-and
-.Fa ssl ,
-respectively.
-.Pp
-The available
-.Fa method
-choices are described in
-.Xr SSL_CTX_new 3 .
-.Pp
-When
-.Xr SSL_clear 3
-is called and no session is connected to an
-.Vt SSL
-object, the method of the
-.Vt SSL
-object is reset to the method currently set in the corresponding
-.Vt SSL_CTX
-object.
-.Sh RETURN VALUES
-The following return values can occur for
-.Fn SSL_CTX_set_ssl_version
-and
-.Fn SSL_set_ssl_method :
-.Bl -tag -width Ds
-.It 0
-The new choice failed.
-Check the error stack to find out the reason.
-.It 1
-The operation succeeded.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_connect_state 3
-.Sh HISTORY
-.Fn SSL_CTX_set_ssl_version ,
-.Fn SSL_set_ssl_method ,
-and
-.Fn SSL_get_ssl_method
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Fn SSL_CTX_get_ssl_method
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_timeout.3 b/src/lib/libssl/man/SSL_CTX_set_timeout.3
deleted file mode 100644
index ab99e2016e..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_timeout.3
+++ /dev/null
@@ -1,118 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CTX_SET_TIMEOUT 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_timeout ,
-.Nm SSL_CTX_get_timeout
-.Nd manipulate timeout values for session caching
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_CTX_set_timeout "SSL_CTX *ctx" "long t"
-.Ft long
-.Fn SSL_CTX_get_timeout "SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_timeout
-sets the timeout for newly created sessions for
-.Fa ctx
-to
-.Fa t .
-The timeout value
-.Fa t
-must be given in seconds.
-.Pp
-.Fn SSL_CTX_get_timeout
-returns the currently set timeout value for
-.Fa ctx .
-.Pp
-Whenever a new session is created, it is assigned a maximum lifetime.
-This lifetime is specified by storing the creation time of the session and the
-timeout value valid at this time.
-If the actual time is later than creation time plus timeout,
-the session is not reused.
-.Pp
-Due to this realization, all sessions behave according to the timeout value
-valid at the time of the session negotiation.
-Changes of the timeout value do not affect already established sessions.
-.Pp
-The expiration time of a single session can be modified using the
-.Xr SSL_SESSION_get_time 3
-family of functions.
-.Pp
-Expired sessions are removed from the internal session cache, whenever
-.Xr SSL_CTX_flush_sessions 3
-is called, either directly by the application or automatically (see
-.Xr SSL_CTX_set_session_cache_mode 3 ) .
-.Pp
-The default value for session timeout is decided on a per-protocol basis; see
-.Xr SSL_get_default_timeout 3 .
-All currently supported protocols have the same default timeout value of 300
-seconds.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_timeout
-returns the previously set timeout value.
-.Pp
-.Fn SSL_CTX_get_timeout
-returns the currently set timeout value.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_get_default_timeout 3 ,
-.Xr SSL_SESSION_get_time 3
-.Sh HISTORY
-.Fn SSL_CTX_set_timeout
-and
-.Fn SSL_CTX_get_timeout
-first appeared in SSLeay 0.6.1 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
deleted file mode 100644
index 2b54406de8..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
+++ /dev/null
@@ -1,247 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.6 2021/09/01 13:56:03 schwarze Exp $
-.\" full merge up to: OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800
-.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
-.\"
-.\" This file was written by Jon Spillett ,
-.\" Paul Yang , and
-.\" Matt Caswell .
-.\" Copyright (c) 2017, 2019 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 1 2021 $
-.Dt SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_tlsext_servername_callback ,
-.Nm SSL_CTX_set_tlsext_servername_arg ,
-.Nm SSL_get_servername_type ,
-.Nm SSL_get_servername ,
-.Nm SSL_set_tlsext_host_name
-.Nd handle server name indication (SNI)
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fo SSL_CTX_set_tlsext_servername_callback
-.Fa "SSL_CTX *ctx"
-.Fa "int (*cb)(SSL *ssl, int *alert, void *arg)"
-.Fc
-.Ft long
-.Fo SSL_CTX_set_tlsext_servername_arg
-.Fa "SSL_CTX *ctx"
-.Fa "void *arg"
-.Fc
-.Ft const char *
-.Fo SSL_get_servername
-.Fa "const SSL *ssl"
-.Fa "const int type"
-.Fc
-.Ft int
-.Fo SSL_get_servername_type
-.Fa "const SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_set_tlsext_host_name
-.Fa "const SSL *ssl"
-.Fa "const char *name"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_tlsext_servername_callback
-sets the application callback
-.Fa cb
-used by a server to perform any actions or configuration required based
-on the servername extension received in the incoming connection.
-Like the ALPN callback, it is executed during Client Hello processing.
-When
-.Fa cb
-is
-.Dv NULL ,
-SNI is not used.
-.Pp
-The servername callback should return one of the following values:
-.Bl -tag -width Ds
-.It Dv SSL_TLSEXT_ERR_OK
-This is used to indicate that the servername requested by the client
-has been accepted.
-Typically a server will call
-.Xr SSL_set_SSL_CTX 3
-in the callback to set up a different configuration
-for the selected servername in this case.
-.It Dv SSL_TLSEXT_ERR_ALERT_FATAL
-In this case the servername requested by the client is not accepted
-and the handshake will be aborted.
-The value of the alert to be used should be stored in the location
-pointed to by the
-.Fa alert
-parameter to the callback.
-By default this value is initialised to
-.Dv SSL_AD_UNRECOGNIZED_NAME .
-.It Dv SSL_TLSEXT_ERR_ALERT_WARNING
-If this value is returned, then the servername is not accepted by the server.
-However, the handshake will continue and send a warning alert instead.
-The value of the alert should be stored in the location pointed to by the
-.Fa alert
-parameter as for
-.Dv SSL_TLSEXT_ERR_ALERT_FATAL
-above.
-Note that TLSv1.3 does not support warning alerts, so if TLSv1.3 has
-been negotiated then this return value is treated the same way as
-.Dv SSL_TLSEXT_ERR_NOACK .
-.It Dv SSL_TLSEXT_ERR_NOACK
-This return value indicates
-that the servername is not accepted by the server.
-No alerts are sent
-and the server will not acknowledge the requested servername.
-.El
-.Pp
-.Fn SSL_CTX_set_tlsext_servername_arg
-sets a context-specific argument to be passed into the callback via the
-.Fa arg
-parameter for
-.Fa ctx .
-.ig end_of_get_servername_details
-.\" I would suggest to comment out that second wall text of dubious
-.\" usefulness and see if we can meet all these documented API
-.\" requirements in the future or decide that it's not worth the
-.\" effort. -- tb@ Aug 30, 2021
-.Pp
-The behaviour of
-.Fn SSL_get_servername
-depends on a number of different factors.
-In particular note that in TLSv1.3,
-the servername is negotiated in every handshake.
-In TLSv1.2 the servername is only negotiated on initial handshakes
-and not on resumption handshakes.
-.Bl -tag -width Ds
-.It On the client, before the handshake:
-If a servername has been set via a call to
-.Fn SSL_set_tlsext_host_name ,
-then it will return that servername.
-If one has not been set, but a TLSv1.2 resumption is being attempted
-and the session from the original handshake had a servername
-accepted by the server, then it will return that servername.
-Otherwise it returns
-.Dv NULL .
-.It On the client, during or after the handshake,\
- if a TLSv1.2 (or below) resumption occurred:
-If the session from the original handshake had a servername accepted by the
-server, then it will return that servername.
-Otherwise it returns the servername set via
-.Fn SSL_set_tlsext_host_name
-or
-.Dv NULL
-if it was not called.
-.It On the client, during or after the handshake,\
- if a TLSv1.2 (or below) resumption did not occur:
-It will return the servername set via
-.Fn SSL_set_tlsext_host_name
-or
-.Dv NULL
-if it was not called.
-.It On the server, before the handshake:
-The function will always return
-.Dv NULL
-before the handshake.
-.It On the server, after the servername extension has been processed,\
- if a TLSv1.2 (or below) resumption occurred:
-If a servername was accepted by the server in the original handshake,
-then it will return that servername, or
-.Dv NULL
-otherwise.
-.It On the server, after the servername extension has been processed,\
- if a TLSv1.2 (or below) resumption did not occur:
-The function will return the servername
-requested by the client in this handshake or
-.Dv NULL
-if none was requested.
-.El
-.Pp
-Note that the early callback occurs before a servername extension
-from the client is processed.
-The servername, certificate and ALPN callbacks occur
-after a servername extension from the client is processed.
-.end_of_get_servername_details
-.Pp
-.Fn SSL_set_tlsext_host_name
-sets the server name indication ClientHello extension
-to contain the value
-.Fa name ,
-or clears it if
-.Fa name
-is
-.Dv NULL .
-The type of server name indication
-extension is set to
-.Dv TLSEXT_NAMETYPE_host_name
-as defined in RFC 3546.
-.Pp
-All three functions are implemented as macros.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_tlsext_servername_callback
-and
-.Fn SSL_CTX_set_tlsext_servername_arg
-always return 1 indicating success.
-.Pp
-.Fn SSL_get_servername
-returns a servername extension value of the specified type if provided
-in the Client Hello, or
-.Dv NULL
-otherwise.
-.Pp
-.Fn SSL_get_servername_type
-returns the servername type or -1 if no servername is present.
-Currently the only supported type (defined in RFC 3546) is
-.Dv TLSEXT_NAMETYPE_host_name .
-.Pp
-.Fn SSL_set_tlsext_host_name
-returns 1 on success or 0 in case of an error.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_callback_ctrl 3 ,
-.Xr SSL_CTX_set_alpn_select_cb 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.8f
-and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
deleted file mode 100644
index d5979af1e8..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
+++ /dev/null
@@ -1,238 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.8 2021/09/11 18:58:41 schwarze Exp $
-.\" full merge up to: OpenSSL 43c34894 Nov 30 16:04:51 2015 +0000
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Matt Caswell .
-.\" Copyright (c) 2015, 2016 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 11 2021 $
-.Dt SSL_CTX_SET_TLSEXT_STATUS_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_tlsext_status_cb ,
-.Nm SSL_CTX_get_tlsext_status_cb ,
-.Nm SSL_CTX_set_tlsext_status_arg ,
-.Nm SSL_CTX_get_tlsext_status_arg ,
-.Nm SSL_set_tlsext_status_type ,
-.Nm SSL_get_tlsext_status_type ,
-.Nm SSL_get_tlsext_status_ocsp_resp ,
-.Nm SSL_set_tlsext_status_ocsp_resp
-.Nd OCSP Certificate Status Request functions
-.Sh SYNOPSIS
-.In openssl/tls1.h
-.Ft long
-.Fo SSL_CTX_set_tlsext_status_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*callback)(SSL *, void *)"
-.Fc
-.Ft long
-.Fo SSL_CTX_get_tlsext_status_cb
-.Fa "SSL_CTX *ctx"
-.Fa "int (*callback)(SSL *, void *)"
-.Fc
-.Ft long
-.Fo SSL_CTX_set_tlsext_status_arg
-.Fa "SSL_CTX *ctx"
-.Fa "void *arg"
-.Fc
-.Ft long
-.Fo SSL_CTX_get_tlsext_status_arg
-.Fa "SSL_CTX *ctx"
-.Fa "void **arg"
-.Fc
-.Ft long
-.Fo SSL_set_tlsext_status_type
-.Fa "SSL *s"
-.Fa "int type"
-.Fc
-.Ft long
-.Fo SSL_get_tlsext_status_type
-.Fa "SSL *s"
-.Fc
-.Ft long
-.Fo SSL_get_tlsext_status_ocsp_resp
-.Fa ssl
-.Fa "unsigned char **resp"
-.Fc
-.Ft long
-.Fo SSL_set_tlsext_status_ocsp_resp
-.Fa ssl
-.Fa "unsigned char *resp"
-.Fa "int len"
-.Fc
-.Sh DESCRIPTION
-A client application may request that a server send back an OCSP status
-response (also known as OCSP stapling).
-To do so the client should call the
-.Fn SSL_set_tlsext_status_type
-function on an individual
-.Vt SSL
-object prior to the start of the handshake.
-Currently the only supported type is
-.Dv TLSEXT_STATUSTYPE_ocsp .
-This value should be passed in the
-.Fa type
-argument.
-.Pp
-The client should additionally provide a callback function to decide
-what to do with the returned OCSP response by calling
-.Fn SSL_CTX_set_tlsext_status_cb .
-The callback function should determine whether the returned OCSP
-response is acceptable or not.
-The callback will be passed as an argument the value previously set via
-a call to
-.Fn SSL_CTX_set_tlsext_status_arg .
-Note that the callback will not be called in the event of a handshake
-where session resumption occurs (because there are no Certificates
-exchanged in such a handshake).
-.Pp
-The callback previously set via
-.Fn SSL_CTX_set_tlsext_status_cb
-can be retrieved by calling
-.Fn SSL_CTX_get_tlsext_status_cb ,
-and the argument by calling
-.Fn SSL_CTX_get_tlsext_status_arg .
-.Pp
-On the client side,
-.Fn SSL_get_tlsext_status_type
-can be used to determine whether the client has previously called
-.Fn SSL_set_tlsext_status_type .
-It will return
-.Dv TLSEXT_STATUSTYPE_ocsp
-if it has been called or \-1 otherwise.
-On the server side,
-.Fn SSL_get_tlsext_status_type
-can be used to determine whether the client requested OCSP stapling.
-If the client requested it, then this function will return
-.Dv TLSEXT_STATUSTYPE_ocsp ,
-or \-1 otherwise.
-.Pp
-The response returned by the server can be obtained via a call to
-.Fn SSL_get_tlsext_status_ocsp_resp .
-The value
-.Pf * Fa resp
-will be updated to point to the OCSP response data and the return value
-will be the length of that data.
-If the server has not provided any response data, then
-.Pf * Fa resp
-will be
-.Dv NULL
-and the return value from
-.Fn SSL_get_tlsext_status_ocsp_resp
-will be -1.
-.Pp
-A server application must also call the
-.Fn SSL_CTX_set_tlsext_status_cb
-function if it wants to be able to provide clients with OCSP Certificate
-Status responses.
-Typically the server callback would obtain the server certificate that
-is being sent back to the client via a call to
-.Xr SSL_get_certificate 3 ,
-obtain the OCSP response to be sent back, and then set that response
-data by calling
-.Fn SSL_set_tlsext_status_ocsp_resp .
-A pointer to the response data should be provided in the
-.Fa resp
-argument, and the length of that data should be in the
-.Fa len
-argument.
-.Sh RETURN VALUES
-The callback when used on the client side should return a negative
-value on error, 0 if the response is not acceptable (in which case
-the handshake will fail), or a positive value if it is acceptable.
-.Pp
-The callback when used on the server side should return with either
-.Dv SSL_TLSEXT_ERR_OK
-(meaning that the OCSP response that has been set should be returned),
-.Dv SSL_TLSEXT_ERR_NOACK
-(meaning that an OCSP response should not be returned), or
-.Dv SSL_TLSEXT_ERR_ALERT_FATAL
-(meaning that a fatal error has occurred).
-.Pp
-.Fn SSL_CTX_set_tlsext_status_cb ,
-.Fn SSL_CTX_get_tlsext_status_cb ,
-.Fn SSL_CTX_set_tlsext_status_arg ,
-.Fn SSL_CTX_get_tlsext_status_arg ,
-.Fn SSL_set_tlsext_status_type ,
-and
-.Fn SSL_set_tlsext_status_ocsp_resp
-always return 1, indicating success.
-.Pp
-.Fn SSL_get_tlsext_status_type
-returns
-.Dv TLSEXT_STATUSTYPE_ocsp
-on the client side if
-.Fn SSL_set_tlsext_status_type
-was previously called, or on the server side
-if the client requested OCSP stapling.
-Otherwise \-1 is returned.
-.Pp
-.Fn SSL_get_tlsext_status_ocsp_resp
-returns the length of the OCSP response data
-or \-1 if there is no OCSP response data.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_callback_ctrl 3
-.Sh HISTORY
-.Fn SSL_CTX_set_tlsext_status_cb ,
-.Fn SSL_CTX_set_tlsext_status_arg ,
-.Fn SSL_set_tlsext_status_type ,
-.Fn SSL_get_tlsext_status_ocsp_resp ,
-and
-.Fn SSL_set_tlsext_status_ocsp_resp
-first appeared in OpenSSL 0.9.8h and have been available since
-.Ox 4.5 .
-.Pp
-.Fn SSL_CTX_get_tlsext_status_cb
-and
-.Fn SSL_CTX_get_tlsext_status_arg
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 6.3 .
-.Pp
-.Fn SSL_get_tlsext_status_type
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
deleted file mode 100644
index b6ccabaeca..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
+++ /dev/null
@@ -1,300 +0,0 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.8 2022/01/25 18:01:20 tb Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Rich Salz
-.\" Copyright (c) 2014, 2015, 2016 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 25 2022 $
-.Dt SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_tlsext_ticket_key_cb
-.Nd set a callback for session ticket processing
-.Sh SYNOPSIS
-.In openssl/tls1.h
-.Ft long
-.Fo SSL_CTX_set_tlsext_ticket_key_cb
-.Fa "SSL_CTX sslctx"
-.Fa "int (*cb)(SSL *s, unsigned char key_name[16],\
- unsigned char iv[EVP_MAX_IV_LENGTH],\
- EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_CTX_set_tlsext_ticket_key_cb
-sets a callback function
-.Fa cb
-for handling session tickets for the ssl context
-.Fa sslctx .
-Session tickets, defined in RFC 5077, provide an enhanced session
-resumption capability where the server implementation is not required to
-maintain per session state.
-.Pp
-The callback function
-.Fa cb
-will be called for every client instigated TLS session when session
-ticket extension is presented in the TLS hello message.
-It is the responsibility of this function to create or retrieve the
-cryptographic parameters and to maintain their state.
-.Pp
-The OpenSSL library uses the callback function to help implement a
-common TLS ticket construction state according to RFC 5077 Section 4 such
-that per session state is unnecessary and a small set of cryptographic
-variables needs to be maintained by the callback function
-implementation.
-.Pp
-In order to reuse a session, a TLS client must send a session ticket
-extension to the server.
-The client can only send exactly one session ticket.
-The server, through the callback function, either agrees to reuse the
-session ticket information or it starts a full TLS handshake to create a
-new session ticket.
-.Pp
-The callback is called with
-.Fa ctx
-and
-.Fa hctx
-which were newly allocated with
-.Xr EVP_CIPHER_CTX_new 3
-and
-.Xr HMAC_CTX_new 3 ,
-respectively.
-.Pp
-For new sessions tickets, when the client doesn't present a session
-ticket, or an attempted retrieval of the ticket failed, or a renew
-option was indicated, the callback function will be called with
-.Fa enc
-equal to 1.
-The OpenSSL library expects that the function will set an arbitrary
-.Fa key_name ,
-initialize
-.Fa iv ,
-and set the cipher context
-.Fa ctx
-and the hash context
-.Fa hctx .
-.Pp
-The
-.Fa key_name
-is 16 characters long and is used as a key identifier.
-.Pp
-The
-.Fa iv
-length is the length of the IV of the corresponding cipher.
-The maximum IV length is
-.Dv EVP_MAX_IV_LENGTH
-bytes defined in
-.In openssl/evp.h .
-.Pp
-The initialization vector
-.Fa iv
-should be a random value.
-The cipher context
-.Fa ctx
-should use the initialisation vector
-.Fa iv .
-The cipher context can be set using
-.Xr EVP_EncryptInit_ex 3 .
-The hmac context can be set using
-.Xr HMAC_Init_ex 3 .
-.Pp
-When the client presents a session ticket, the callback function
-with be called with
-.Fa enc
-set to 0 indicating that the
-.Fa cb
-function should retrieve a set of parameters.
-In this case
-.Fa key_name
-and
-.Fa iv
-have already been parsed out of the session ticket.
-The OpenSSL library expects that the
-.Em key_name
-will be used to retrieve a cryptographic parameters and that the
-cryptographic context
-.Fa ctx
-will be set with the retrieved parameters and the initialization vector
-.Fa iv
-using a function like
-.Xr EVP_DecryptInit_ex 3 .
-The
-.Fa hctx
-needs to be set using
-.Xr HMAC_Init_ex 3 .
-.Pp
-If the
-.Fa key_name
-is still valid but a renewal of the ticket is required, the callback
-function should return 2.
-The library will call the callback again with an argument of
-.Fa enc
-equal to 1 to set the new ticket.
-.Pp
-The return value of the
-.Fa cb
-function is used by OpenSSL to determine what further processing will
-occur.
-The following return values have meaning:
-.Bl -tag -width Ds
-.It 2
-This indicates that the
-.Fa ctx
-and
-.Fa hctx
-have been set and the session can continue on those parameters.
-Additionally it indicates that the session ticket is in a renewal period
-and should be replaced.
-The OpenSSL library will call
-.Fa cb
-again with an
-.Fa enc
-argument of 1 to set the new ticket (see RFC 5077 3.3 paragraph 2).
-.It 1
-This indicates that the
-.Fa ctx
-and
-.Fa hctx
-have been set and the session can continue on those parameters.
-.It 0
-This indicates that it was not possible to set/retrieve a session ticket
-and the SSL/TLS session will continue by negotiating a set of
-cryptographic parameters or using the alternate SSL/TLS resumption
-mechanism, session ids.
-.Pp
-If called with
-.Fa enc
-equal to 0, the library will call the
-.Fa cb
-again to get a new set of parameters.
-.It less than 0
-This indicates an error.
-.El
-.Pp
-Session resumption shortcuts the TLS so that the client certificate
-negotiation don't occur.
-It makes up for this by storing client certificate and all other
-negotiated state information encrypted within the ticket.
-In a resumed session the applications will have all this state
-information available exactly as if a full negotiation had occurred.
-.Pp
-If an attacker can obtain the key used to encrypt a session ticket, they
-can obtain the master secret for any ticket using that key and decrypt
-any traffic using that session: even if the ciphersuite supports forward
-secrecy.
-As a result applications may wish to use multiple keys and avoid using
-long term keys stored in files.
-.Pp
-Applications can use longer keys to maintain a consistent level of
-security.
-For example if a ciphersuite uses 256 bit ciphers but only a 128 bit
-ticket key the overall security is only 128 bits because breaking the
-ticket key will enable an attacker to obtain the session keys.
-.Sh RETURN VALUES
-This function returns 0 to indicate that the callback function was set.
-.Sh EXAMPLES
-Reference Implementation:
-.Bd -literal
-SSL_CTX_set_tlsext_ticket_key_cb(SSL, ssl_tlsext_ticket_key_cb);
-\&....
-static int ssl_tlsext_ticket_key_cb(SSL *s, unsigned char key_name[16],
- unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
-{
- if (enc) { /* create new session */
- if (RAND_bytes(iv, EVP_MAX_IV_LENGTH))
- return -1; /* insufficient random */
-
- key = currentkey(); /* something you need to implement */
- if (!key) {
- /* current key doesn't exist or isn't valid */
- key = createkey();
- /* something that you need to implement.
- * createkey needs to initialise a name,
- * an aes_key, a hmac_key, and optionally
- * an expire time.
*/
- if (!key) /* key couldn't be created */
- return 0;
- }
- memcpy(key_name, key->name, 16);
-
- EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
- key->aes_key, iv);
- HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
-
- return 1;
-
- } else { /* retrieve session */
- key = findkey(name);
-
- if (!key || key->expire < now())
- return 0;
-
- HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
- EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
- key->aes_key, iv );
-
- if (key->expire < (now() - RENEW_TIME))
- /* this session will get a new ticket
- * even though the current is still valid */
- return 2;
-
- return 1;
- }
-}
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_add_session 3 ,
-.Xr SSL_CTX_callback_ctrl 3 ,
-.Xr SSL_CTX_sess_number 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_CTX_set_session_id_context 3 ,
-.Xr SSL_session_reused 3 ,
-.Xr SSL_set_session 3
-.Sh HISTORY
-.Fn SSL_CTX_set_tlsext_ticket_key_cb
-first appeared in OpenSSL 0.9.8h and has been available since
-.Ox 4.5 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
deleted file mode 100644
index 04c4833c6a..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
+++ /dev/null
@@ -1,197 +0,0 @@ -.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.6 2021/06/11 19:41:39 jmc Exp $ -.\" full merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000 -.\" -.\" This file was written by Matt Caswell . -.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 11 2021 $ -.Dt SSL_CTX_SET_TLSEXT_USE_SRTP 3 -.Os -.Sh NAME -.Nm SSL_CTX_set_tlsext_use_srtp , -.Nm SSL_set_tlsext_use_srtp , -.Nm SSL_get_srtp_profiles , -.Nm SSL_get_selected_srtp_profile -.Nd Configure and query SRTP support -.Sh SYNOPSIS -.In openssl/srtp.h -.Ft int -.Fo SSL_CTX_set_tlsext_use_srtp -.Fa "SSL_CTX *ctx" -.Fa "const char *profiles" -.Fc -.Ft int -.Fo SSL_set_tlsext_use_srtp -.Fa "SSL *ssl" -.Fa "const char *profiles" -.Fc -.Ft STACK_OF(SRTP_PROTECTION_PROFILE) * -.Fo SSL_get_srtp_profiles -.Fa "SSL *ssl" -.Fc -.Ft SRTP_PROTECTION_PROFILE * -.Fo SSL_get_selected_srtp_profile -.Fa "SSL *ssl" -.Fc -.Sh DESCRIPTION -SRTP is the Secure Real-Time Transport Protocol. -OpenSSL implements support for the "use_srtp" DTLS extension -defined in RFC 5764. -This provides a mechanism for establishing SRTP keying material, -algorithms and parameters using DTLS. 
-This capability may be used as part of an implementation that
-conforms to RFC 5763.
-OpenSSL does not implement SRTP itself or RFC 5763.
-Note that OpenSSL does not support the use of SRTP Master Key
-Identifiers (MKIs).
-Also note that this extension is only supported in DTLS.
-Any SRTP configuration is ignored if a TLS connection is attempted.
-.Pp
-An OpenSSL client wishing to send the "use_srtp" extension should call
-.Fn SSL_CTX_set_tlsext_use_srtp
-to set its use for all
-.Vt SSL
-objects subsequently created from
-.Fa ctx .
-Alternatively a client may call
-.Fn SSL_set_tlsext_use_srtp
-to set its use for an individual
-.Vt SSL
-object.
-The
-.Fa profiles
-parameter should point to a NUL-terminated, colon delimited list of
-SRTP protection profile names.
-.Pp
-The currently supported protection profile names are:
-.Bl -tag -width Ds
-.It Dv SRTP_AES128_CM_SHA1_80
-This corresponds to SRTP_AES128_CM_HMAC_SHA1_80 defined in RFC 5764.
-.It Dv SRTP_AES128_CM_SHA1_32
-This corresponds to SRTP_AES128_CM_HMAC_SHA1_32 defined in RFC 5764.
-.It Dv SRTP_AEAD_AES_128_GCM
-This corresponds to SRTP_AEAD_AES_128_GCM defined in RFC 7714.
-.It Dv SRTP_AEAD_AES_256_GCM
-This corresponds to SRTP_AEAD_AES_256_GCM defined in RFC 7714.
-.El
-.Pp
-Supplying an unrecognised protection profile name results in an error.
-.Pp
-An OpenSSL server wishing to support the "use_srtp" extension should
-also call
-.Fn SSL_CTX_set_tlsext_use_srtp
-or
-.Fn SSL_set_tlsext_use_srtp
-to indicate the protection profiles that it is willing to negotiate.
-.Pp
-The currently configured list of protection profiles for either a client
-or a server can be obtained by calling
-.Fn SSL_get_srtp_profiles .
-This returns a stack of
-.Vt SRTP_PROTECTION_PROFILE
-objects.
-The memory pointed to in the return value of this function should not be
-freed by the caller.
-.Pp
-After a handshake has been completed, the negotiated SRTP protection
-profile (if any) can be obtained (on the client or the server) by
-calling
-.Fn SSL_get_selected_srtp_profile .
-This function returns
-.Dv NULL
-if no SRTP protection profile was negotiated.
-The memory returned from this function should not be freed by the
-caller.
-.Pp
-If an SRTP protection profile has been successfully negotiated,
-then the SRTP keying material (on both the client and server)
-should be obtained by calling
-.Xr SSL_export_keying_material 3
-with a
-.Fa label
-of
-.Qq EXTRACTOR-dtls_srtp ,
-a
-.Fa context
-of
-.Dv NULL ,
-and a
-.Fa use_context
-argument of 0.
-The total length of keying material obtained should be equal to two
-times the sum of the master key length and the salt length as defined
-for the protection profile in use.
-This provides the client write master key, the server write master key,
-the client write master salt and the server write master salt in that
-order.
-.Sh RETURN VALUES
-Contrary to OpenSSL conventions,
-.Fn SSL_CTX_set_tlsext_use_srtp
-and
-.Fn SSL_set_tlsext_use_srtp
-return 0 on success or 1 on error.
-.Pp
-.Fn SSL_get_srtp_profiles
-returns a stack of
-.Vt SRTP_PROTECTION_PROFILE
-objects on success or
-.Dv NULL
-on error or if no protection profiles have been configured.
-.Pp
-.Fn SSL_get_selected_srtp_profile
-returns a pointer to an
-.Vt SRTP_PROTECTION_PROFILE
-object if one has been negotiated or
-.Dv NULL
-otherwise.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_export_keying_material 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.0.1
-and have been available since
-.Ox 5.3 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
deleted file mode 100644
index 8be504d3b3..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
+++ /dev/null
@@ -1,230 +0,0 @@ -.\" $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.10 2022/03/31 17:27:18 naddy Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001, 2014, 2015 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 31 2022 $ -.Dt SSL_CTX_SET_TMP_DH_CALLBACK 3 -.Os -.Sh NAME -.Nm SSL_CTX_set_tmp_dh_callback , -.Nm SSL_CTX_set_tmp_dh , -.Nm SSL_set_tmp_dh_callback , -.Nm SSL_set_tmp_dh -.Nd handle DH keys for ephemeral key exchange -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft void -.Fo SSL_CTX_set_tmp_dh_callback -.Fa "SSL_CTX *ctx" -.Fa "DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)" -.Fc -.Ft long -.Fn SSL_CTX_set_tmp_dh "SSL_CTX *ctx" "DH *dh" -.Ft void -.Fo SSL_set_tmp_dh_callback -.Fa "SSL *ssl" -.Fa "DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength" -.Fc -.Ft long -.Fn SSL_set_tmp_dh "SSL *ssl" "DH *dh" -.Sh DESCRIPTION -.Fn SSL_CTX_set_tmp_dh_callback -sets the callback function for -.Fa ctx -to be used when a DH parameters are required to -.Fa tmp_dh_callback . -The callback is inherited by all -.Vt ssl -objects created from -.Fa ctx . -.Pp -.Fn SSL_CTX_set_tmp_dh -sets DH parameters to be used by -.Fa ctx . 
-The key is inherited by all
-.Fa ssl
-objects created from
-.Fa ctx .
-.Pp
-.Fn SSL_set_tmp_dh_callback
-sets the callback only for
-.Fa ssl .
-.Pp
-.Fn SSL_set_tmp_dh
-sets the parameters only for
-.Fa ssl .
-.Pp
-These functions apply to SSL/TLS servers only.
-.Pp
-When using a cipher with RSA authentication,
-an ephemeral DH key exchange can take place.
-Ciphers with DSA keys always use ephemeral DH keys as well.
-In these cases, the session data are negotiated using the ephemeral/temporary
-DH key and the key supplied and certified by the certificate chain is only used
-for signing.
-Anonymous ciphers (without a permanent server key) also use ephemeral DH keys.
-.Pp
-Using ephemeral DH key exchange yields forward secrecy,
-as the connection can only be decrypted when the DH key is known.
-By generating a temporary DH key inside the server application that is lost
-when the application is left, it becomes impossible for attackers to decrypt
-past sessions, even if they get hold of the normal (certified) key,
-as this key was only used for signing.
-.Pp
-In order to perform a DH key exchange, the server must use a DH group
-(DH parameters) and generate a DH key.
-The server will always generate a new DH key during the negotiation.
-.Pp
-As generating DH parameters is extremely time consuming, an application should
-not generate the parameters on the fly but supply the parameters.
-DH parameters can be reused,
-as the actual key is newly generated during the negotiation.
-The risk in reusing DH parameters is that an attacker may specialize on a very
-often used DH group.
-Applications should therefore generate their own DH parameters during the
-installation process using the
-.Xr openssl 1
-.Cm dhparam
-application.
-This application guarantees that "strong" primes are used.
-.Pp
-Files
-.Pa dh2048.pem
-and
-.Pa dh4096.pem
-in the
-.Pa apps
-directory of the current version of the OpenSSL distribution contain the
-.Sq SKIP
-DH parameters,
-which use safe primes and were generated verifiably pseudo-randomly.
-These files can be converted into C code using the
-.Fl C
-option of the
-.Xr openssl 1
-.Cm dhparam
-application.
-Generation of custom DH parameters during installation should still
-be preferred to stop an attacker from specializing on a commonly
-used group.
-The file
-.Pa dh1024.pem
-contains old parameters that must not be used by applications.
-.Pp
-An application may either directly specify the DH parameters or can supply the
-DH parameters via a callback function.
-.Pp
-Previous versions of the callback used
-.Fa is_export
-and
-.Fa keylength
-parameters to control parameter generation for export and non-export
-cipher suites.
-Modern servers that do not support export ciphersuites are advised
-to either use
-.Fn SSL_CTX_set_tmp_dh
-or alternatively, use the callback but ignore
-.Fa keylength
-and
-.Fa is_export
-and simply supply at least 2048-bit parameters in the callback.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_tmp_dh
-and
-.Fn SSL_set_tmp_dh
-do return 1 on success and 0 on failure.
-Check the error queue to find out the reason of failure.
-.Sh EXAMPLES
-Set up DH parameters with a key length of 2048 bits.
-Error handling is partly left out.
-.Pp
-Command-line parameter generation:
-.Pp
-.Dl openssl dhparam -out dh_param_2048.pem 2048
-.Pp
-Code for setting up parameters during server initialization:
-.Bd -literal
-SSL_CTX ctx = SSL_CTX_new();
-\&...
-
-/* Set up ephemeral DH parameters. */
-DH *dh_2048 = NULL;
-FILE *paramfile;
-paramfile = fopen("dh_param_2048.pem", "r");
-if (paramfile) {
- dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
- fclose(paramfile);
-} else {
- /* Error. */
-}
-if (dh_2048 == NULL) {
- /* Error. */
-}
-if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) {
- /* Error.
*/ -} -.Ed -.Sh SEE ALSO -.Xr openssl 1 , -.Xr ssl 3 , -.Xr SSL_CTX_set_cipher_list 3 , -.Xr SSL_CTX_set_options 3 , -.Xr SSL_set_tmp_ecdh 3 -.Sh HISTORY -.Fn SSL_CTX_set_tmp_dh_callback -and -.Fn SSL_CTX_set_tmp_dh -first appeared in SSLeay 0.8.0 and have been available since -.Ox 2.4 . -.Pp -.Fn SSL_set_tmp_dh_callback -and -.Fn SSL_set_tmp_dh -first appeared in OpenSSL 0.9.2b and have been available since -.Ox 2.6 . diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 deleted file mode 100644 index b4c3a3c647..0000000000 --- a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 +++ /dev/null 
@@ -1,114 +0,0 @@ -.\" $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.9 2022/03/29 14:27:59 naddy Exp $ -.\" OpenSSL 0b30fc90 Dec 19 15:23:05 2013 -0500 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001, 2006, 2013 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 29 2022 $ -.Dt SSL_CTX_SET_TMP_RSA_CALLBACK 3 -.Os -.Sh NAME -.Nm SSL_CTX_set_tmp_rsa_callback , -.Nm SSL_CTX_set_tmp_rsa , -.Nm SSL_CTX_need_tmp_RSA , -.Nm SSL_set_tmp_rsa_callback , -.Nm SSL_set_tmp_rsa , -.Nm SSL_need_tmp_RSA -.Nd handle RSA keys for ephemeral key exchange -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft void -.Fo SSL_CTX_set_tmp_rsa_callback -.Fa "SSL_CTX *ctx" -.Fa "RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)" -.Fc -.Ft long -.Fn SSL_CTX_set_tmp_rsa "SSL_CTX *ctx" "RSA *rsa" -.Ft long -.Fn SSL_CTX_need_tmp_RSA "SSL_CTX *ctx" -.Ft void -.Fo SSL_set_tmp_rsa_callback -.Fa "SSL_CTX *ctx" -.Fa "RSA *(*tmp_rsa_callback)(SSL *ssl, int is_export, int keylength)" -.Fc -.Ft long -.Fn SSL_set_tmp_rsa "SSL *ssl" "RSA *rsa" -.Ft long -.Fn SSL_need_tmp_RSA "SSL *ssl" -.Sh DESCRIPTION -Since they mattered only for deliberately insecure RSA authentication -mandated by historical U.S. 
export restrictions, these functions
-are all deprecated and have no effect except that
-.Fn SSL_CTX_set_tmp_rsa_callback ,
-.Fn SSL_CTX_set_tmp_rsa ,
-.Fn SSL_set_tmp_rsa_callback ,
-and
-.Fn SSL_set_tmp_rsa
-issue error messages when called.
-.Sh RETURN VALUES
-These functions always return 0, indicating failure.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_cipher_list 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_tmp_dh_callback 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_tmp_ecdh 3
-.Sh HISTORY
-.Fn SSL_CTX_set_tmp_rsa_callback ,
-.Fn SSL_CTX_set_tmp_rsa ,
-and
-.Fn SSL_CTX_need_tmp_RSA
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_set_tmp_rsa_callback ,
-.Fn SSL_set_tmp_rsa ,
-and
-.Fn SSL_need_tmp_RSA
-first appeared in OpenSSL 0.9.2b and have been available since
-.Ox 2.6 .
diff --git a/src/lib/libssl/man/SSL_CTX_set_verify.3 b/src/lib/libssl/man/SSL_CTX_set_verify.3
deleted file mode 100644
index 1ed86407e9..0000000000
--- a/src/lib/libssl/man/SSL_CTX_set_verify.3
+++ /dev/null
@@ -1,479 +0,0 @@ -.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.9 2021/06/12 16:59:53 jmc Exp $ -.\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400 -.\" selective merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2001, 2002, 2003, 2014 The OpenSSL Project. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 12 2021 $ -.Dt SSL_CTX_SET_VERIFY 3 -.Os -.Sh NAME -.Nm SSL_CTX_set_verify , -.Nm SSL_set_verify , -.Nm SSL_CTX_set_verify_depth , -.Nm SSL_set_verify_depth -.Nd set peer certificate verification parameters -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft void -.Fo SSL_CTX_set_verify -.Fa "SSL_CTX *ctx" -.Fa "int mode" -.Fa "int (*verify_callback)(int, X509_STORE_CTX *)" -.Fc -.Ft void -.Fo SSL_set_verify -.Fa "SSL *s" -.Fa "int mode" -.Fa "int (*verify_callback)(int, X509_STORE_CTX *)" -.Fc -.Ft void -.Fn SSL_CTX_set_verify_depth "SSL_CTX *ctx" "int depth" -.Ft void -.Fn SSL_set_verify_depth "SSL *s" "int depth" -.Ft int -.Fn verify_callback "int preverify_ok" "X509_STORE_CTX *x509_ctx" -.Sh DESCRIPTION -.Fn SSL_CTX_set_verify -sets the verification flags for -.Fa ctx -to be -.Fa mode -and -specifies the -.Fa verify_callback -function to be used. 
-If no callback function shall be specified, the
-.Dv NULL
-pointer can be used for
-.Fa verify_callback .
-.Pp
-.Fn SSL_set_verify
-sets the verification flags for
-.Fa ssl
-to be
-.Fa mode
-and specifies the
-.Fa verify_callback
-function to be used.
-If no callback function shall be specified, the
-.Dv NULL
-pointer can be used for
-.Fa verify_callback .
-In this case last
-.Fa verify_callback
-set specifically for this
-.Fa ssl
-remains.
-If no special callback was set before, the default callback for the underlying
-.Fa ctx
-is used, that was valid at the time
-.Fa ssl
-was created with
-.Xr SSL_new 3 .
-Within the callback function,
-.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3
-can be called to get the data index of the current
-.Vt SSL
-object that is doing the verification.
-.Pp
-.Fn SSL_CTX_set_verify_depth
-sets the maximum
-.Fa depth
-for the certificate chain verification that shall be allowed for
-.Fa ctx .
-(See the
-.Sx BUGS
-section.)
-.Pp
-.Fn SSL_set_verify_depth
-sets the maximum
-.Fa depth
-for the certificate chain verification that shall be allowed for
-.Fa ssl .
-(See the
-.Sx BUGS
-section.)
-.Pp
-The verification of certificates can be controlled by a set of bitwise ORed
-.Fa mode
-flags:
-.Bl -tag -width Ds
-.It Dv SSL_VERIFY_NONE
-.Em Server mode :
-the server will not send a client certificate request to the client,
-so the client will not send a certificate.
-.Pp
-.Em Client mode :
-if not using an anonymous cipher (by default disabled),
-the server will send a certificate which will be checked.
-The result of the certificate verification process can be checked after the
-TLS/SSL handshake using the
-.Xr SSL_get_verify_result 3
-function.
-The handshake will be continued regardless of the verification result.
-.It Dv SSL_VERIFY_PEER
-.Em Server mode :
-the server sends a client certificate request to the client.
-The certificate returned (if any) is checked.
-If the verification process fails,
-the TLS/SSL handshake is immediately terminated with an alert message
-containing the reason for the verification failure.
-The behaviour can be controlled by the additional
-.Dv SSL_VERIFY_FAIL_IF_NO_PEER_CERT
-and
-.Dv SSL_VERIFY_CLIENT_ONCE
-flags.
-.Pp
-.Em Client mode :
-the server certificate is verified.
-If the verification process fails,
-the TLS/SSL handshake is immediately terminated with an alert message
-containing the reason for the verification failure.
-If no server certificate is sent, because an anonymous cipher is used,
-.Dv SSL_VERIFY_PEER
-is ignored.
-.It Dv SSL_VERIFY_FAIL_IF_NO_PEER_CERT
-.Em Server mode :
-if the client did not return a certificate, the TLS/SSL
-handshake is immediately terminated with a
-.Dq handshake failure
-alert.
-This flag must be used together with
-.Dv SSL_VERIFY_PEER .
-.Pp
-.Em Client mode :
-ignored
-.It Dv SSL_VERIFY_CLIENT_ONCE
-.Em Server mode :
-only request a client certificate on the initial TLS/SSL handshake.
-Do not ask for a client certificate again in case of a renegotiation.
-This flag must be used together with
-.Dv SSL_VERIFY_PEER .
-.Pp
-.Em Client mode :
-ignored
-.El
-.Pp
-Exactly one of the
-.Fa mode
-flags
-.Dv SSL_VERIFY_NONE
-and
-.Dv SSL_VERIFY_PEER
-must be set at any time.
-.Pp
-The actual verification procedure is performed either using the built-in
-verification procedure or using another application provided verification
-function set with
-.Xr SSL_CTX_set_cert_verify_callback 3 .
-The following descriptions apply in the case of the built-in procedure.
-An application provided procedure also has access to the verify depth
-information and the
-.Fa verify_callback Ns ()
-function, but the way this information is used may be different.
-.Pp
-.Fn SSL_CTX_set_verify_depth
-and
-.Fn SSL_set_verify_depth
-set the limit up to which depth certificates in a chain are used during the
-verification procedure.
-If the certificate chain is longer than allowed,
-the certificates above the limit are ignored.
-Error messages are generated as if these certificates would not be present,
-most likely a
-.Dv X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
-will be issued.
-The depth count is
-.Dq level 0: peer certificate ,
-.Dq level 1: CA certificate ,
-.Dq level 2: higher level CA certificate ,
-and so on.
-Setting the maximum depth to 2 allows the levels 0, 1, and 2.
-The default depth limit is 100,
-allowing for the peer certificate and an additional 100 CA certificates.
-.Pp
-The
-.Fa verify_callback
-function is used to control the behaviour when the
-.Dv SSL_VERIFY_PEER
-flag is set.
-It must be supplied by the application and receives two arguments:
-.Fa preverify_ok
-indicates whether the verification of the certificate in question was passed
-(preverify_ok=1) or not (preverify_ok=0).
-.Fa x509_ctx
-is a pointer to the complete context used
-for the certificate chain verification.
-.Pp
-The certificate chain is checked starting with the deepest nesting level
-(the root CA certificate) and worked upward to the peer's certificate.
-At each level signatures and issuer attributes are checked.
-Whenever a verification error is found, the error number is stored in
-.Fa x509_ctx
-and
-.Fa verify_callback
-is called with
-.Fa preverify_ok
-equal to 0.
-By applying
-.Fn X509_CTX_store_*
-functions
-.Fa verify_callback
-can locate the certificate in question and perform additional steps (see
-.Sx EXAMPLES ) .
-If no error is found for a certificate,
-.Fa verify_callback
-is called with
-.Fa preverify_ok
-equal to 1 before advancing to the next level.
-.Pp
-The return value of
-.Fa verify_callback
-controls the strategy of the further verification process.
-If
-.Fa verify_callback
-returns 0, the verification process is immediately stopped with
-.Dq verification failed
-state.
-If
-.Dv SSL_VERIFY_PEER
-is set, a verification failure alert is sent to the peer and the TLS/SSL
-handshake is terminated.
-If
-.Fa verify_callback
-returns 1, the verification process is continued.
-If
-.Fa verify_callback
-always returns 1,
-the TLS/SSL handshake will not be terminated with respect to verification
-failures and the connection will be established.
-The calling process can however retrieve the error code of the last
-verification error using
-.Xr SSL_get_verify_result 3
-or by maintaining its own error storage managed by
-.Fa verify_callback .
-.Pp
-If no
-.Fa verify_callback
-is specified, the default callback will be used.
-Its return value is identical to
-.Fa preverify_ok ,
-so that any verification
-failure will lead to a termination of the TLS/SSL handshake with an
-alert message, if
-.Dv SSL_VERIFY_PEER
-is set.
-.Sh EXAMPLES
-The following code sequence realizes an example
-.Fa verify_callback
-function that will always continue the TLS/SSL handshake regardless of
-verification failure, if wished.
-The callback realizes a verification depth limit with more informational output.
-.Pp
-All verification errors are printed;
-information about the certificate chain is printed on request.
-The example is realized for a server that does allow but not require client
-certificates.
-.Pp
-The example makes use of the ex_data technique to store application data
-into/retrieve application data from the
-.Vt SSL
-structure (see
-.Xr SSL_get_ex_new_index 3 ,
-.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 ) .
-.Bd -literal
-\&...
-
-typedef struct {
- int verbose_mode;
- int verify_depth;
- int always_continue;
-} mydata_t;
-int mydata_index;
-\&...
-static int -verify_callback(int preverify_ok, X509_STORE_CTX *ctx) -{ - char buf[256]; - X509 *err_cert; - int err, depth; - SSL *ssl; - mydata_t *mydata; - - err_cert = X509_STORE_CTX_get_current_cert(ctx); - err = X509_STORE_CTX_get_error(ctx); - depth = X509_STORE_CTX_get_error_depth(ctx); - - /* - * Retrieve the pointer to the SSL of the connection currently - * treated * and the application specific data stored into the - * SSL object. - */ - ssl = X509_STORE_CTX_get_ex_data(ctx, - SSL_get_ex_data_X509_STORE_CTX_idx()); - mydata = SSL_get_ex_data(ssl, mydata_index); - - X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); - - /* - * Catch a too long certificate chain. The depth limit set using - * SSL_CTX_set_verify_depth() is by purpose set to "limit+1" so - * that whenever the "depth>verify_depth" condition is met, we - * have violated the limit and want to log this error condition. - * We must do it here, because the CHAIN_TOO_LONG error would not - * be found explicitly; only errors introduced by cutting off the - * additional certificates would be logged. - */ - if (depth > mydata->verify_depth) { - preverify_ok = 0; - err = X509_V_ERR_CERT_CHAIN_TOO_LONG; - X509_STORE_CTX_set_error(ctx, err); - } - if (!preverify_ok) { - printf("verify error:num=%d:%s:depth=%d:%s\en", err, - X509_verify_cert_error_string(err), depth, buf); - } else if (mydata->verbose_mode) { - printf("depth=%d:%s\en", depth, buf); - } - - /* - * At this point, err contains the last verification error. - * We can use it for something special - */ - if (!preverify_ok && (err == - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)) { - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), - buf, 256); - printf("issuer= %s\en", buf); - } - - if (mydata->always_continue) - return 1; - else - return preverify_ok; -} -\&... - -mydata_t mydata; - -\&... - -mydata_index = SSL_get_ex_new_index(0, "mydata index", NULL, NULL, NULL); - -\&... 
- -SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, - verify_callback); - -/* - * Let the verify_callback catch the verify_depth error so that we get - * an appropriate error in the logfile. - */ -SSL_CTX_set_verify_depth(verify_depth + 1); - -/* - * Set up the SSL specific data into "mydata" and store it into the SSL - * structure. - */ -mydata.verify_depth = verify_depth; ... -SSL_set_ex_data(ssl, mydata_index, &mydata); - -\&... - -SSL_accept(ssl); /* check of success left out for clarity */ -if (peer = SSL_get_peer_certificate(ssl)) { - if (SSL_get_verify_result(ssl) == X509_V_OK) { - /* The client sent a certificate which verified OK */ - } -} -.Ed -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_get_verify_mode 3 , -.Xr SSL_CTX_load_verify_locations 3 , -.Xr SSL_CTX_set_cert_verify_callback 3 , -.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 , -.Xr SSL_get_ex_new_index 3 , -.Xr SSL_get_peer_certificate 3 , -.Xr SSL_get_verify_result 3 , -.Xr SSL_new 3 , -.Xr SSL_set1_host 3 -.Sh HISTORY -.Fn SSL_set_verify -appeared in SSLeay 0.4 or earlier. -.Fn SSL_CTX_set_verify -first appeared in SSLeay 0.6.4. -Both functions have been available since -.Ox 2.4 . -.Pp -.Fn SSL_CTX_set_verify_depth -and -.Fn SSL_set_verify_depth -first appeared in OpenSSL 0.9.3 and have been available since -.Ox 2.6 . -.Sh BUGS -In client mode, it is not checked whether the -.Dv SSL_VERIFY_PEER -flag is set, but whether -.Dv SSL_VERIFY_NONE -is not set. -This can lead to unexpected behaviour, if the -.Dv SSL_VERIFY_PEER -and -.Dv SSL_VERIFY_NONE -are not used as required (exactly one must be set at any time). -.Pp -The certificate verification depth set with -.Fn SSL[_CTX]_verify_depth -stops the verification at a certain depth. -The error message produced will be that of an incomplete certificate chain and -not -.Dv X509_V_ERR_CERT_CHAIN_TOO_LONG -as may be expected. 
diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3 deleted file mode 100644 index fac1245f1c..0000000000 --- a/src/lib/libssl/man/SSL_CTX_use_certificate.3 +++ /dev/null 
@@ -1,451 +0,0 @@ -.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.16 2021/03/31 16:53:30 tb Exp $ -.\" full merge up to: OpenSSL 3aaa1bd0 Mar 28 16:35:25 2017 +1000 -.\" selective merge up to: OpenSSL d1f7a1e6 Apr 26 14:05:40 2018 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2001, 2002, 2003, 2005 The OpenSSL Project. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. 
-.\" -.Dd $Mdocdate: March 31 2021 $ -.Dt SSL_CTX_USE_CERTIFICATE 3 -.Os -.Sh NAME -.Nm SSL_CTX_use_certificate , -.Nm SSL_CTX_use_certificate_ASN1 , -.Nm SSL_CTX_use_certificate_file , -.Nm SSL_use_certificate , -.Nm SSL_use_certificate_ASN1 , -.Nm SSL_use_certificate_chain_file , -.Nm SSL_use_certificate_file , -.Nm SSL_CTX_use_certificate_chain_file , -.Nm SSL_CTX_use_certificate_chain_mem , -.Nm SSL_CTX_use_PrivateKey , -.Nm SSL_CTX_use_PrivateKey_ASN1 , -.Nm SSL_CTX_use_PrivateKey_file , -.Nm SSL_CTX_use_RSAPrivateKey , -.Nm SSL_CTX_use_RSAPrivateKey_ASN1 , -.Nm SSL_CTX_use_RSAPrivateKey_file , -.Nm SSL_use_PrivateKey_file , -.Nm SSL_use_PrivateKey_ASN1 , -.Nm SSL_use_PrivateKey , -.Nm SSL_use_RSAPrivateKey , -.Nm SSL_use_RSAPrivateKey_ASN1 , -.Nm SSL_use_RSAPrivateKey_file , -.Nm SSL_CTX_check_private_key , -.Nm SSL_check_private_key -.Nd load certificate and key data -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fn SSL_CTX_use_certificate "SSL_CTX *ctx" "X509 *x" -.Ft int -.Fn SSL_CTX_use_certificate_ASN1 "SSL_CTX *ctx" "int len" "unsigned char *d" -.Ft int -.Fn SSL_CTX_use_certificate_file "SSL_CTX *ctx" "const char *file" "int type" -.Ft int -.Fn SSL_use_certificate "SSL *ssl" "X509 *x" -.Ft int -.Fn SSL_use_certificate_ASN1 "SSL *ssl" "unsigned char *d" "int len" -.Ft int -.Fn SSL_use_certificate_chain_file "SSL *ssl" "const char *file" -.Ft int -.Fn SSL_use_certificate_file "SSL *ssl" "const char *file" "int type" -.Ft int -.Fn SSL_CTX_use_certificate_chain_file "SSL_CTX *ctx" "const char *file" -.Ft int -.Fn SSL_CTX_use_certificate_chain_mem "SSL_CTX *ctx" "void *buf" "int len" -.Ft int -.Fn SSL_CTX_use_PrivateKey "SSL_CTX *ctx" "EVP_PKEY *pkey" -.Ft int -.Fo SSL_CTX_use_PrivateKey_ASN1 -.Fa "int pk" "SSL_CTX *ctx" "unsigned char *d" "long len" -.Fc -.Ft int -.Fn SSL_CTX_use_PrivateKey_file "SSL_CTX *ctx" "const char *file" "int type" -.Ft int -.Fn SSL_CTX_use_RSAPrivateKey "SSL_CTX *ctx" "RSA *rsa" -.Ft int -.Fn SSL_CTX_use_RSAPrivateKey_ASN1 "SSL_CTX 
*ctx" "unsigned char *d" "long len" -.Ft int -.Fn SSL_CTX_use_RSAPrivateKey_file "SSL_CTX *ctx" "const char *file" "int type" -.Ft int -.Fn SSL_use_PrivateKey "SSL *ssl" "EVP_PKEY *pkey" -.Ft int -.Fn SSL_use_PrivateKey_ASN1 "int pk" "SSL *ssl" "unsigned char *d" "long len" -.Ft int -.Fn SSL_use_PrivateKey_file "SSL *ssl" "const char *file" "int type" -.Ft int -.Fn SSL_use_RSAPrivateKey "SSL *ssl" "RSA *rsa" -.Ft int -.Fn SSL_use_RSAPrivateKey_ASN1 "SSL *ssl" "const unsigned char *d" "long len" -.Ft int -.Fn SSL_use_RSAPrivateKey_file "SSL *ssl" "const char *file" "int type" -.Ft int -.Fn SSL_CTX_check_private_key "const SSL_CTX *ctx" -.Ft int -.Fn SSL_check_private_key "const SSL *ssl" -.Sh DESCRIPTION -These functions load the certificates and private keys into the -.Vt SSL_CTX -or -.Vt SSL -object, respectively. -.Pp -The -.Fn SSL_CTX_* -class of functions loads the certificates and keys into the -.Vt SSL_CTX -object -.Fa ctx . -The information is passed to -.Vt SSL -objects -.Fa ssl -created from -.Fa ctx -with -.Xr SSL_new 3 -by copying, so that changes applied to -.Fa ctx -do not propagate to already existing -.Vt SSL -objects. -.Pp -The -.Fn SSL_* -class of functions only loads certificates and keys into a specific -.Vt SSL -object. -The specific information is kept when -.Xr SSL_clear 3 -is called for this -.Vt SSL -object. -.Pp -.Fn SSL_CTX_use_certificate -loads the certificate -.Fa x -into -.Fa ctx ; -.Fn SSL_use_certificate -loads -.Fa x -into -.Fa ssl . -The rest of the certificates needed to form the complete certificate chain can -be specified using the -.Xr SSL_CTX_add_extra_chain_cert 3 -function. -.Pp -.Fn SSL_CTX_use_certificate_ASN1 -loads the ASN1 encoded certificate from the memory location -.Fa d -(with length -.Fa len ) -into -.Fa ctx ; -.Fn SSL_use_certificate_ASN1 -loads the ASN1 encoded certificate into -.Fa ssl . -.Pp -.Fn SSL_CTX_use_certificate_file -loads the first certificate stored in -.Fa file -into -.Fa ctx . 
-The formatting -.Fa type -of the certificate must be specified from the known types -.Dv SSL_FILETYPE_PEM -and -.Dv SSL_FILETYPE_ASN1 . -.Fn SSL_use_certificate_file -loads the certificate from -.Fa file -into -.Fa ssl . -See the -.Sx NOTES -section on why -.Fn SSL_CTX_use_certificate_chain_file -should be preferred. -.Pp -The -.Fn SSL_CTX_use_certificate_chain* -functions load a certificate chain into -.Fa ctx . -The certificates must be in PEM format and must be sorted starting with the -subject's certificate (actual client or server certificate), -followed by intermediate CA certificates if applicable, -and ending at the highest level (root) CA. -With the exception of -.Fn SSL_use_certificate_chain_file , -there is no corresponding function working on a single -.Vt SSL -object. -.Pp -.Fn SSL_CTX_use_PrivateKey -adds -.Fa pkey -as private key to -.Fa ctx . -.Fn SSL_CTX_use_RSAPrivateKey -adds the private key -.Fa rsa -of type RSA to -.Fa ctx . -.Fn SSL_use_PrivateKey -adds -.Fa pkey -as private key to -.Fa ssl ; -.Fn SSL_use_RSAPrivateKey -adds -.Fa rsa -as private key of type RSA to -.Fa ssl . -If a certificate has already been set and the private does not belong to the -certificate, an error is returned. -To change a certificate private key pair, -the new certificate needs to be set with -.Fn SSL_use_certificate -or -.Fn SSL_CTX_use_certificate -before setting the private key with -.Fn SSL_CTX_use_PrivateKey -or -.Fn SSL_use_PrivateKey . -.Pp -.Fn SSL_CTX_use_PrivateKey_ASN1 -adds the private key of type -.Fa pk -stored at memory location -.Fa d -(length -.Fa len ) -to -.Fa ctx . -.Fn SSL_CTX_use_RSAPrivateKey_ASN1 -adds the private key of type RSA stored at memory location -.Fa d -(length -.Fa len ) -to -.Fa ctx . -.Fn SSL_use_PrivateKey_ASN1 -and -.Fn SSL_use_RSAPrivateKey_ASN1 -add the private key to -.Fa ssl . -.Pp -.Fn SSL_CTX_use_PrivateKey_file -adds the first private key found in -.Fa file -to -.Fa ctx . 
-The formatting -.Fa type -of the private key must be specified from the known types -.Dv SSL_FILETYPE_PEM -and -.Dv SSL_FILETYPE_ASN1 . -.Fn SSL_CTX_use_RSAPrivateKey_file -adds the first private RSA key found in -.Fa file -to -.Fa ctx . -.Fn SSL_use_PrivateKey_file -adds the first private key found in -.Fa file -to -.Fa ssl ; -.Fn SSL_use_RSAPrivateKey_file -adds the first private RSA key found to -.Fa ssl . -.Pp -The -.Fn SSL_CTX_check_private_key -function is seriously misnamed. -It compares the -.Em public -key components and parameters of an OpenSSL private key with the -corresponding certificate loaded into -.Fa ctx . -If more than one key/certificate pair (RSA/DSA) is installed, -the last item installed will be compared. -If, e.g., the last item was an RSA certificate or key, -the RSA key/certificate pair will be checked. -.Fn SSL_check_private_key -performs the same -.Em public -key comparison for -.Fa ssl . -If no key/certificate was explicitly added for this -.Fa ssl , -the last item added into -.Fa ctx -will be checked. -.Pp -Despite the name, neither -.Fn SSL_CTX_check_private_key -nor -.Fn SSL_check_private_key -checks whether the private key component is indeed a private key, -nor whether it matches the public key component. -They merely compare the public materials (e.g. exponent and modulus of -an RSA key) and/or key parameters (e.g. EC params of an EC key) of a -key pair. -.Sh NOTES -The internal certificate store of OpenSSL can hold several private -key/certificate pairs at a time. -The certificate used depends on the cipher selected. -See also -.Xr SSL_CTX_set_cipher_list 3 . -.Pp -When reading certificates and private keys from file, files of type -.Dv SSL_FILETYPE_ASN1 -(also known as -.Em DER , -binary encoding) can only contain one certificate or private key; consequently, -.Fn SSL_CTX_use_certificate_chain_file -is only applicable to PEM formatting. -Files of type -.Dv SSL_FILETYPE_PEM -can contain more than one item. 
-.Pp -.Fn SSL_CTX_use_certificate_chain_file -adds the first certificate found in the file to the certificate store. -The other certificates are added to the store of chain certificates using -.Xr SSL_CTX_add1_chain_cert 3 . -It is recommended to use the -.Fn SSL_CTX_use_certificate_chain_file -instead of the -.Fn SSL_CTX_use_certificate_file -function in order to allow the use of complete certificate chains even when no -trusted CA storage is used or when the CA issuing the certificate shall not be -added to the trusted CA storage. -.Pp -If additional certificates are needed to complete the chain during the TLS -negotiation, CA certificates are additionally looked up in the locations of -trusted CA certificates (see -.Xr SSL_CTX_load_verify_locations 3 ) . -.Pp -The private keys loaded from file can be encrypted. -In order to successfully load encrypted keys, -a function returning the passphrase must have been supplied (see -.Xr SSL_CTX_set_default_passwd_cb 3 ) . -(Certificate files might be encrypted as well from the technical point of view, -it however does not make sense as the data in the certificate is considered -public anyway.) -.Sh RETURN VALUES -On success, the functions return 1. -Otherwise check out the error stack to find out the reason. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_clear 3 , -.Xr SSL_CTX_add1_chain_cert 3 , -.Xr SSL_CTX_add_extra_chain_cert 3 , -.Xr SSL_CTX_load_verify_locations 3 , -.Xr SSL_CTX_set_cipher_list 3 , -.Xr SSL_CTX_set_client_CA_list 3 , -.Xr SSL_CTX_set_client_cert_cb 3 , -.Xr SSL_CTX_set_default_passwd_cb 3 , -.Xr SSL_new 3 , -.Xr X509_check_private_key 3 -.Sh HISTORY -.Fn SSL_use_certificate , -.Fn SSL_use_certificate_file , -.Fn SSL_use_RSAPrivateKey , -and -.Fn SSL_use_RSAPrivateKey_file -appeared in SSLeay 0.4 or earlier. -.Fn SSL_use_certificate_ASN1 -and -.Fn SSL_use_RSAPrivateKey_ASN1 -first appeared in SSLeay 0.5.1. 
-.Fn SSL_use_PrivateKey_file , -.Fn SSL_use_PrivateKey_ASN1 , -and -.Fn SSL_use_PrivateKey -first appeared in SSLeay 0.6.0. -.Fn SSL_CTX_use_certificate , -.Fn SSL_CTX_use_certificate_ASN1 , -.Fn SSL_CTX_use_certificate_file , -.Fn SSL_CTX_use_PrivateKey , -.Fn SSL_CTX_use_PrivateKey_ASN1 , -.Fn SSL_CTX_use_PrivateKey_file , -.Fn SSL_CTX_use_RSAPrivateKey , -.Fn SSL_CTX_use_RSAPrivateKey_ASN1 , -and -.Fn SSL_CTX_use_RSAPrivateKey_file -first appeared in SSLeay 0.6.1. -.Fn SSL_CTX_check_private_key -and -.Fn SSL_check_private_key -first appeared in SSLeay 0.6.5. -All these functions have been available since -.Ox 2.4 . -.Pp -.Fn SSL_CTX_use_certificate_chain_file -first appeared in OpenSSL 0.9.4 and has been available since -.Ox 2.6 . -.Pp -.Fn SSL_use_certificate_chain_file -first appeared in OpenSSL 1.1.0 and has been available since -.Ox 6.9 . -.Pp -Support for DER encoded private keys -.Pq Dv SSL_FILETYPE_ASN1 -in -.Fn SSL_CTX_use_PrivateKey_file -and -.Fn SSL_use_PrivateKey_file -was added in 0.9.8. -.Pp -.Fn SSL_CTX_use_certificate_chain_mem -first appeared in -.Ox 5.7 . diff --git a/src/lib/libssl/man/SSL_SESSION_free.3 b/src/lib/libssl/man/SSL_SESSION_free.3 deleted file mode 100644 index 3f785e95e5..0000000000 --- a/src/lib/libssl/man/SSL_SESSION_free.3 +++ /dev/null 
@@ -1,148 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_free.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
-.\" full merge up to: OpenSSL b31db505 Mar 24 16:01:50 2017 +0000
-.\"
-.\" This file was written by Lutz Jaenicke
-.\" and Matt Caswell .
-.\" Copyright (c) 2000, 2001, 2009, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_SESSION_FREE 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_up_ref ,
-.Nm SSL_SESSION_free
-.Nd SSL_SESSION reference counting
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_SESSION_up_ref "SSL_SESSION *session"
-.Ft void
-.Fn SSL_SESSION_free "SSL_SESSION *session"
-.Sh DESCRIPTION
-.Fn SSL_SESSION_up_ref
-increments the reference count of the given
-.Fa session
-by 1.
-.Pp
-.Fn SSL_SESSION_free
-decrements the reference count of the given
-.Fa session
-by 1.
-If the reference count reaches 0, it frees the memory used by the
-.Fa session .
-If
-.Fa session
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Vt SSL_SESSION
-objects are allocated when a TLS/SSL handshake operation is successfully
-completed.
-Depending on the settings, see
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-the
-.Vt SSL_SESSION
-objects are internally referenced by the
-.Vt SSL_CTX
-and linked into its session cache.
-.Vt SSL
-objects may be using the
-.Vt SSL_SESSION
-object; as a session may be reused, several
-.Vt SSL
-objects may be using one
-.Vt SSL_SESSION
-object at the same time.
-It is therefore crucial to keep the reference count (usage information) correct
-and not delete a
-.Vt SSL_SESSION
-object that is still used, as this may lead to program failures due to dangling
-pointers.
-These failures may also appear delayed, e.g., when an
-.Vt SSL_SESSION
-object is completely freed as the reference count incorrectly becomes 0, but it
-is still referenced in the internal session cache and the cache list is
-processed during a
-.Xr SSL_CTX_flush_sessions 3
-operation.
-.Pp
-.Fn SSL_SESSION_free
-must only be called for
-.Vt SSL_SESSION
-objects, for which the reference count was explicitly incremented (e.g., by
-calling
-.Xr SSL_get1_session 3 ;
-see
-.Xr SSL_get_session 3 )
-or when the
-.Vt SSL_SESSION
-object was generated outside a TLS handshake operation, e.g., by using
-.Xr d2i_SSL_SESSION 3 .
-It must not be called on other
-.Vt SSL_SESSION
-objects, as this would cause incorrect reference counts and therefore program
-failures.
-.Sh RETURN VALUES
-.Fn SSL_SESSION_up_ref
-returns 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr d2i_SSL_SESSION 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_free
-first appeared in SSLeay 0.5.2 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_SESSION_up_ref
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3 b/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
deleted file mode 100644
index 239a426dbd..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
+++ /dev/null
@@ -1,94 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_get0_cipher.3,v 1.1 2021/05/12 14:16:25 tb Exp $
-.\" full merge up to: OpenSSL d42e7759f Mar 30 19:40:04 2017 +0200
-.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Rich Salz .
-.\" Copyright (c) 2016, 2017 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 12 2021 $
-.Dt SSL_SESSION_GET0_CIPHER 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get0_cipher
-.Nd retrieve the SSL cipher associated with a session
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const SSL_CIPHER *
-.Fo SSL_SESSION_get0_cipher
-.Fa "const SSL_SESSION *session"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_get0_cipher
-retrieves the cipher that was used by the connection when the session
-was created, or
-.Dv NULL
-if it cannot be determined.
-.Pp
-The value returned is a pointer to an object maintained within
-.Fa session
-and should not be released.
-.Sh RETURN VALUES
-.Fn SSL_SESSION_get0_cipher
-returns the
-.Vt SSL_CIPHER
-associated with
-.Fa session
-or
-.Dv NULL
-if it cannot be determined.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CIPHER_get_name 3 ,
-.Xr SSL_get_current_cipher 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-The
-.Fn SSL_SESSION_get0_cipher
-function first appeared in OpenSSL 1.1.0
-and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_peer.3 b/src/lib/libssl/man/SSL_SESSION_get0_peer.3
deleted file mode 100644
index 6b1ef6680e..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get0_peer.3
+++ /dev/null
@@ -1,80 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_get0_peer.3,v 1.2 2018/03/23 05:50:30 schwarze Exp $
-.\" OpenSSL SSL_SESSION_get0_peer.pod b31db505 Mar 24 16:01:50 2017 +0000
-.\"
-.\" This file was written by Matt Caswell
-.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 23 2018 $
-.Dt SSL_SESSION_GET0_PEER 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get0_peer
-.Nd get details about peer's certificate for a session
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft X509 *
-.Fo SSL_SESSION_get0_peer
-.Fa "SSL_SESSION *s"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_get0_peer
-returns a pointer to the peer certificate associated with the session
-.Fa s
-or
-.Dv NULL
-if no peer certificate is available.
-The caller should not free the returned value, unless
-.Xr X509_up_ref 3
-has also been called.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_get0_peer
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3 b/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
deleted file mode 100644
index aedc216a15..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
+++ /dev/null
@@ -1,78 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.3 2018/03/23 05:50:30 schwarze Exp $
-.\" OpenSSL SSL_SESSION_get_compress_id.pod b31db505 Mar 24 16:01:50 2017
-.\"
-.\" This file was written by Matt Caswell
-.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 23 2018 $
-.Dt SSL_SESSION_GET_COMPRESS_ID 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get_compress_id
-.Nd get details about the compression associated with a session
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft unsigned int
-.Fo SSL_SESSION_get_compress_id
-.Fa "const SSL_SESSION *s"
-.Fc
-.Sh DESCRIPTION
-If compression has been negotiated for an ssl session,
-.Fn SSL_SESSION_get_compress_id
-returns the id for the compression method, or 0 otherwise.
-The only built-in supported compression method is zlib,
-which has an id of 1.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_protocol_version 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_get_compress_id
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
diff --git a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 b/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
deleted file mode 100644
index 9fd6949b6a..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
+++ /dev/null
@@ -1,134 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
-.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2005 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 21 2018 $ -.Dt SSL_SESSION_GET_EX_NEW_INDEX 3 -.Os -.Sh NAME -.Nm SSL_SESSION_get_ex_new_index , -.Nm SSL_SESSION_set_ex_data , -.Nm SSL_SESSION_get_ex_data -.Nd internal application specific data functions -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo SSL_SESSION_get_ex_new_index -.Fa "long argl" -.Fa "void *argp" -.Fa "CRYPTO_EX_new *new_func" -.Fa "CRYPTO_EX_dup *dup_func" -.Fa "CRYPTO_EX_free *free_func" -.Fc -.Ft int -.Fn SSL_SESSION_set_ex_data "SSL_SESSION *session" "int idx" "void *arg" -.Ft void * -.Fn SSL_SESSION_get_ex_data "const SSL_SESSION *session" "int idx" -.Bd -literal - typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp); - typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad, - int idx, long argl, void *argp); - typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d, - int idx, long argl, void *argp); -.Ed -.Sh DESCRIPTION -Several OpenSSL structures can have application specific data attached to them. -These functions are used internally by OpenSSL to manipulate -application-specific data attached to a specific structure. -.Pp -.Fn SSL_SESSION_get_ex_new_index -is used to register a new index for application-specific data. -.Pp -.Fn SSL_SESSION_set_ex_data -is used to store application data at -.Fa arg -for -.Fa idx -into the -.Fa session -object. 
-.Pp -.Fn SSL_SESSION_get_ex_data -is used to retrieve the information for -.Fa idx -from -.Fa session . -.Pp -A detailed description for the -.Fn *_get_ex_new_index -functionality -can be found in -.Xr RSA_get_ex_new_index 3 . -The -.Fn *_get_ex_data -and -.Fn *_set_ex_data -functionality is described in -.Xr CRYPTO_set_ex_data 3 . -.Sh WARNINGS -The application data is only maintained for sessions held in memory. -The application data is not included when dumping the session with -.Xr i2d_SSL_SESSION 3 -(and all functions indirectly calling the dump functions like -.Xr PEM_write_SSL_SESSION 3 -and -.Xr PEM_write_bio_SSL_SESSION 3 ) -and can therefore not be restored. -.Sh SEE ALSO -.Xr CRYPTO_set_ex_data 3 , -.Xr RSA_get_ex_new_index 3 , -.Xr ssl 3 -.Sh HISTORY -.Fn SSL_SESSION_get_ex_new_index , -.Fn SSL_SESSION_set_ex_data , -and -.Fn SSL_SESSION_get_ex_data -first appeared in SSLeay 0.9.0 and have been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_SESSION_get_id.3 b/src/lib/libssl/man/SSL_SESSION_get_id.3 deleted file mode 100644 index 6d0de1e52e..0000000000 --- a/src/lib/libssl/man/SSL_SESSION_get_id.3 +++ /dev/null 
@@ -1,112 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.6 2018/03/24 00:55:37 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL SSL_SESSION_set1_id 17b60280 Dec 21 09:08:25 2017 +0100
-.\"
-.\" This file was written by Remi Gacogne
-.\" and Matt Caswell .
-.\" Copyright (c) 2016, 2017 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 24 2018 $ -.Dt SSL_SESSION_GET_ID 3 -.Os -.Sh NAME -.Nm SSL_SESSION_get_id , -.Nm SSL_SESSION_set1_id -.Nd get and set the SSL session ID -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft const unsigned char * -.Fo SSL_SESSION_get_id -.Fa "const SSL_SESSION *s" -.Fa "unsigned int *len" -.Fc -.Ft int -.Fo SSL_SESSION_set1_id -.Fa "SSL_SESSION *s" -.Fa "const unsigned char *sid" -.Fa "unsigned int sid_len" -.Fc -.Sh DESCRIPTION -.Fn SSL_SESSION_get_id -returns a pointer to the internal session ID value for the session -.Fa s . -The length of the ID in bytes is stored in -.Pf * Fa len . -The length may be 0. -The caller should not free the returned pointer directly. -.Pp -.Fn SSL_SESSION_set1_id -sets the session ID for -.Fa s -to a copy of the -.Fa sid -of length -.Fa sid_len . -.Sh RETURN VALUES -.Fn SSL_SESSION_get_id -returns a pointer to the session ID value. 
-.Pp -.Fn SSL_SESSION_set1_id -returns 1 for success and 0 for failure, -for example if the supplied session ID length exceeds -.Dv SSL_MAX_SSL_SESSION_ID_LENGTH . -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_copy_session_id 3 , -.Xr SSL_get_session 3 , -.Xr SSL_SESSION_get_compress_id 3 , -.Xr SSL_SESSION_get_protocol_version 3 , -.Xr SSL_SESSION_has_ticket 3 , -.Xr SSL_SESSION_new 3 -.Sh HISTORY -.Fn SSL_SESSION_get_id -first appeared in OpenSSL 0.9.8 and has been available since -.Ox 4.5 . -.Pp -.Fn SSL_SESSION_set1_id -first appeared in OpenSSL 1.1.0 and has been available since -.Ox 6.3 . diff --git a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3 b/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3 deleted file mode 100644 index f14c0490e9..0000000000 --- a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3 +++ /dev/null 
@@ -1,84 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by TJ Saunders
-.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 24 2018 $ -.Dt SSL_SESSION_GET_PROTOCOL_VERSION 3 -.Os -.Sh NAME -.Nm SSL_SESSION_get_protocol_version -.Nd get the session protocol version -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo SSL_SESSION_get_protocol_version -.Fa "const SSL_SESSION *s" -.Fc -.Sh DESCRIPTION -.Fn SSL_SESSION_get_protocol_version -returns the protocol version number used by the session -.Fa s . -.Sh RETURN VALUES -.Fn SSL_SESSION_get_protocol_version -returns a constant like -.Dv TLS1_VERSION -or -.Dv TLS1_2_VERSION . -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_get_session 3 , -.Xr SSL_SESSION_get0_peer 3 , -.Xr SSL_SESSION_get_compress_id 3 , -.Xr SSL_SESSION_get_id 3 , -.Xr SSL_SESSION_get_time 3 , -.Xr SSL_SESSION_new 3 -.Sh HISTORY -.Fn SSL_SESSION_get_protocol_version -first appeared in OpenSSL 1.1.0 and has been available since -.Ox 6.3 . 
diff --git a/src/lib/libssl/man/SSL_SESSION_get_time.3 b/src/lib/libssl/man/SSL_SESSION_get_time.3
deleted file mode 100644
index aaadec5137..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_get_time.3
+++ /dev/null
@@ -1,165 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_get_time.3,v 1.8 2019/06/08 15:25:43 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2005, 2006, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 8 2019 $ -.Dt SSL_SESSION_GET_TIME 3 -.Os -.Sh NAME -.Nm SSL_SESSION_get_time , -.Nm SSL_SESSION_set_time , -.Nm SSL_SESSION_get_timeout , -.Nm SSL_SESSION_set_timeout , -.Nm SSL_get_time , -.Nm SSL_set_time , -.Nm SSL_get_timeout , -.Nm SSL_set_timeout -.Nd retrieve and manipulate session time and timeout settings -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft long -.Fn SSL_SESSION_get_time "const SSL_SESSION *s" -.Ft long -.Fn SSL_SESSION_set_time "SSL_SESSION *s" "long tm" -.Ft long -.Fn SSL_SESSION_get_timeout "const SSL_SESSION *s" -.Ft long -.Fn SSL_SESSION_set_timeout "SSL_SESSION *s" "long tm" -.Ft long -.Fn SSL_get_time "const SSL_SESSION *s" -.Ft long -.Fn SSL_set_time "SSL_SESSION *s" "long tm" -.Ft long -.Fn SSL_get_timeout "const SSL_SESSION *s" -.Ft long -.Fn SSL_set_timeout "SSL_SESSION *s" "long tm" -.Sh DESCRIPTION -.Fn SSL_SESSION_get_time -returns the time at which the session -.Fa s -was established. 
-The time is given in seconds since the Epoch and therefore compatible to the -time delivered by the -.Xr time 3 -call. -.Pp -.Fn SSL_SESSION_set_time -replaces the creation time of the session -.Fa s -with -the chosen value -.Fa tm . -.Pp -.Fn SSL_SESSION_get_timeout -returns the timeout value set for session -.Fa s -in seconds. -.Pp -.Fn SSL_SESSION_set_timeout -sets the timeout value for session -.Fa s -in seconds to -.Fa tm . -.Pp -The -.Fn SSL_get_time , -.Fn SSL_set_time , -.Fn SSL_get_timeout , -and -.Fn SSL_set_timeout -functions are synonyms for the -.Fn SSL_SESSION_* -counterparts. -.Pp -Sessions are expired by examining the creation time and the timeout value. -Both are set at creation time of the session to the actual time and the default -timeout value at creation, respectively, as set by -.Xr SSL_CTX_set_timeout 3 . -Using these functions it is possible to extend or shorten the lifetime of the -session. -.Sh RETURN VALUES -.Fn SSL_SESSION_get_time -and -.Fn SSL_SESSION_get_timeout -return the currently valid values. -.Pp -.Fn SSL_SESSION_set_time -and -.Fn SSL_SESSION_set_timeout -return 1 on success. -.Pp -If any of the function is passed the -.Dv NULL -pointer for the session -.Fa s , -0 is returned. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_set_timeout 3 , -.Xr SSL_get_default_timeout 3 , -.Xr SSL_get_session 3 , -.Xr SSL_SESSION_has_ticket 3 , -.Xr SSL_SESSION_new 3 -.Sh HISTORY -.Fn SSL_get_time , -.Fn SSL_get_timeout , -and -.Fn SSL_set_timeout -appeared in SSLeay 0.4 or earlier. -.Fn SSL_set_time -first appeared in SSLeay 0.5.2. -.Fn SSL_SESSION_get_time , -.Fn SSL_SESSION_set_time , -.Fn SSL_SESSION_get_timeout , -and -.Fn SSL_SESSION_set_timeout -first appeared in SSLeay 0.9.0. -All these functions have been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_SESSION_has_ticket.3 b/src/lib/libssl/man/SSL_SESSION_has_ticket.3 deleted file mode 100644 index 322b49feef..0000000000 
--- a/src/lib/libssl/man/SSL_SESSION_has_ticket.3
+++ /dev/null
@@ -1,85 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
-.\" full merge up to: OpenSSL f2baac27 Feb 8 15:43:16 2015 +0000
-.\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
-.\"
-.\" This file was written by Matt Caswell .
-.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 24 2018 $ -.Dt SSL_SESSION_HAS_TICKET 3 -.Os -.Sh NAME -.Nm SSL_SESSION_has_ticket , -.Nm SSL_SESSION_get_ticket_lifetime_hint -.Nd get details about the ticket associated with a session -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo SSL_SESSION_has_ticket -.Fa "const SSL_SESSION *s" -.Fc -.Ft unsigned long -.Fo SSL_SESSION_get_ticket_lifetime_hint -.Fa "const SSL_SESSION *s" -.Fc -.Sh DESCRIPTION -.Fn SSL_SESSION_has_ticket -returns 1 if there is a Session Ticket associated with -.Fa s -or 0 otherwise. -.Pp -.Fn SSL_SESSION_get_ticket_lifetime_hint -returns the lifetime hint in seconds associated with the session ticket. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_SESSION_get_id 3 , -.Xr SSL_SESSION_get_time 3 , -.Xr SSL_SESSION_new 3 -.Sh HISTORY -These functions first appeared in OpenSSL 1.1.0 -and have been available since -.Ox 6.3 . 
diff --git a/src/lib/libssl/man/SSL_SESSION_is_resumable.3 b/src/lib/libssl/man/SSL_SESSION_is_resumable.3
deleted file mode 100644
index 48d7d17889..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_is_resumable.3
+++ /dev/null
@@ -1,81 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_is_resumable.3,v 1.1 2021/09/14 14:08:15 schwarze Exp $
-.\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
-.\"
-.\" This file was written by Matt Caswell .
-.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: September 14 2021 $ -.Dt SSL_SESSION_IS_RESUMABLE 3 -.Os -.Sh NAME -.Nm SSL_SESSION_is_resumable -.Nd determine whether an SSL_SESSION object can be used for resumption -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo SSL_SESSION_is_resumable -.Fa "const SSL_SESSION *session" -.Fc -.Sh DESCRIPTION -.Fn SSL_SESSION_is_resumable -determines whether the -.Fa session -object can be used to resume a session. -Note that attempting to resume with a non-resumable session -will result in a full handshake. -.Sh RETURN VALUES -.Fn SSL_SESSION_is_resumable -returns 1 if the session is resumable or 0 otherwise. -It always returns 0 with LibreSSL. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_sess_set_new_cb 3 , -.Xr SSL_get_session 3 -.Sh HISTORY -.Fn SSL_SESSION_is_resumable -first appeared in OpenSSL 1.1.1 and has been available since -.Ox 7.0 . 
diff --git a/src/lib/libssl/man/SSL_SESSION_new.3 b/src/lib/libssl/man/SSL_SESSION_new.3
deleted file mode 100644
index 2dcdb264c1..0000000000
--- a/src/lib/libssl/man/SSL_SESSION_new.3
+++ /dev/null
@@ -1,78 +0,0 @@ -.\" $OpenBSD: SSL_SESSION_new.3,v 1.9 2021/09/14 14:08:15 schwarze Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: September 14 2021 $ -.Dt SSL_SESSION_NEW 3 -.Os -.Sh NAME -.Nm SSL_SESSION_new -.Nd construct a new SSL_SESSION object -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft SSL_SESSION * -.Fn SSL_SESSION_new void -.Sh DESCRIPTION -.Fn SSL_SESSION_new -allocates and initializes a new -.Vt SSL_SESSION -object. -The reference count is set to 1, the time to the current time, and -the timeout to five minutes. -.Pp -When the object is no longer needed, it can be destructed with -.Xr SSL_SESSION_free 3 . -.Pp -.Fn SSL_SESSION_new -is used internally, for example by -.Xr SSL_connect 3 . -.Sh RETURN VALUES -.Fn SSL_SESSION_new -returns the new -.Vt SSL_SESSION -object or -.Dv NULL -if insufficient memory is available. -.Pp -After failure, -.Xr ERR_get_error 3 -returns -.Dv ERR_R_MALLOC_FAILURE . 
-.Sh SEE ALSO -.Xr d2i_SSL_SESSION 3 , -.Xr PEM_read_SSL_SESSION 3 , -.Xr ssl 3 , -.Xr SSL_connect 3 , -.Xr SSL_copy_session_id 3 , -.Xr SSL_CTX_add_session 3 , -.Xr SSL_CTX_sess_set_get_cb 3 , -.Xr SSL_get_session 3 , -.Xr SSL_SESSION_free 3 , -.Xr SSL_SESSION_get0_peer 3 , -.Xr SSL_SESSION_get_compress_id 3 , -.Xr SSL_SESSION_get_ex_new_index 3 , -.Xr SSL_SESSION_get_id 3 , -.Xr SSL_SESSION_get_master_key 3 , -.Xr SSL_SESSION_get_protocol_version 3 , -.Xr SSL_SESSION_get_time 3 , -.Xr SSL_SESSION_has_ticket 3 , -.Xr SSL_SESSION_is_resumable 3 , -.Xr SSL_SESSION_print 3 , -.Xr SSL_SESSION_set1_id_context 3 , -.Xr SSL_set_session 3 -.Sh HISTORY -.Fn SSL_SESSION_new -first appeared in SSLeay 0.5.2 and has been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_SESSION_print.3 b/src/lib/libssl/man/SSL_SESSION_print.3 deleted file mode 100644 index e92debde0e..0000000000 --- a/src/lib/libssl/man/SSL_SESSION_print.3 +++ /dev/null 
@@ -1,74 +0,0 @@ -.\" $OpenBSD: SSL_SESSION_print.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_SESSION_PRINT 3 -.Os -.Sh NAME -.Nm SSL_SESSION_print , -.Nm SSL_SESSION_print_fp -.Nd print some properties of an SSL_SESSION object -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo SSL_SESSION_print -.Fa "BIO *bp" -.Fa "const SSL_SESSION *session" -.Fc -.Ft int -.Fo SSL_SESSION_print_fp -.Fa "FILE *fp" -.Fa "const SSL_SESSION *session" -.Fc -.Sh DESCRIPTION -.Fn SSL_SESSION_print -prints some properties of -.Fa session -in a human-readable format to the -.Fa "BIO *bp" , -including protocol version, cipher name, session ID, -session ID context, master key, session ticket lifetime hint, -session ticket, start time, timeout, and verify return code. -.Pp -.Fn SSL_SESSION_print_fp -does the same as -.Fn SSL_SESSION_print -except that it prints to the -.Fa "FILE *fp" . -.Sh RETURN VALUES -.Fn SSL_SESSION_print -and -.Fn SSL_SESSION_print_fp -return 1 for success or 0 for failure. -.Pp -In some cases, the reason for failure can be determined with -.Xr ERR_get_error 3 . 
-.Sh SEE ALSO -.Xr d2i_SSL_SESSION 3 , -.Xr PEM_read_SSL_SESSION 3 , -.Xr ssl 3 , -.Xr SSL_get_session 3 , -.Xr SSL_SESSION_free 3 , -.Xr SSL_SESSION_get_ex_new_index 3 , -.Xr SSL_SESSION_get_time 3 , -.Xr SSL_SESSION_new 3 -.Sh HISTORY -.Fn SSL_SESSION_print -first appeared in SSLeay 0.5.2. -.Fn SSL_SESSION_print_fp -first appeared in SSLeay 0.6.0. -Both functions have been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3 b/src/lib/libssl/man/SSL_SESSION_set1_id_context.3 deleted file mode 100644 index dd7595baca..0000000000 --- a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3 +++ /dev/null 
@@ -1,113 +0,0 @@
-.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.4 2018/03/24 00:55:37 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL SSL_SESSION_get0_id_context b31db505 Mar 24 16:01:50 2017
-.\"
-.\" This file was written by Matt Caswell
-.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 24 2018 $
-.Dt SSL_SESSION_SET1_ID_CONTEXT 3
-.Os
-.Sh NAME
-.Nm SSL_SESSION_get0_id_context ,
-.Nm SSL_SESSION_set1_id_context
-.Nd get and set the SSL ID context associated with a session
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const unsigned char *
-.Fo SSL_SESSION_get0_id_context
-.Fa "const SSL_SESSION *s"
-.Fa "unsigned int *len"
-.Fc
-.Ft int
-.Fo SSL_SESSION_set1_id_context
-.Fa "SSL_SESSION *s"
-.Fa "const unsigned char *sid_ctx"
-.Fa "unsigned int sid_ctx_len"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_SESSION_get0_id_context
-returns the ID context associated with
-.Fa s .
-The length of the ID context in bytes is written to
-.Pf * Fa len
-if
-.Fa len
-is not
-.Dv NULL .
-.Pp
-.Fn SSL_SESSION_set1_id_context
-takes a copy of the provided ID context given in
-.Fa sid_ctx
-and associates it with the session
-.Fa s .
-The length of the ID context is given by
-.Fa sid_ctx_len
-which must not exceed
-.Dv SSL_MAX_SID_CTX_LENGTH
-bytes.
-.Sh RETURN VALUES
-.Fn SSL_SESSION_get0_id_context
-returns an internal pointer to an object maintained within
-.Fa s
-that should not be freed by the caller.
-.Pp
-.Fn SSL_SESSION_set1_id_context
-returns 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_session_id_context 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-.Fn SSL_SESSION_set1_id_context
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
-.Pp
-.Fn SSL_SESSION_get0_id_context
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_accept.3 b/src/lib/libssl/man/SSL_accept.3
deleted file mode 100644
index fb1d89eb57..0000000000
--- a/src/lib/libssl/man/SSL_accept.3
+++ /dev/null
@@ -1,155 +0,0 @@
-.\" $OpenBSD: SSL_accept.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2002, 2003 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 8 2019 $
-.Dt SSL_ACCEPT 3
-.Os
-.Sh NAME
-.Nm SSL_accept
-.Nd wait for a TLS/SSL client to initiate a TLS/SSL handshake
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_accept "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_accept
-waits for a TLS/SSL client to initiate the TLS/SSL handshake.
-The communication channel must already have been set and assigned to the
-.Fa ssl
-object by setting an underlying
-.Vt BIO .
-.Pp
-The behaviour of
-.Fn SSL_accept
-depends on the underlying
-.Vt BIO .
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em blocking ,
-.Fn SSL_accept
-will only return once the handshake has been finished or an error occurred.
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em non-blocking ,
-.Fn SSL_accept
-will also return when the underlying
-.Vt BIO
-could not satisfy the needs of
-.Fn SSL_accept
-to continue the handshake, indicating the problem by the return value \(mi1.
-In this case a call to
-.Xr SSL_get_error 3
-with the
-return value of
-.Fn SSL_accept
-will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE .
-The calling process then must repeat the call after taking appropriate action
-to satisfy the needs of
-.Fn SSL_accept .
-The action depends on the underlying
-.Dv BIO .
-When using a non-blocking socket, nothing is to be done, but
-.Xr select 2
-can be used to check for the required condition.
-When using a buffering
-.Vt BIO ,
-like a
-.Vt BIO
-pair, data must be written into or retrieved out of the
-.Vt BIO
-before being able to continue.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The TLS/SSL handshake was not successful but was shut down controlled and by
-the specifications of the TLS/SSL protocol.
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.It 1
-The TLS/SSL handshake was successfully completed,
-and a TLS/SSL connection has been established.
-.It <0
-The TLS/SSL handshake was not successful because a fatal error occurred either
-at the protocol level or a connection failure occurred.
-The shutdown was not clean.
-It can also occur of action is need to continue the operation for non-blocking
-.Vt BIO Ns
-s.
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_get_error 3 ,
-.Xr SSL_set_connect_state 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_accept
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_alert_type_string.3 b/src/lib/libssl/man/SSL_alert_type_string.3
deleted file mode 100644
index 79cbdaa988..0000000000
--- a/src/lib/libssl/man/SSL_alert_type_string.3
+++ /dev/null
@@ -1,244 +0,0 @@
-.\" $OpenBSD: SSL_alert_type_string.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2011 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_ALERT_TYPE_STRING 3
-.Os
-.Sh NAME
-.Nm SSL_alert_type_string ,
-.Nm SSL_alert_type_string_long ,
-.Nm SSL_alert_desc_string ,
-.Nm SSL_alert_desc_string_long
-.Nd get textual description of alert information
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const char *
-.Fn SSL_alert_type_string "int value"
-.Ft const char *
-.Fn SSL_alert_type_string_long "int value"
-.Ft const char *
-.Fn SSL_alert_desc_string "int value"
-.Ft const char *
-.Fn SSL_alert_desc_string_long "int value"
-.Sh DESCRIPTION
-.Fn SSL_alert_type_string
-returns a one letter string indicating the type of the alert specified by
-.Fa value .
-.Pp
-.Fn SSL_alert_type_string_long
-returns a string indicating the type of the alert specified by
-.Fa value .
-.Pp
-.Fn SSL_alert_desc_string
-returns a two letter string as a short form describing the reason of the alert
-specified by
-.Fa value .
-.Pp
-.Fn SSL_alert_desc_string_long
-returns a string describing the reason of the alert specified by
-.Fa value .
-.Pp
-When one side of an SSL/TLS communication wants to inform the peer about
-a special situation, it sends an alert.
-The alert is sent as a special message and does not influence the normal data
-stream (unless its contents results in the communication being canceled).
-.Pp
-A warning alert is sent, when a non-fatal error condition occurs.
-The
-.Dq close notify
-alert is sent as a warning alert.
-Other examples for non-fatal errors are certificate errors
-.Po
-.Dq certificate expired ,
-.Dq unsupported certificate
-.Pc ,
-for which a warning alert may be sent.
-(The sending party may, however, decide to send a fatal error.)
-The receiving side may cancel the connection on reception of a warning alert at
-its discretion.
-.Pp
-Several alert messages must be sent as fatal alert messages as specified
-by the TLS RFC.
-A fatal alert always leads to a connection abort.
-.Sh RETURN VALUES
-The following strings can occur for
-.Fn SSL_alert_type_string
-or
-.Fn SSL_alert_type_string_long :
-.Bl -tag -width Ds
-.It \(dqW\(dq/\(dqwarning\(dq
-.It \(dqF\(dq/\(dqfatal\(dq
-.It \(dqU\(dq/\(dqunknown\(dq
-This indicates that no support is available for this alert type.
-Probably
-.Fa value
-does not contain a correct alert message.
-.El
-.Pp
-The following strings can occur for
-.Fn SSL_alert_desc_string
-or
-.Fn SSL_alert_desc_string_long :
-.Bl -tag -width Ds
-.It \(dqCN\(dq/\(dqclose notify\(dq
-The connection shall be closed.
-This is a warning alert.
-.It \(dqUM\(dq/\(dqunexpected message\(dq
-An inappropriate message was received.
-This alert is always fatal and should never be observed in communication
-between proper implementations.
-.It \(dqBM\(dq/\(dqbad record mac\(dq
-This alert is returned if a record is received with an incorrect MAC.
-This message is always fatal.
-.It \(dqDF\(dq/\(dqdecompression failure\(dq
-The decompression function received improper input
-(e.g., data that would expand to excessive length).
-This message is always fatal.
-.It \(dqHF\(dq/\(dqhandshake failure\(dq
-Reception of a handshake_failure alert message indicates that the sender was
-unable to negotiate an acceptable set of security parameters given the options
-available.
-This is a fatal error.
-.It \(dqNC\(dq/\(dqno certificate\(dq
-A client, that was asked to send a certificate, does not send a certificate
-(SSLv3 only).
-.It \(dqBC\(dq/\(dqbad certificate\(dq
-A certificate was corrupt, contained signatures that did not verify correctly,
-etc.
-.It \(dqUC\(dq/\(dqunsupported certificate\(dq
-A certificate was of an unsupported type.
-.It \(dqCR\(dq/\(dqcertificate revoked\(dq
-A certificate was revoked by its signer.
-.It \(dqCE\(dq/\(dqcertificate expired\(dq
-A certificate has expired or is not currently valid.
-.It \(dqCU\(dq/\(dqcertificate unknown\(dq
-Some other (unspecified) issue arose in processing the certificate,
-rendering it unacceptable.
-.It \(dqIP\(dq/\(dqillegal parameter\(dq
-A field in the handshake was out of range or inconsistent with other fields.
-This is always fatal.
-.It \(dqDC\(dq/\(dqdecryption failed\(dq
-A TLSCiphertext decrypted in an invalid way: either it wasn't an even multiple
-of the block length or its padding values, when checked, weren't correct.
-This message is always fatal.
-.It \(dqRO\(dq/\(dqrecord overflow\(dq
-A TLSCiphertext record was received which had a length more than
-2^14+2048 bytes, or a record decrypted to a TLSCompressed record with more than
-2^14+1024 bytes.
-This message is always fatal.
-.It \(dqCA\(dq/\(dqunknown CA\(dq
-A valid certificate chain or partial chain was received,
-but the certificate was not accepted because the CA certificate could not be
-located or couldn't be matched with a known, trusted CA.
-This message is always fatal.
-.It \(dqAD\(dq/\(dqaccess denied\(dq
-A valid certificate was received, but when access control was applied,
-the sender decided not to proceed with negotiation.
-This message is always fatal.
-.It \(dqDE\(dq/\(dqdecode error\(dq
-A message could not be decoded because some field was out of the specified
-range or the length of the message was incorrect.
-This message is always fatal.
-.It \(dqCY\(dq/\(dqdecrypt error\(dq
-A handshake cryptographic operation failed, including being unable to correctly
-verify a signature, decrypt a key exchange, or validate a finished message.
-.It \(dqER\(dq/\(dqexport restriction\(dq
-A negotiation not in compliance with export restrictions was detected;
-for example, attempting to transfer a 1024 bit ephemeral RSA key for the
-RSA_EXPORT handshake method.
-This message is always fatal.
-.It \(dqPV\(dq/\(dqprotocol version\(dq
-The protocol version the client has attempted to negotiate is recognized,
-but not supported.
-(For example, old protocol versions might be avoided for security reasons.)
-This message is always fatal.
-.It \(dqIS\(dq/\(dqinsufficient security\(dq
-Returned instead of handshake_failure when a negotiation has failed
-specifically because the server requires ciphers more secure than those
-supported by the client.
-This message is always fatal.
-.It \(dqIE\(dq/\(dqinternal error\(dq
-An internal error unrelated to the peer or the correctness of the protocol
-makes it impossible to continue (such as a memory allocation failure).
-This message is always fatal.
-.It \(dqUS\(dq/\(dquser canceled\(dq
-This handshake is being canceled for some reason unrelated to a protocol
-failure.
-If the user cancels an operation after the handshake is complete,
-just closing the connection by sending a close_notify is more appropriate.
-This alert should be followed by a close_notify.
-This message is generally a warning.
-.It \(dqNR\(dq/\(dqno renegotiation\(dq
-Sent by the client in response to a hello request or by the server in response
-to a client hello after initial handshaking.
-Either of these would normally lead to renegotiation; when that is not
-appropriate, the recipient should respond with this alert; at that point,
-the original requester can decide whether to proceed with the connection.
-One case where this would be appropriate would be where a server has spawned a
-process to satisfy a request; the process might receive security parameters
-(key length, authentication, etc.) at startup and it might be difficult to
-communicate changes to these parameters after that point.
-This message is always a warning.
-.It \(dqUP\(dq/\(dqunknown PSK identity\(dq
-Sent by the server to indicate that it does not recognize a PSK identity or an
-SRP identity.
-.It \(dqUK\(dq/\(dqunknown\(dq
-This indicates that no description is available for this alert type.
-Probably
-.Fa value
-does not contain a correct alert message.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_info_callback 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.8.0
-and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_clear.3 b/src/lib/libssl/man/SSL_clear.3
deleted file mode 100644
index 809c3b20f4..0000000000
--- a/src/lib/libssl/man/SSL_clear.3
+++ /dev/null
@@ -1,144 +0,0 @@
-.\" $OpenBSD: SSL_clear.3,v 1.5 2021/06/11 19:41:39 jmc Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2002, 2011, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 11 2021 $
-.Dt SSL_CLEAR 3
-.Os
-.Sh NAME
-.Nm SSL_clear
-.Nd reset SSL object to allow another connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_clear "SSL *ssl"
-.Sh DESCRIPTION
-Reset
-.Fa ssl
-to allow another connection.
-All settings (method, ciphers, BIOs) are kept.
-.Pp
-.Fn SSL_clear
-is used to prepare an
-.Vt SSL
-object for a new connection.
-While all settings are kept,
-a side effect is the handling of the current SSL session.
-If a session is still
-.Em open ,
-it is considered bad and will be removed from the session cache,
-as required by RFC 2246.
-A session is considered open if
-.Xr SSL_shutdown 3
-was not called for the connection or at least
-.Xr SSL_set_shutdown 3
-was used to
-set the
-.Dv SSL_SENT_SHUTDOWN
-state.
-.Pp
-If a session was closed cleanly,
-the session object will be kept and all settings corresponding.
-This explicitly means that for example the special method used during the
-session will be kept for the next handshake.
-So if the session was a TLSv1 session, a
-.Vt SSL
-client object will use a TLSv1 client method for the next handshake and a
-.Vt SSL
-server object will use a TLSv1 server method, even if
-.Fn TLS_*_method Ns s
-were chosen on startup.
-This might lead to connection failures (see
-.Xr SSL_new 3 )
-for a description of the method's properties.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The
-.Fn SSL_clear
-operation could not be performed.
-Check the error stack to find out the reason.
-.It 1
-The
-.Fn SSL_clear
-operation was successful.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_client_cert_cb 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_new 3 ,
-.Xr SSL_set_shutdown 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_clear
-first appeared in SSLeay 0.4.5b and has been available since
-.Ox 2.4 .
-.Sh CAVEATS
-.Fn SSL_clear
-resets the
-.Vt SSL
-object to allow for another connection.
-The reset operation however keeps several settings of the last sessions
-(some of these settings were made automatically during the last handshake).
-It only makes sense for a new connection with the exact same peer that shares
-these settings,
-and may fail if that peer changes its settings between connections.
-Use the sequence
-.Xr SSL_get_session 3 ;
-.Xr SSL_new 3 ;
-.Xr SSL_set_session 3 ;
-.Xr SSL_free 3
-instead to avoid such failures (or simply
-.Xr SSL_free 3 ;
-.Xr SSL_new 3
-if session reuse is not desired).
diff --git a/src/lib/libssl/man/SSL_connect.3 b/src/lib/libssl/man/SSL_connect.3
deleted file mode 100644
index d5b962a480..0000000000
--- a/src/lib/libssl/man/SSL_connect.3
+++ /dev/null
@@ -1,154 +0,0 @@
-.\" $OpenBSD: SSL_connect.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2002, 2003 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_CONNECT 3
-.Os
-.Sh NAME
-.Nm SSL_connect
-.Nd initiate the TLS/SSL handshake with a TLS/SSL server
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_connect "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_connect
-initiates the TLS/SSL handshake with a server.
-The communication channel must already have been set and assigned to the
-.Fa ssl
-by setting an underlying
-.Vt BIO .
-.Pp
-The behaviour of
-.Fn SSL_connect
-depends on the underlying
-.Vt BIO .
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em blocking ,
-.Fn SSL_connect
-will only return once the handshake has been finished or an error occurred.
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em non-blocking ,
-.Fn SSL_connect
-will also return when the underlying
-.Vt BIO
-could not satisfy the needs of
-.Fn SSL_connect
-to continue the handshake, indicating the problem with the return value \(mi1.
-In this case a call to
-.Xr SSL_get_error 3
-with the return value of
-.Fn SSL_connect
-will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE .
-The calling process then must repeat the call after taking appropriate action
-to satisfy the needs of
-.Fn SSL_connect .
-The action depends on the underlying
-.Vt BIO .
-When using a non-blocking socket, nothing is to be done, but
-.Xr select 2
-can be used to check for the required condition.
-When using a buffering
-.Vt BIO ,
-like a
-.Vt BIO
-pair, data must be written into or retrieved out of the
-.Vt BIO
-before being able to continue.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It 0
-The TLS/SSL handshake was not successful but was shut down controlled and
-by the specifications of the TLS/SSL protocol.
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.It 1
-The TLS/SSL handshake was successfully completed,
-and a TLS/SSL connection has been established.
-.It <0
-The TLS/SSL handshake was not successful, because either a fatal error occurred
-at the protocol level or a connection failure occurred.
-The shutdown was not clean.
-It can also occur if action is needed to continue the operation for
-non-blocking
-.Vt BIO Ns s .
-Call
-.Xr SSL_get_error 3
-with the return value
-.Fa ret
-to find out the reason.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_get_error 3 ,
-.Xr SSL_set_connect_state 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_connect
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_copy_session_id.3 b/src/lib/libssl/man/SSL_copy_session_id.3
deleted file mode 100644
index a7a7a8aa99..0000000000
--- a/src/lib/libssl/man/SSL_copy_session_id.3
+++ /dev/null
@@ -1,79 +0,0 @@ -.\" $OpenBSD: SSL_copy_session_id.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_COPY_SESSION_ID 3 -.Os -.Sh NAME -.Nm SSL_copy_session_id -.Nd copy session details between SSL objects -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo SSL_copy_session_id -.Fa "SSL *to" -.Fa "const SSL *from" -.Fc -.Sh DESCRIPTION -.Fn SSL_copy_session_id -copies the following data from -.Fa from -to -.Fa to : -.Bl -dash -.It -the pointer to the -.Vt SSL_SESSION -object, incrementing its reference count by 1 -.It -the pointer to the -.Vt SSL_METHOD -object; if that changes the method, protocol-specific data is -reinitialized -.It -the pointer to the -.Vt CERT -object, incrementing its reference count by 1 -.It -the session ID context -.El -.Pp -This function is used internally by -.Xr SSL_dup 3 -and by -.Xr BIO_ssl_copy_session_id 3 . -.Sh RETURN VALUES -.Fn SSL_copy_session_id -returns 1 on success and 0 on error. 
-.Sh SEE ALSO -.Xr BIO_ssl_copy_session_id 3 , -.Xr ssl 3 , -.Xr SSL_dup 3 , -.Xr SSL_get_session 3 , -.Xr SSL_SESSION_get_id 3 , -.Xr SSL_SESSION_new 3 , -.Xr SSL_set_session 3 , -.Xr SSL_set_session_id_context 3 -.Sh HISTORY -.Fn SSL_copy_session_id -appeared in SSLeay 0.4 or earlier and has been available since -.Ox 2.4 . -.Sh BUGS -Failures of -.Xr CRYPTO_add 3 -are silently ignored and may leave -.Fa to -in an invalid or inconsistent state. diff --git a/src/lib/libssl/man/SSL_do_handshake.3 b/src/lib/libssl/man/SSL_do_handshake.3 deleted file mode 100644 index e9327b4229..0000000000 --- a/src/lib/libssl/man/SSL_do_handshake.3 +++ /dev/null 
@@ -1,152 +0,0 @@ -.\" $OpenBSD: SSL_do_handshake.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Martin Sjoegren . -.\" Copyright (c) 2002 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 27 2018 $ -.Dt SSL_DO_HANDSHAKE 3 -.Os -.Sh NAME -.Nm SSL_do_handshake -.Nd perform a TLS/SSL handshake -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fn SSL_do_handshake "SSL *ssl" -.Sh DESCRIPTION -.Fn SSL_do_handshake -will wait for a SSL/TLS handshake to take place. -If the connection is in client mode, the handshake will be started. -The handshake routines may have to be explicitly set in advance using either -.Xr SSL_set_connect_state 3 -or -.Xr SSL_set_accept_state 3 . -.Pp -The behaviour of -.Fn SSL_do_handshake -depends on the underlying -.Vt BIO . -.Pp -If the underlying -.Vt BIO -is -.Em blocking , -.Fn SSL_do_handshake -will only return once the handshake has been finished or an error occurred. -.Pp -If the underlying -.Vt BIO -is -.Em non-blocking , -.Fn SSL_do_handshake -will also return when the underlying -.Vt BIO -could not satisfy the needs of -.Fn SSL_do_handshake -to continue the handshake. -In this case a call to -.Xr SSL_get_error 3 -with the return value of -.Fn SSL_do_handshake -will yield -.Dv SSL_ERROR_WANT_READ -or -.Dv SSL_ERROR_WANT_WRITE . -The calling process then must repeat the call after taking appropriate action -to satisfy the needs of -.Fn SSL_do_handshake . -The action depends on the underlying -.Vt BIO . -When using a non-blocking socket, nothing is to be done, but -.Xr select 2 -can be used to check for the required condition. 
-When using a buffering -.Vt BIO , -like a -.Vt BIO -pair, data must be written into or retrieved out of the -.Vt BIO -before being able to continue. -.Sh RETURN VALUES -The following return values can occur: -.Bl -tag -width Ds -.It 0 -The TLS/SSL handshake was not successful but was shut down controlled and -by the specifications of the TLS/SSL protocol. -Call -.Xr SSL_get_error 3 -with the return value -.Fa ret -to find out the reason. -.It 1 -The TLS/SSL handshake was successfully completed, -and a TLS/SSL connection has been established. -.It <0 -The TLS/SSL handshake was not successful because either a fatal error occurred -at the protocol level or a connection failure occurred. -The shutdown was not clean. -It can also occur if action is needed to continue the operation for -non-blocking -.Vt BIO Ns s . -Call -.Xr SSL_get_error 3 -with the return value -.Fa ret -to find out the reason. -.El -.Sh SEE ALSO -.Xr BIO_new 3 , -.Xr ssl 3 , -.Xr SSL_accept 3 , -.Xr SSL_connect 3 , -.Xr SSL_get_error 3 , -.Xr SSL_set_connect_state 3 -.Sh HISTORY -.Fn SSL_do_handshake -first appeared in SSLeay 0.8.0 and has been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_dup.3 b/src/lib/libssl/man/SSL_dup.3 deleted file mode 100644 index a83440b431..0000000000 --- a/src/lib/libssl/man/SSL_dup.3 +++ /dev/null 
@@ -1,62 +0,0 @@ -.\" $OpenBSD: SSL_dup.3,v 1.5 2022/07/13 22:05:53 schwarze Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: July 13 2022 $ -.Dt SSL_DUP 3 -.Os -.Sh NAME -.Nm SSL_dup -.Nd deep copy of an SSL object -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft SSL * -.Fo SSL_dup -.Fa "SSL *ssl" -.Fc -.Sh DESCRIPTION -.Fn SSL_dup -constructs a new -.Vt SSL -object in the same context as -.Fa ssl -and copies much of the contained data from -.Fa ssl -to the new -.Vt SSL -object, but many fields, for example tlsext data, are not copied. -.Pp -As an exception from deep copying, if a session is already established, -the new object shares -.Fa ssl->cert -with the original object. -.Sh RETURN VALUES -.Fn SSL_dup -returns the new -.Vt SSL -object or -.Dv NULL -on failure. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_clear 3 , -.Xr SSL_copy_session_id 3 , -.Xr SSL_free 3 , -.Xr SSL_new 3 , -.Xr SSL_set_security_level 3 -.Sh HISTORY -.Fn SSL_dup -first appeared in SSLeay 0.8.0 and has been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_dup_CA_list.3 b/src/lib/libssl/man/SSL_dup_CA_list.3 deleted file mode 100644 index d073b07176..0000000000 --- a/src/lib/libssl/man/SSL_dup_CA_list.3 +++ /dev/null 
@@ -1,54 +0,0 @@ -.\" $OpenBSD: SSL_dup_CA_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_DUP_CA_LIST 3 -.Os -.Sh NAME -.Nm SSL_dup_CA_list -.Nd deep copy of a stack of X.509 Name objects -.\" The capital "N" in "Name" is intentional (X.509 syntax). -.Sh SYNOPSIS -.Ft STACK_OF(X509_NAME) * -.Fo SSL_dup_CA_list -.Fa "const STACK_OF(X509_NAME) *sk" -.Fc -.Sh DESCRIPTION -.Fn SSL_dup_CA_list -constructs a new -.Vt STACK_OF(X509_NAME) -object and places copies of all the -.Vt X509_NAME -objects found on -.Fa sk -on it. -.Sh RETURN VALUES -.Fn SSL_dup_CA_list -returns the new -.Vt STACK_OF(X509_NAME) -or -.Dv NULL -on failure. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_set_client_CA_list 3 , -.Xr SSL_get_client_CA_list 3 , -.Xr SSL_load_client_CA_file 3 , -.Xr X509_NAME_new 3 -.Sh HISTORY -.Fn SSL_dup_CA_list -first appeared in SSLeay 0.8.0 and has been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_export_keying_material.3 b/src/lib/libssl/man/SSL_export_keying_material.3 deleted file mode 100644 index e32a5c5d61..0000000000 --- a/src/lib/libssl/man/SSL_export_keying_material.3 +++ /dev/null 
@@ -1,133 +0,0 @@ -.\" $OpenBSD: SSL_export_keying_material.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $ -.\" OpenSSL a599574b Jun 28 17:18:27 2017 +0100 -.\" OpenSSL 23cec1f4 Jun 21 13:55:02 2017 +0100 -.\" -.\" This file was written by Matt Caswell . -.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_EXPORT_KEYING_MATERIAL 3 -.Os -.Sh NAME -.Nm SSL_export_keying_material -.Nd obtain keying material for application use -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo SSL_export_keying_material -.Fa "SSL *s" -.Fa "unsigned char *out" -.Fa "size_t olen" -.Fa "const char *label" -.Fa "size_t llen" -.Fa "const unsigned char *context" -.Fa "size_t contextlen" -.Fa "int use_context" -.Fc -.Sh DESCRIPTION -During the creation of a TLS or DTLS connection, -shared keying material is established between the two endpoints. -The function -.Fn SSL_export_keying_material -enables an application to use some of this keying material -for its own purposes in accordance with RFC 5705. -.Pp -An application may need to securely establish the context -within which this keying material will be used. 
-For example, this may include identifiers for the application session, -application algorithms or parameters, or the lifetime of the context. -The context value is left to the application but must be the same on -both sides of the communication. -.Pp -For a given SSL connection -.Fa s , -.Fa olen -bytes of data will be written to -.Fa out . -The application specific context should be supplied -in the location pointed to by -.Fa context -and should be -.Fa contextlen -bytes long. -Provision of a context is optional. -If the context should be omitted entirely, then -.Fa use_context -should be set to 0. -Otherwise it should be any other value. -If -.Fa use_context -is 0, then the values of -.Fa context -and -.Fa contextlen -are ignored. -.Pp -In TLSv1.2 and below, a zero length context is treated differently -from no context at all, and will result in different keying material -being returned. -.Pp -An application specific label should be provided in the location pointed -to by -.Fa label -and should be -.Fa llen -bytes long. -Typically this will be a value from the -.Lk https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels "IANA Exporter Label Registry" . -.Pp -Alternatively, labels beginning with "EXPERIMENTAL" are permitted by the -standard to be used without registration. -.Sh RETURN VALUES -.Fn SSL_export_keying_material -returns 1 on success or 0 or -1 on failure. -.Sh SEE ALSO -.Xr ssl 3 -.Sh HISTORY -.Fn SSL_export_keying_material -first appeared in OpenSSL 1.0.1 and has been available since -.Ox 5.3 . diff --git a/src/lib/libssl/man/SSL_free.3 b/src/lib/libssl/man/SSL_free.3 deleted file mode 100644 index c713ded121..0000000000 --- a/src/lib/libssl/man/SSL_free.3 +++ /dev/null 
@@ -1,115 +0,0 @@ -.\" $OpenBSD: SSL_free.3,v 1.6 2021/06/11 19:41:39 jmc Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2001 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 11 2021 $ -.Dt SSL_FREE 3 -.Os -.Sh NAME -.Nm SSL_free -.Nd free an allocated SSL structure -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft void -.Fn SSL_free "SSL *ssl" -.Sh DESCRIPTION -.Fn SSL_free -decrements the reference count of -.Fa ssl , -and removes the -.Vt SSL -structure pointed to by -.Fa ssl -and frees up the allocated memory if the reference count has reached 0. -If -.Fa ssl -is a -.Dv NULL -pointer, no action occurs. -.Pp -.Fn SSL_free -also calls the -.Xr free 3 Ns -ing procedures for indirectly affected items, if applicable: the buffering -.Vt BIO , -the read and write -.Vt BIOs , -cipher lists specially created for this -.Fa ssl , -the -.Sy SSL_SESSION . -Do not explicitly free these indirectly freed up items before or after calling -.Fn SSL_free , -as trying to free things twice may lead to program failure. -.Pp -The -.Fa ssl -session has reference counts from two users: the -.Vt SSL -object, for which the reference count is removed by -.Fn SSL_free -and the internal session cache. -If the session is considered bad, because -.Xr SSL_shutdown 3 -was not called for the connection and -.Xr SSL_set_shutdown 3 -was not used to set the -.Vt SSL_SENT_SHUTDOWN -state, the session will also be removed from the session cache as required by -RFC 2246. 
-.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_clear 3 , -.Xr SSL_new 3 , -.Xr SSL_set_shutdown 3 , -.Xr SSL_shutdown 3 -.Sh HISTORY -.Fn SSL_free -appeared in SSLeay 0.4 or earlier and has been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_get_SSL_CTX.3 b/src/lib/libssl/man/SSL_get_SSL_CTX.3 deleted file mode 100644 index 60fda555bc..0000000000 --- a/src/lib/libssl/man/SSL_get_SSL_CTX.3 +++ /dev/null 
@@ -1,79 +0,0 @@ -.\" $OpenBSD: SSL_get_SSL_CTX.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001, 2005 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 27 2018 $ -.Dt SSL_GET_SSL_CTX 3 -.Os -.Sh NAME -.Nm SSL_get_SSL_CTX -.Nd get the SSL_CTX from which an SSL is created -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft SSL_CTX * -.Fn SSL_get_SSL_CTX "const SSL *ssl" -.Sh DESCRIPTION -.Fn SSL_get_SSL_CTX -returns a pointer to the -.Vt SSL_CTX -object from which -.Fa ssl -was created with -.Xr SSL_new 3 . -.Sh RETURN VALUES -The pointer to the -.Vt SSL_CTX -object is returned. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_new 3 -.Sh HISTORY -.Fn SSL_get_SSL_CTX -first appeared in SSLeay 0.5.1 and has been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_get_certificate.3 b/src/lib/libssl/man/SSL_get_certificate.3 deleted file mode 100644 index eb53ea49bf..0000000000 --- a/src/lib/libssl/man/SSL_get_certificate.3 +++ /dev/null 
@@ -1,64 +0,0 @@ -.\" $OpenBSD: SSL_get_certificate.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_GET_CERTIFICATE 3 -.Os -.Sh NAME -.Nm SSL_get_certificate , -.Nm SSL_get_privatekey -.Nd get SSL certificate and private key -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft X509 * -.Fo SSL_get_certificate -.Fa "const SSL *ssl" -.Fc -.Ft EVP_PKEY * -.Fo SSL_get_privatekey -.Fa "const SSL *ssl" -.Fc -.Sh DESCRIPTION -These functions retrieve certificate and key data from an -.Vt SSL -object. -They return internal pointers that must not be freed by the application -program. -.Sh RETURN VALUES -.Fn SSL_get_certificate -returns the active X.509 certificate currently used by -.Fa ssl -or -.Dv NULL -if none is active. -.Pp -.Fn SSL_get_privatekey -returns the active private key currently used by -.Fa ssl -or -.Dv NULL -if none is active. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_check_private_key 3 , -.Xr SSL_use_certificate 3 -.Sh HISTORY -.Fn SSL_get_certificate -first appeared in SSLeay 0.5.2a. -.Fn SSL_get_privatekey -first appeared in SSLeay 0.8.0. -Both functions have been available since -.Ox 2.4 . 
diff --git a/src/lib/libssl/man/SSL_get_ciphers.3 b/src/lib/libssl/man/SSL_get_ciphers.3 deleted file mode 100644 index 8030f0bbb1..0000000000 --- a/src/lib/libssl/man/SSL_get_ciphers.3 +++ /dev/null 
@@ -1,249 +0,0 @@ -.\" $OpenBSD: SSL_get_ciphers.3,v 1.11 2020/09/16 07:25:15 schwarze Exp $ -.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100 -.\" -.\" This file is a derived work. -.\" The changes are covered by the following Copyright and license: -.\" -.\" Copyright (c) 2020 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.\" The original file was written by Lutz Jaenicke , -.\" Nick Mathewson , Kurt Roeckx , -.\" Kazuki Yamaguchi , and Benjamin Kaduk . -.\" Copyright (c) 2000, 2005, 2015, 2016, 2017 The OpenSSL Project. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. 
All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. 
-.\" -.Dd $Mdocdate: September 16 2020 $ -.Dt SSL_GET_CIPHERS 3 -.Os -.Sh NAME -.Nm SSL_get_ciphers , -.Nm SSL_CTX_get_ciphers , -.Nm SSL_get1_supported_ciphers , -.Nm SSL_get_client_ciphers , -.Nm SSL_get_cipher_list -.Nd get lists of available SSL_CIPHERs -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft STACK_OF(SSL_CIPHER) * -.Fn SSL_get_ciphers "const SSL *ssl" -.Ft STACK_OF(SSL_CIPHER) * -.Fn SSL_CTX_get_ciphers "const SSL_CTX *ctx" -.Ft STACK_OF(SSL_CIPHER) * -.Fn SSL_get1_supported_ciphers "SSL *ssl" -.Ft STACK_OF(SSL_CIPHER) * -.Fn SSL_get_client_ciphers "const SSL *ssl" -.Ft const char * -.Fn SSL_get_cipher_list "const SSL *ssl" "int priority" -.Sh DESCRIPTION -.Fn SSL_get_ciphers -returns the stack of available -.Vt SSL_CIPHER Ns s -for -.Fa ssl , -sorted by preference. -.Pp -.Fn SSL_CTX_get_ciphers -returns the stack of available -.Vt SSL_CIPHER Ns s -for -.Fa ctx . -.Pp -.Fn SSL_get1_supported_ciphers -returns a stack of enabled -.Vt SSL_CIPHER Ns s -for -.Fa ssl -as it would be sent in a ClientHello, sorted by preference. -The list depends on settings like the cipher list, the supported -protocol versions, the security level, and the enabled signature -algorithms. -The list of ciphers that would be sent in a ClientHello can differ -from the list of ciphers that would be acceptable when acting as a -server. -For example, -additional ciphers may be usable by a server if there is a gap in the -list of supported protocols, and some ciphers may not be usable by a -server if there is not a suitable certificate configured. -.Pp -.Fn SSL_get_client_ciphers -returns the stack of available -.Vt SSL_CIPHER Ns s -matching the list received from the client on -.Fa ssl . -.Pp -The details of the ciphers obtained by -.Fn SSL_get_ciphers , -.Fn SSL_CTX_get_ciphers , -.Fn SSL_get1_supported_ciphers , -and -.Fn SSL_get_client_ciphers -can be obtained using the -.Xr SSL_CIPHER_get_name 3 -family of functions. 
-.Pp -.Fn SSL_get_cipher_list -is deprecated \(em use -.Fn SSL_get_ciphers -instead \(em and badly misnamed; it does not return a list -but the name of one element of the return value of -.Fn SSL_get_ciphers , -with the index given by the -.Fa priority -argument. -Passing 0 selects the cipher with the highest priority. -To iterate over all available ciphers in decreasing priority, -repeatedly increment the argument by 1 until -.Dv NULL -is returned. -.Sh RETURN VALUES -.Fn SSL_get_ciphers -returns an internal pointer to a list of ciphers or -.Dv NULL -if -.Fa ssl -is -.Dv NULL -or if no ciphers are available. -The returned pointer may not only become invalid when -.Fa ssl -is destroyed or when -.Xr SSL_set_cipher_list 3 -is called on it, but also when the -.Vt SSL_CTX -object in use by -.Fa ssl -at the time of the call is freed or when -.Xr SSL_CTX_set_cipher_list 3 -is called on that context object. -.Pp -.Fn SSL_CTX_get_ciphers -returns an internal pointer to a list of ciphers or -.Dv NULL -if -.Fa ctx -is -.Dv NULL -or if no ciphers are available. -The returned pointer becomes invalid when -.Fa ctx -is destroyed or when -.Xr SSL_CTX_set_cipher_list 3 -is called on it. -.Pp -.Fn SSL_get1_supported_ciphers -returns a newly allocated list of ciphers or -.Dv NULL -if -.Fa ssl -is -.Dv NULL , -if no ciphers are available, or if an error occurs. -When the returned pointer is no longer needed, the caller is -responsible for freeing it using -.Fn sk_SSL_CIPHER_free . -.Pp -.Fn SSL_get_client_ciphers -returns an internal pointer to a list of ciphers or -.Dv NULL -if -.Fa ssl -is -.Dv NULL , -has no active session, -or is not operating in server mode. -The returned pointer becomes invalid when the -.Vt SSL_SESSION -object is destroyed, even if the -.Fa ssl -object remains valid. -It may also become invalid in other circumstances, -for example when processing a new ClientHello. 
-.Pp -.Fn SSL_get_cipher_list -returns an internal pointer to a string or -.Dv NULL -if -.Fa ssl -is -.Dv NULL , -if no ciphers are available, or if -.Fa priority -is greater than or equal to the number of available ciphers. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CIPHER_get_name 3 , -.Xr SSL_CTX_set_cipher_list 3 -.Sh HISTORY -.Fn SSL_get_cipher_list -first appeared in SSLeay 0.5.2. -.Fn SSL_get_ciphers -first appeared in SSLeay 0.8.0. -Both functions have been available since -.Ox 2.4 . -.Pp -.Fn SSL_CTX_get_ciphers -first appeared in OpenSSL 1.1.0 and has been available since -.Ox 6.3 . -.Pp -.Fn SSL_get1_supported_ciphers -and -.Fn SSL_get_client_ciphers -first appeared in OpenSSL 1.1.0 and has been available since -.Ox 6.5 . diff --git a/src/lib/libssl/man/SSL_get_client_CA_list.3 b/src/lib/libssl/man/SSL_get_client_CA_list.3 deleted file mode 100644 index e80e5cb6f5..0000000000 --- a/src/lib/libssl/man/SSL_get_client_CA_list.3 +++ /dev/null 
@@ -1,96 +0,0 @@
-.\" $OpenBSD: SSL_get_client_CA_list.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2002, 2005 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_CLIENT_CA_LIST 3
-.Os
-.Sh NAME
-.Nm SSL_get_client_CA_list ,
-.Nm SSL_CTX_get_client_CA_list
-.Nd get list of client CAs
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft STACK_OF(X509_NAME) *
-.Fn SSL_get_client_CA_list "const SSL *s"
-.Ft STACK_OF(X509_NAME) *
-.Fn SSL_CTX_get_client_CA_list "const SSL_CTX *ctx"
-.Sh DESCRIPTION
-.Fn SSL_CTX_get_client_CA_list
-returns the list of client CAs explicitly set for
-.Fa ctx
-using
-.Xr SSL_CTX_set_client_CA_list 3 .
-.Pp
-.Fn SSL_get_client_CA_list
-returns the list of client CAs explicitly set for
-.Fa ssl
-using
-.Fn SSL_set_client_CA_list
-or
-.Fa ssl Ns 's
-.Vt SSL_CTX
-object with
-.Xr SSL_CTX_set_client_CA_list 3 ,
-when in server mode.
-In client mode,
-.Fn SSL_get_client_CA_list
-returns the list of client CAs sent from the server, if any.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_client_CA_list 3 ,
-.Xr SSL_CTX_set_client_cert_cb 3 ,
-.Xr X509_NAME_new 3
-.Sh HISTORY
-.Fn SSL_get_client_CA_list
-and
-.Fn SSL_CTX_get_client_CA_list
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_client_random.3 b/src/lib/libssl/man/SSL_get_client_random.3
deleted file mode 100644
index eda74db355..0000000000
--- a/src/lib/libssl/man/SSL_get_client_random.3
+++ /dev/null
@@ -1,150 +0,0 @@
-.\" $OpenBSD: SSL_get_client_random.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
-.\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
-.\"
-.\" This file was written by Nick Mathewson
-.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 24 2018 $
-.Dt SSL_GET_CLIENT_RANDOM 3
-.Os
-.Sh NAME
-.Nm SSL_get_client_random ,
-.Nm SSL_get_server_random ,
-.Nm SSL_SESSION_get_master_key
-.Nd get internal TLS handshake random values and master key
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft size_t
-.Fo SSL_get_client_random
-.Fa "const SSL *ssl"
-.Fa "unsigned char *out"
-.Fa "size_t outlen"
-.Fc
-.Ft size_t
-.Fo SSL_get_server_random
-.Fa "const SSL *ssl"
-.Fa "unsigned char *out"
-.Fa "size_t outlen"
-.Fc
-.Ft size_t
-.Fo SSL_SESSION_get_master_key
-.Fa "const SSL_SESSION *session"
-.Fa "unsigned char *out"
-.Fa "size_t outlen"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_get_client_random
-extracts the random value that was sent from the client to the server
-during the initial TLS handshake.
-It copies at most
-.Fa outlen
-bytes of this value into the buffer
-.Fa out .
-If
-.Fa outlen
-is zero, nothing is copied.
-.Pp
-.Fn SSL_get_server_random
-behaves the same, but extracts the random value that was sent
-from the server to the client during the initial TLS handshake.
-.Pp
-.Fn SSL_SESSION_get_master_key
-behaves the same, but extracts the master secret used to guarantee the
-security of the TLS session.
-The security of the TLS session depends on keeping the master key
-secret: do not expose it, or any information about it, to anybody.
-To calculate another secret value that depends on the master secret,
-use
-.Xr SSL_export_keying_material 3
-instead.
-.Pp
-All these functions expose internal values from the TLS handshake,
-for use in low-level protocols.
-Avoid using them unless implementing a feature
-that requires access to the internal protocol details.
-.Pp
-Despite the names of
-.Fn SSL_get_client_random
-and
-.Fn SSL_get_server_random ,
-they are not random number generators.
-Instead, they return the mostly-random values that were already
-generated and used in the TLS protocol.
-.Pp
-In current versions of the TLS protocols,
-the length of client_random and server_random is always
-.Dv SSL3_RANDOM_SIZE
-bytes.
-Support for other
-.Fa outlen
-arguments is provided for the unlikely event that a future
-version or variant of TLS uses some other length.
-.Pp
-Finally, though the client_random and server_random values are called
-.Dq random ,
-many TLS implementations generate four bytes of those values
-based on their view of the current time.
-.Sh RETURN VALUES
-If
-.Fa outlen
-is greater than 0, these functions return the number of bytes
-actually copied, which is less than or equal to
-.Fa outlen .
-If
-.Fa outlen
-is 0, these functions return the maximum number of bytes they would
-copy \(em that is, the length of the underlying field.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_export_keying_material 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_time 3 ,
-.Xr SSL_SESSION_new 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.0
-and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_get_current_cipher.3 b/src/lib/libssl/man/SSL_get_current_cipher.3
deleted file mode 100644
index 6b951d03ca..0000000000
--- a/src/lib/libssl/man/SSL_get_current_cipher.3
+++ /dev/null
@@ -1,122 +0,0 @@
-.\" $OpenBSD: SSL_get_current_cipher.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2005, 2016 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_CURRENT_CIPHER 3
-.Os
-.Sh NAME
-.Nm SSL_get_current_cipher ,
-.Nm SSL_get_cipher ,
-.Nm SSL_get_cipher_name ,
-.Nm SSL_get_cipher_bits ,
-.Nm SSL_get_cipher_version
-.Nd get SSL_CIPHER of a connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const SSL_CIPHER *
-.Fn SSL_get_current_cipher "const SSL *ssl"
-.Ft const char *
-.Fn SSL_get_cipher "const SSL *ssl"
-.Ft const char *
-.Fn SSL_get_cipher_name "const SSL *ssl"
-.Ft int
-.Fn SSL_get_cipher_bits "const SSL *ssl" "int *np"
-.Ft char *
-.Fn SSL_get_cipher_version "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_current_cipher
-returns a pointer to an
-.Vt SSL_CIPHER
-object containing the description of the actually used cipher of a connection
-established with the
-.Fa ssl
-object.
-See
-.Xr SSL_CIPHER_get_name 3
-for more details.
-.Pp
-.Fn SSL_get_cipher_name
-obtains the name of the currently used cipher.
-.Fn SSL_get_cipher
-is identical to
-.Fn SSL_get_cipher_name .
-.Pp
-.Fn SSL_get_cipher_bits
-obtains the number of secret/algorithm bits used and
-.Fn SSL_get_cipher_version
-returns the protocol name.
-.Pp
-.Fn SSL_get_cipher ,
-.Fn SSL_get_cipher_name ,
-.Fn SSL_get_cipher_bits ,
-and
-.Fn SSL_get_cipher_version
-are implemented as macros.
-.Sh RETURN VALUES
-.Fn SSL_get_current_cipher
-returns the cipher actually used, or
-.Dv NULL
-if no session has been established.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CIPHER_get_name 3
-.Sh HISTORY
-.Fn SSL_get_cipher
-appeared in SSLeay 0.4 or earlier.
-.Fn SSL_get_cipher_bits
-first appeared in SSLeay 0.6.4.
-.Fn SSL_get_cipher_name
-and
-.Fn SSL_get_cipher_version
-first appeared in SSLeay 0.8.0.
-.Fn SSL_get_current_cipher
-first appeared in SSLeay 0.8.1.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_default_timeout.3 b/src/lib/libssl/man/SSL_get_default_timeout.3
deleted file mode 100644
index 47737d8ee0..0000000000
--- a/src/lib/libssl/man/SSL_get_default_timeout.3
+++ /dev/null
@@ -1,85 +0,0 @@
-.\" $OpenBSD: SSL_get_default_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2005 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_DEFAULT_TIMEOUT 3
-.Os
-.Sh NAME
-.Nm SSL_get_default_timeout
-.Nd get default session timeout value
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fn SSL_get_default_timeout "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_default_timeout
-returns the default timeout value assigned to
-.Vt SSL_SESSION
-objects negotiated for the protocol valid for
-.Fa ssl .
-.Pp
-Whenever a new session is negotiated, it is assigned a timeout value,
-after which it will not be accepted for session reuse.
-If the timeout value was not explicitly set using
-.Xr SSL_CTX_set_timeout 3 ,
-the hardcoded default timeout for the protocol will be used.
-.Pp
-.Fn SSL_get_default_timeout
-return this hardcoded value, which is 300 seconds for all currently supported
-protocols (SSLv2, SSLv3, and TLSv1).
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_SESSION_get_time 3
-.Sh HISTORY
-.Fn SSL_get_default_timeout
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_error.3 b/src/lib/libssl/man/SSL_get_error.3
deleted file mode 100644
index 5d325b3f56..0000000000
--- a/src/lib/libssl/man/SSL_get_error.3
+++ /dev/null
@@ -1,217 +0,0 @@
-.\" $OpenBSD: SSL_get_error.3,v 1.5 2018/04/29 07:37:01 guenther Exp $
-.\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
-.\"
-.\" This file was written by Bodo Moeller .
-.\" Copyright (c) 2000, 2001, 2002, 2005 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: April 29 2018 $
-.Dt SSL_GET_ERROR 3
-.Os
-.Sh NAME
-.Nm SSL_get_error
-.Nd obtain result code for TLS/SSL I/O operation
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_get_error "const SSL *ssl" "int ret"
-.Sh DESCRIPTION
-.Fn SSL_get_error
-returns a result code (suitable for the C
-.Dq switch
-statement) for a preceding call to
-.Xr SSL_connect 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_peek 3 ,
-or
-.Xr SSL_write 3
-on
-.Fa ssl .
-The value returned by that TLS/SSL I/O function must be passed to
-.Fn SSL_get_error
-in parameter
-.Fa ret .
-.Pp
-In addition to
-.Fa ssl
-and
-.Fa ret ,
-.Fn SSL_get_error
-inspects the current thread's OpenSSL error queue.
-Thus,
-.Fn SSL_get_error
-must be used in the same thread that performed the TLS/SSL I/O operation,
-and no other OpenSSL function calls should appear in between.
-The current thread's error queue must be empty before the TLS/SSL I/O operation
-is attempted, or
-.Fn SSL_get_error
-will not work reliably.
-.Sh RETURN VALUES
-The following return values can currently occur:
-.Bl -tag -width Ds
-.It Dv SSL_ERROR_NONE
-The TLS/SSL I/O operation completed.
-This result code is returned if and only if
-.Fa ret
-> 0.
-.It Dv SSL_ERROR_ZERO_RETURN
-The TLS/SSL connection has been closed.
-If the protocol version is SSL 3.0 or TLS 1.0, this result code is returned
-only if a closure alert has occurred in the protocol, i.e., if the connection
-has been closed cleanly.
-Note that in this case
-.Dv SSL_ERROR_ZERO_RETURN
-does not necessarily indicate that the underlying transport has been closed.
-.It Dv SSL_ERROR_WANT_READ , Dv SSL_ERROR_WANT_WRITE
-The operation did not complete;
-the same TLS/SSL I/O function should be called again later.
-If, by then, the underlying
-.Vt BIO
-has data available for reading (if the result code is
-.Dv SSL_ERROR_WANT_READ )
-or allows writing data
-.Pq Dv SSL_ERROR_WANT_WRITE ,
-then some TLS/SSL protocol progress will take place,
-i.e., at least part of a TLS/SSL record will be read or written.
-Note that the retry may again lead to a
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE
-condition.
-There is no fixed upper limit for the number of iterations that may be
-necessary until progress becomes visible at application protocol level.
-.Pp
-For socket
-.Fa BIO Ns
-s (e.g., when
-.Fn SSL_set_fd
-was used),
-.Xr select 2
-or
-.Xr poll 2
-on the underlying socket can be used to find out when the TLS/SSL I/O function
-should be retried.
-.Pp
-Caveat: Any TLS/SSL I/O function can lead to either of
-.Dv SSL_ERROR_WANT_READ
-and
-.Dv SSL_ERROR_WANT_WRITE .
-In particular,
-.Xr SSL_read 3
-or
-.Xr SSL_peek 3
-may want to write data and
-.Xr SSL_write 3
-may want
-to read data.
-This is mainly because TLS/SSL handshakes may occur at any time during the
-protocol (initiated by either the client or the server);
-.Xr SSL_read 3 ,
-.Xr SSL_peek 3 ,
-and
-.Xr SSL_write 3
-will handle any pending handshakes.
-.It Dv SSL_ERROR_WANT_CONNECT , Dv SSL_ERROR_WANT_ACCEPT
-The operation did not complete; the same TLS/SSL I/O function should be
-called again later.
-The underlying BIO was not connected yet to the peer and the call would block
-in
-.Xr connect 2 Ns / Ns
-.Xr accept 2 .
-The SSL function should be
-called again when the connection is established.
-These messages can only appear with a
-.Xr BIO_s_connect 3
-or
-.Xr BIO_s_accept 3
-.Vt BIO ,
-respectively.
-In order to find out when the connection has been successfully established,
-on many platforms
-.Xr select 2
-or
-.Xr poll 2
-for writing on the socket file descriptor can be used.
-.It Dv SSL_ERROR_WANT_X509_LOOKUP
-The operation did not complete because an application callback set by
-.Xr SSL_CTX_set_client_cert_cb 3
-has asked to be called again.
-The TLS/SSL I/O function should be called again later.
-Details depend on the application.
-.It Dv SSL_ERROR_SYSCALL
-Some I/O error occurred.
-The OpenSSL error queue may contain more information on the error.
-If the error queue is empty (i.e.,
-.Fn ERR_get_error
-returns 0),
-.Fa ret
-can be used to find out more about the error:
-If
-.Fa ret
-== 0, an
-.Dv EOF
-was observed that violates the protocol.
-If
-.Fa ret
-== \(mi1, the underlying
-.Vt BIO
-reported an
-I/O error (for socket I/O on Unix systems, consult
-.Dv errno
-for details).
-.It Dv SSL_ERROR_SSL
-A failure in the SSL library occurred, usually a protocol error.
-The OpenSSL error queue contains more information on the error.
-.El
-.Sh SEE ALSO
-.Xr err 3 ,
-.Xr ssl 3
-.Sh HISTORY
-.Fn SSL_get_error
-first appeared in SSLeay 0.8.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 b/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
deleted file mode 100644
index a249cda6ac..0000000000
--- a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
+++ /dev/null
@@ -1,116 +0,0 @@
-.\" $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.5 2022/02/06 00:29:02 jsg Exp $
-.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: February 6 2022 $
-.Dt SSL_GET_EX_DATA_X509_STORE_CTX_IDX 3
-.Os
-.Sh NAME
-.Nm SSL_get_ex_data_X509_STORE_CTX_idx
-.Nd get ex_data index to access SSL structure from X509_STORE_CTX
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx void
-.Sh DESCRIPTION
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx
-returns the index number under which the pointer to the
-.Vt SSL
-object is stored into the
-.Vt X509_STORE_CTX
-object.
-.Pp
-Whenever a
-.Vt X509_STORE_CTX
-object is created for the verification of the peer's certificate during a
-handshake, a pointer to the
-.Vt SSL
-object is stored into the
-.Vt X509_STORE_CTX
-object to identify the connection affected.
-To retrieve this pointer the
-.Xr X509_STORE_CTX_get_ex_data 3
-function can be used with the correct index.
-This index is globally the same for all
-.Vt X509_STORE_CTX
-objects and can be retrieved using
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx .
-The index value is set when
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx
-is first called either by the application program directly or indirectly during
-other SSL setup functions or during the handshake.
-.Pp
-The value depends on other index values defined for
-.Vt X509_STORE_CTX
-objects before the SSL index is created.
-.Sh RETURN VALUES
-.Bl -tag -width Ds
-.It \(>=0
-The index value to access the pointer.
-.It <0
-An error occurred, check the error stack for a detailed error message.
-.El
-.Sh EXAMPLES
-The index returned from
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx
-provides access to
-.Vt SSL
-object for the connection during the
-.Fn verify_callback
-when checking the peer's certificate.
-Check the example in
-.Xr SSL_CTX_set_verify 3 .
-.Sh SEE ALSO
-.Xr CRYPTO_set_ex_data 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_verify 3
-.Sh HISTORY
-.Fn SSL_get_ex_data_X509_STORE_CTX_idx
-first appeared in SSLeay 0.9.1 and has been available since
-.Ox 2.6 .
diff --git a/src/lib/libssl/man/SSL_get_ex_new_index.3 b/src/lib/libssl/man/SSL_get_ex_new_index.3
deleted file mode 100644
index cecd25fa44..0000000000
--- a/src/lib/libssl/man/SSL_get_ex_new_index.3
+++ /dev/null
@@ -1,136 +0,0 @@
-.\" $OpenBSD: SSL_get_ex_new_index.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2005 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_EX_NEW_INDEX 3
-.Os
-.Sh NAME
-.Nm SSL_get_ex_new_index ,
-.Nm SSL_set_ex_data ,
-.Nm SSL_get_ex_data
-.Nd internal application specific data functions
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_get_ex_new_index
-.Fa "long argl"
-.Fa "void *argp"
-.Fa "CRYPTO_EX_new *new_func"
-.Fa "CRYPTO_EX_dup *dup_func"
-.Fa "CRYPTO_EX_free *free_func"
-.Fc
-.Ft int
-.Fn SSL_set_ex_data "SSL *ssl" "int idx" "void *arg"
-.Ft void *
-.Fn SSL_get_ex_data "const SSL *ssl" "int idx"
-.Bd -literal
-typedef int new_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp);
-typedef void free_func(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
- int idx, long argl, void *argp);
-typedef int dup_func(CRYPTO_EX_DATA *to, CRYPTO_EX_DATA *from, void *from_d,
- int idx, long argl, void *argp);
-.Ed
-.Sh DESCRIPTION
-Several OpenSSL structures can have application specific data attached to them.
-These functions are used internally by OpenSSL to manipulate application
-specific data attached to a specific structure.
-.Pp
-.Fn SSL_get_ex_new_index
-is used to register a new index for application specific data.
-.Pp
-.Fn SSL_set_ex_data
-is used to store application data at
-.Fa arg
-for
-.Fa idx
-into the
-.Fa ssl
-object.
-.Pp
-.Fn SSL_get_ex_data
-is used to retrieve the information for
-.Fa idx
-from
-.Fa ssl .
-.Pp
-A detailed description for the
-.Fn *_get_ex_new_index
-functionality can be found in
-.Xr RSA_get_ex_new_index 3 .
-The
-.Fn *_get_ex_data
-and
-.Fn *_set_ex_data
-functionality is described in
-.Xr CRYPTO_set_ex_data 3 .
-.Sh EXAMPLES
-An example of how to use the functionality is included in the example
-.Fn verify_callback
-in
-.Xr SSL_CTX_set_verify 3 .
-.Sh SEE ALSO
-.Xr CRYPTO_set_ex_data 3 ,
-.Xr RSA_get_ex_new_index 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_verify 3
-.Sh HISTORY
-Precursor functions
-.Fn SSL_set_app_data
-and
-.Fn SSL_get_app_data
-first appeared in SSLeay 0.6.1.
-.Pp
-.Fn SSL_get_ex_new_index ,
-.Fn SSL_set_ex_data ,
-and
-.Fn SSL_get_ex_data
-first appeared in SSLeay 0.9.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_fd.3 b/src/lib/libssl/man/SSL_get_fd.3
deleted file mode 100644
index 1e093424cb..0000000000
--- a/src/lib/libssl/man/SSL_get_fd.3
+++ /dev/null
@@ -1,103 +0,0 @@
-.\" $OpenBSD: SSL_get_fd.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2005, 2013 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_FD 3
-.Os
-.Sh NAME
-.Nm SSL_get_fd ,
-.Nm SSL_get_rfd ,
-.Nm SSL_get_wfd
-.Nd get file descriptor linked to an SSL object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_get_fd "const SSL *ssl"
-.Ft int
-.Fn SSL_get_rfd "const SSL *ssl"
-.Ft int
-.Fn SSL_get_wfd "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_fd
-returns the file descriptor which is linked to
-.Fa ssl .
-.Fn SSL_get_rfd
-and
-.Fn SSL_get_wfd
-return the file descriptors for the read or the write channel,
-which can be different.
-If the read and the write channel are different,
-.Fn SSL_get_fd
-will return the file descriptor of the read channel.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It \(mi1
-The operation failed, because the underlying
-.Vt BIO
-is not of the correct type (suitable for file descriptors).
-.It \(>=0
-The file descriptor linked to
-.Fa ssl .
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_set_fd 3
-.Sh HISTORY
-.Fn SSL_get_fd
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_get_rfd
-and
-.Fn SSL_get_wfd
-first appeared in OpenSSL 0.9.6c and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libssl/man/SSL_get_finished.3 b/src/lib/libssl/man/SSL_get_finished.3
deleted file mode 100644
index 3cfb655ea0..0000000000
--- a/src/lib/libssl/man/SSL_get_finished.3
+++ /dev/null
@@ -1,77 +0,0 @@
-.\" $OpenBSD: SSL_get_finished.3,v 1.2 2021/01/30 10:48:15 tb Exp $
-.\"
-.\" Copyright (c) 2020 Theo Buehler
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 30 2021 $
-.Dt SSL_GET_FINISHED 3
-.Os
-.Sh NAME
-.Nm SSL_get_finished ,
-.Nm SSL_get_peer_finished
-.Nd get last sent or last expected finished message
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft size_t
-.Fn SSL_get_finished "const SSL *ssl" "void *buf" "size_t count"
-.Ft size_t
-.Fn SSL_get_peer_finished "const SSL *ssl" "void *buf" "size_t count"
-.Sh DESCRIPTION
-.Fn SSL_get_finished
-and
-.Fn SSL_get_peer_finished
-copy
-.Fa count
-bytes from the last finished message sent to the peer
-or expected from the peer into the
-caller-provided buffer
-.Fa buf .
-.Pp
-The finished message is computed from a checksum of the handshake records
-exchanged with the peer.
-Its length depends on the ciphersuite in use and is at most
-.Dv EVP_MAX_MD_SIZE ,
-i.e., 64 bytes.
-.\" In TLSv1.3 the length is equal to the length of the hash algorithm
-.\" used by the hash-based message authentication code (HMAC),
-.\" which is currently either 32 bytes for SHA-256 or 48 bytes for SHA-384.
-.\" In TLSv1.2 the length defaults to 12 bytes, but it can explicitly be
-.\" specified by the ciphersuite to be longer.
-.\" In TLS versions 1.1 and 1.0, the finished message has a fixed length
-.\" of 12 bytes.
-.Sh RETURN VALUES
-.Fn SSL_get_finished
-and
-.Fn SSL_get_peer_finished
-return the number of bytes copied into
-.Fa buf .
-The return value is zero if the handshake has not reached the
-finished message.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_set_session 3
-.Sh STANDARDS
-RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3,
-section 4.4.4: Finished.
-.Pp
-RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2,
-section 7.4.9: Finished.
-.Sh HISTORY
-.Fn SSL_get_finished
-and
-.Fn SSL_get_peer_finished
-first appeared in SSLeay 0.9.5
-and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libssl/man/SSL_get_peer_cert_chain.3 b/src/lib/libssl/man/SSL_get_peer_cert_chain.3
deleted file mode 100644
index eb2ae53dc4..0000000000
--- a/src/lib/libssl/man/SSL_get_peer_cert_chain.3
+++ /dev/null
@@ -1,107 +0,0 @@
-.\" $OpenBSD: SSL_get_peer_cert_chain.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL SSL_get_peer_cert_chain.pod 1f164c6f Jan 18 01:40:36 2017 +0100
-.\" OpenSSL SSL_get_peer_cert_chain.pod 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2005, 2014, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_PEER_CERT_CHAIN 3
-.Os
-.Sh NAME
-.Nm SSL_get_peer_cert_chain
-.Nd get the X509 certificate chain sent by the peer
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft STACK_OF(X509) *
-.Fn SSL_get_peer_cert_chain "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_peer_cert_chain
-returns a pointer to
-.Dv STACK_OF Ns Po Vt X509 Pc
-certificates forming the certificate chain of the peer.
-If called on the client side, the stack also contains the peer's certificate;
-if called on the server side, the peer's certificate must be obtained
-separately using
-.Xr SSL_get_peer_certificate 3 .
-If the peer did not present a certificate,
-.Dv NULL
-is returned.
-.Pp
-.Fn SSL_get_peer_cert_chain
-returns the peer chain as sent by the peer: it only consists of
-certificates the peer has sent (in the order the peer has sent them)
-and it is not a verified chain.
-.Pp
-If the session is resumed, peers do not send certificates, so a
-.Dv NULL
-pointer is returned.
-Applications can call
-.Fn SSL_session_reused
-to determine whether a session is resumed.
-.Pp
-The reference count of the
-.Dv STACK_OF Ns Po Vt X509 Pc
-object is not incremented.
-If the corresponding session is freed, the pointer must not be used any longer.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It Dv NULL
-No certificate was presented by the peer or no connection was established or
-the certificate chain is no longer available when a session is reused.
-.It Pointer to a Dv STACK_OF Ns Po X509 Pc
-The return value points to the certificate chain presented by the peer.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_get_peer_certificate 3
-.Sh HISTORY
-.Fn SSL_get_peer_cert_chain
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_peer_certificate.3 b/src/lib/libssl/man/SSL_get_peer_certificate.3
deleted file mode 100644
index 99f9330288..0000000000
--- a/src/lib/libssl/man/SSL_get_peer_certificate.3
+++ /dev/null
@@ -1,105 +0,0 @@
-.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.6 2021/06/26 17:36:28 tb Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2005 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 26 2021 $
-.Dt SSL_GET_PEER_CERTIFICATE 3
-.Os
-.Sh NAME
-.Nm SSL_get_peer_certificate
-.Nd get the X509 certificate of the peer
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft X509 *
-.Fn SSL_get_peer_certificate "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_peer_certificate
-returns a pointer to the X509 certificate the peer presented.
-If the peer did not present a certificate,
-.Dv NULL
-is returned.
-.Pp
-Due to the protocol definition, a TLS/SSL server will always send a
-certificate, if present.
-A client will only send a certificate when explicitly requested to do so by the
-server (see
-.Xr SSL_CTX_set_verify 3 ) .
-If an anonymous cipher is used, no certificates are sent.
-.Pp
-That a certificate is returned does not indicate information about the
-verification state.
-Use
-.Xr SSL_get_verify_result 3
-to check the verification state.
-.Pp
-The reference count of the
-.Vt X509
-object is incremented by one, so that it will not be destroyed when the session
-containing the peer certificate is freed.
-The
-.Vt X509
-object must be explicitly freed using
-.Xr X509_free 3 .
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It Dv NULL
-No certificate was presented by the peer or no connection was established.
-.It Pointer to an X509 certificate
-The return value points to the certificate presented by the peer.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr SSL_get0_peername 3 ,
-.Xr SSL_get_verify_result 3
-.Sh HISTORY
-.Fn SSL_get_peer_certificate
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_rbio.3 b/src/lib/libssl/man/SSL_get_rbio.3
deleted file mode 100644
index 38096fbecf..0000000000
--- a/src/lib/libssl/man/SSL_get_rbio.3
+++ /dev/null
@@ -1,98 +0,0 @@
-.\" $OpenBSD: SSL_get_rbio.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2013 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_GET_RBIO 3
-.Os
-.Sh NAME
-.Nm SSL_get_rbio ,
-.Nm SSL_get_wbio
-.Nd get BIO linked to an SSL object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft BIO *
-.Fn SSL_get_rbio "SSL *ssl"
-.Ft BIO *
-.Fn SSL_get_wbio "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_rbio
-and
-.Fn SSL_get_wbio
-return pointers to the
-.Vt BIO Ns s
-for the read or the write channel, which can be different.
-The reference count of the
-.Vt BIO
-is not incremented.
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It Dv NULL
-No
-.Vt BIO
-was connected to the
-.Vt SSL
-object.
-.It Any other pointer
-The
-.Vt BIO
-linked to
-.Fa ssl .
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_set_bio 3
-.Sh HISTORY
-.Fn SSL_get_rbio
-and
-.Fn SSL_get_wbio
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_get_server_tmp_key.3 b/src/lib/libssl/man/SSL_get_server_tmp_key.3
deleted file mode 100644
index aeeb358240..0000000000
--- a/src/lib/libssl/man/SSL_get_server_tmp_key.3
+++ /dev/null
@@ -1,89 +0,0 @@
-.\" $OpenBSD: SSL_get_server_tmp_key.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
-.\" OpenSSL SSL_get_server_tmp_key.pod 508fafd8 Apr 3 15:41:21 2017 +0100
-.\"
-.\" This file was written by Matt Caswell
-.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_GET_SERVER_TMP_KEY 3
-.Os
-.Sh NAME
-.Nm SSL_get_server_tmp_key
-.Nd temporary server key during a handshake
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fo SSL_get_server_tmp_key
-.Fa "SSL *ssl"
-.Fa "EVP_PKEY **key"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_get_server_tmp_key
-retrieves the temporary key provided by the server
-and used during key exchange.
-For example, if ECDHE is in use,
-this represents the server's public ECDHE key.
-.Pp
-In case of success, a copy of the key is stored in
-.Pf * Fa key .
-It is the caller's responsibility to free this key after use using
-.Xr EVP_PKEY_free 3 .
-.Pp
-This function may only be called by the client.
-.Pp
-This function is implemented as a macro.
-.Sh RETURN VALUES
-.Fn SSL_get_server_tmp_key
-returns 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr EVP_PKEY_free 3 ,
-.Xr ssl 3 ,
-.Xr SSL_ctrl 3
-.Sh HISTORY
-.Fn SSL_get_server_tmp_key
-first appeared in OpenSSL 1.0.2 and has been available since
-.Ox 6.1 .
diff --git a/src/lib/libssl/man/SSL_get_session.3 b/src/lib/libssl/man/SSL_get_session.3
deleted file mode 100644
index 2ab43fdd3e..0000000000
--- a/src/lib/libssl/man/SSL_get_session.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\" $OpenBSD: SSL_get_session.3,v 1.8 2022/03/31 17:27:18 naddy Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2000, 2001, 2005, 2013, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 31 2022 $
-.Dt SSL_GET_SESSION 3
-.Os
-.Sh NAME
-.Nm SSL_get_session ,
-.Nm SSL_get0_session ,
-.Nm SSL_get1_session
-.Nd retrieve TLS/SSL session data
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL_SESSION *
-.Fn SSL_get_session "const SSL *ssl"
-.Ft SSL_SESSION *
-.Fn SSL_get0_session "const SSL *ssl"
-.Ft SSL_SESSION *
-.Fn SSL_get1_session "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_get_session
-returns a pointer to the
-.Vt SSL_SESSION
-actually used in
-.Fa ssl .
-The reference count of the
-.Vt SSL_SESSION
-is not incremented, so that the pointer can become invalid by other operations.
-.Pp
-.Fn SSL_get0_session
-is the same as
-.Fn SSL_get_session .
-.Pp
-.Fn SSL_get1_session
-is the same as
-.Fn SSL_get_session ,
-but the reference count of the
-.Vt SSL_SESSION
-is incremented by one.
-.Pp
-The
-.Fa ssl
-session contains all information required to re-establish the connection
-without a new handshake.
-.Pp
-.Fn SSL_get0_session
-returns a pointer to the actual session.
-As the reference counter is not incremented,
-the pointer is only valid while the connection is in use.
-If
-.Xr SSL_clear 3
-or
-.Xr SSL_free 3
-is called, the session may be removed completely (if considered bad),
-and the pointer obtained will become invalid.
-Even if the session is valid,
-it can be removed at any time due to timeout during
-.Xr SSL_CTX_flush_sessions 3 .
-.Pp
-If the data is to be kept,
-.Fn SSL_get1_session
-will increment the reference count, so that the session will not be implicitly
-removed by other operations but stays in memory.
-In order to remove the session,
-.Xr SSL_SESSION_free 3
-must be explicitly called once to decrement the reference count again.
-.Pp
-.Vt SSL_SESSION
-objects keep internal link information about the session cache list when being
-inserted into one
-.Vt SSL_CTX
-object's session cache.
-One
-.Vt SSL_SESSION
-object, regardless of its reference count, must therefore only be used with one
-.Vt SSL_CTX
-object (and the
-.Vt SSL
-objects created from this
-.Vt SSL_CTX
-object).
-.Sh RETURN VALUES
-The following return values can occur:
-.Bl -tag -width Ds
-.It Dv NULL
-There is no session available in
-.Fa ssl .
-.It Pointer to an Vt SSL_SESSION
-The return value points to the data of an
-.Vt SSL
-session.
-.El
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_clear 3 ,
-.Xr SSL_free 3 ,
-.Xr SSL_SESSION_free 3 ,
-.Xr SSL_SESSION_get0_peer 3 ,
-.Xr SSL_SESSION_get_compress_id 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_protocol_version 3 ,
-.Xr SSL_SESSION_get_time 3 ,
-.Xr SSL_SESSION_new 3 ,
-.Xr SSL_SESSION_print 3 ,
-.Xr SSL_set_session 3
-.Sh HISTORY
-.Fn SSL_get_session
-first appeared in SSLeay 0.5.2 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_get0_session
-and
-.Fn SSL_get1_session
-first appeared in OpenSSL 0.9.5 and have been available since
-.Ox 2.7 .
diff --git a/src/lib/libssl/man/SSL_get_shared_ciphers.3 b/src/lib/libssl/man/SSL_get_shared_ciphers.3
deleted file mode 100644
index 207e8c42eb..0000000000
--- a/src/lib/libssl/man/SSL_get_shared_ciphers.3
+++ /dev/null
@@ -1,103 +0,0 @@ -.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.5 2021/01/09 10:50:02 tb Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: January 9 2021 $ -.Dt SSL_GET_SHARED_CIPHERS 3 -.Os -.Sh NAME -.Nm SSL_get_shared_ciphers -.Nd ciphers supported by both client and server -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft char * -.Fo SSL_get_shared_ciphers -.Fa "const SSL *ssl" -.Fa "char *buf" -.Fa "int len" -.Fc -.Sh DESCRIPTION -If -.Fa ssl -contains a session in server mode, -.Fn SSL_get_shared_ciphers -puts as many names of ciphers that are supported by both the client -and the server into the buffer -.Fa buf -as the buffer is long enough to contain. -Names are separated by colons. -At most -.Fa len -bytes are written to -.Fa buf -including the terminating NUL character. -.Sh RETURN VALUES -.Fn SSL_get_shared_ciphers -returns -.Fa buf -on success or -.Dv NULL -on failure. -The following situations cause failure: -.Bl -bullet -.It -.Xr SSL_is_server 3 -is false, i.e., -.Ar ssl -is not set to server mode. -.It -.Xr SSL_get_ciphers 3 -is -.Dv NULL -or empty, i.e., no ciphers are available for use by the server. -.It -.Xr SSL_get_session 3 -is -.Dv NULL , -i.e., -.Ar ssl -contains no session. 
-.It -.Xr SSL_get_client_ciphers 3 -is -.Dv NULL -or empty, i.e., -.Ar ssl -contains no information about ciphers supported by the client, -or the client does not support any ciphers. -.It -The -.Fa len -argument is less than 2. -.El -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_get_ciphers 3 -.Sh HISTORY -.Fn SSL_get_shared_ciphers -first appeared in SSLeay 0.4.5b and has been available since -.Ox 2.4 . -.Sh BUGS -If the list is too long to fit into -.Fa len -bytes, it is silently truncated after the last cipher name that fits, -and all following ciphers are skipped. -If the buffer is very short such that even the first cipher name -does not fit, an empty string is returned even when some shared -ciphers are actually available. -.Pp -There is no easy way to find out how much space is required for -.Fa buf -or whether the supplied space was sufficient. diff --git a/src/lib/libssl/man/SSL_get_state.3 b/src/lib/libssl/man/SSL_get_state.3 deleted file mode 100644 index 297bbce876..0000000000 --- a/src/lib/libssl/man/SSL_get_state.3 +++ /dev/null 
@@ -1,161 +0,0 @@ -.\" $OpenBSD: SSL_get_state.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $ -.\" -.\" Copyright (c) 2016 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_GET_STATE 3 -.Os -.Sh NAME -.Nm SSL_get_state , -.Nm SSL_state , -.Nm SSL_in_accept_init , -.Nm SSL_in_before , -.Nm SSL_in_connect_init , -.Nm SSL_in_init , -.Nm SSL_is_init_finished -.Nd inspect the state of the SSL state machine -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo SSL_get_state -.Fa "const SSL *ssl" -.Fc -.Ft int -.Fo SSL_state -.Fa "const SSL *ssl" -.Fc -.Ft int -.Fo SSL_in_accept_init -.Fa "const SSL *ssl" -.Fc -.Ft int -.Fo SSL_in_before -.Fa "const SSL *ssl" -.Fc -.Ft int -.Fo SSL_in_connect_init -.Fa "const SSL *ssl" -.Fc -.Ft int -.Fo SSL_in_init -.Fa "const SSL *ssl" -.Fc -.Ft int -.Fo SSL_is_init_finished -.Fa "const SSL *ssl" -.Fc -.Sh DESCRIPTION -.Fn SSL_get_state -returns an encoded representation of the current state of the SSL -state machine. -.Fn SSL_state -is a deprecated alias for -.Fn SSL_get_state . -.Pp -The following bits may be set: -.Bl -tag -width Ds -.It Dv SSL_ST_ACCEPT -This bit is set by -.Xr SSL_accept 3 -and by -.Xr SSL_set_accept_state 3 . 
-It indicates that -.Fa ssl -is set up for server mode and no client initiated the TLS handshake yet. -The function -.Fn SSL_in_accept_init -returns non-zero if this bit is set or 0 otherwise. -.It Dv SSL_ST_BEFORE -This bit is set by the -.Xr SSL_accept 3 , -.Xr SSL_connect 3 , -.Xr SSL_set_accept_state 3 , -and -.Xr SSL_set_connect_state 3 -functions. -It indicates that the TLS handshake was not initiated yet. -The function -.Fn SSL_in_before -returns non-zero if this bit is set or 0 otherwise. -.It Dv SSL_ST_CONNECT -This bit is set by -.Xr SSL_connect 3 -and by -.Xr SSL_set_connect_state 3 . -It indicates that -.Fa ssl -is set up for client mode and no TLS handshake was initiated yet. -The function -.Fn SSL_in_connect_init -returns non-zero if this bit is set or 0 otherwise. -.El -.Pp -The following masks can be used: -.Bl -tag -width Ds -.It Dv SSL_ST_INIT -Set if -.Dv SSL_ST_ACCEPT -or -.Dv SSL_ST_CONNECT -is set. -The function -.Fn SSL_in_init -returns a non-zero value if one of these is set or 0 otherwise. -.It Dv SSL_ST_MASK -This mask includes all bits except -.Dv SSL_ST_ACCEPT , -.Dv SSL_ST_BEFORE , -and -.Dv SSL_ST_CONNECT . -.It Dv SSL_ST_OK -The state is set to this value when a connection is established. -The function -.Fn SSL_is_init_finished -returns a non-zero value if the state equals this constant, or 0 otherwise. -.It Dv SSL_ST_RENEGOTIATE -The program is about to renegotiate, for example when entering -.Xr SSL_read 3 -or -.Xr SSL_write 3 -right after -.Xr SSL_renegotiate 3 -was called. -.El -.Pp -The meaning of other bits is protocol-dependent. -Application programs usually do not need to inspect any of those -other bits. -.Pp -All these functions may be implemented as macros. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_renegotiate 3 , -.Xr SSL_set_connect_state 3 -.Sh HISTORY -.Fn SSL_is_init_finished -first appeared in SSLeay 0.4.5b. -.Fn SSL_state -first appeared in SSLeay 0.5.2. 
-.Fn SSL_in_accept_init , -.Fn SSL_in_connect_init , -and -.Fn SSL_in_init -first appeared in SSLeay 0.6.0. -.Fn SSL_in_before -first appeared in SSLeay 0.8.0. -.Fn SSL_get_state -first appeared in SSLeay 0.9.0. -All these functions have been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_get_verify_result.3 b/src/lib/libssl/man/SSL_get_verify_result.3 deleted file mode 100644 index 180cf1bb73..0000000000 --- a/src/lib/libssl/man/SSL_get_verify_result.3 +++ /dev/null 
@@ -1,102 +0,0 @@ -.\" $OpenBSD: SSL_get_verify_result.3,v 1.6 2021/06/26 17:36:28 tb Exp $ -.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2001, 2005 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 26 2021 $ -.Dt SSL_GET_VERIFY_RESULT 3 -.Os -.Sh NAME -.Nm SSL_get_verify_result -.Nd get result of peer certificate verification -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft long -.Fn SSL_get_verify_result "const SSL *ssl" -.Sh DESCRIPTION -.Fn SSL_get_verify_result -returns the result of the verification of the X509 certificate presented by the -peer, if any. -.Pp -.Fn SSL_get_verify_result -can only return one error code while the verification of a certificate can fail -because of many reasons at the same time. -Only the last verification error that occurred during the processing is -available from -.Fn SSL_get_verify_result . -.Pp -The verification result is part of the established session and is restored when -a session is reused. -.Sh RETURN VALUES -The following return values can currently occur: -.Bl -tag -width Ds -.It Dv X509_V_OK -The verification succeeded or no peer certificate was presented. 
-.It Any other value -Documented in -.Xr openssl 1 . -.El -.Sh SEE ALSO -.Xr openssl 1 , -.Xr ssl 3 , -.Xr SSL_CTX_set_verify 3 , -.Xr SSL_get0_peername 3 , -.Xr SSL_get_peer_certificate 3 , -.Xr SSL_set_verify_result 3 -.Sh HISTORY -.Fn SSL_get_verify_result -first appeared in SSLeay 0.6.1 and has been available since -.Ox 2.4 . -.Sh BUGS -If no peer certificate was presented, the returned result code is -.Dv X509_V_OK . -This is because no verification error occurred; -however, it does not indicate success. -.Fn SSL_get_verify_result -is only useful in connection with -.Xr SSL_get_peer_certificate 3 . diff --git a/src/lib/libssl/man/SSL_get_version.3 b/src/lib/libssl/man/SSL_get_version.3 deleted file mode 100644 index a6cefb055b..0000000000 --- a/src/lib/libssl/man/SSL_get_version.3 +++ /dev/null 
@@ -1,123 +0,0 @@ -.\" $OpenBSD: SSL_get_version.3,v 1.9 2021/04/15 16:13:22 tb Exp $ -.\" full merge up to: OpenSSL e417070c Jun 8 11:37:06 2016 -0400 -.\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001, 2005, 2014 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: April 15 2021 $ -.Dt SSL_GET_VERSION 3 -.Os -.Sh NAME -.Nm SSL_get_version , -.Nm SSL_is_dtls , -.Nm SSL_version -.\" The following are intentionally undocumented because -.\" - the longer term plan is to remove them -.\" - nothing appears to be using them in the wild -.\" - and they have the wrong namespace prefix -.\" Nm TLS1_get_version -.\" Nm TLS1_get_client_version -.Nd get the protocol information of a connection -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft const char * -.Fn SSL_get_version "const SSL *ssl" -.Ft int -.Fn SSL_is_dtls "const SSL *ssl" -.Ft int -.Fn SSL_version "const SSL *ssl" -.Sh DESCRIPTION -.Fn SSL_get_version -returns the name of the protocol used for the connection -.Fa ssl . -.Pp -.Fn SSL_is_dtls -returns 1 if the connection is using DTLS, 0 if not. -.Pp -.Fn SSL_version -returns an integer constant representing that protocol. 
-.Pp -These functions only return reliable results -after the initial handshake has been completed. -.Sh RETURN VALUES -The following strings or integers can be returned by -.Fn SSL_get_version -and -.Fn SSL_version : -.Bl -tag -width Ds -.It Qo TLSv1 Qc No or Dv TLS1_VERSION -The connection uses the TLSv1.0 protocol. -.It Qo TLSv1.1 Qc No or Dv TLS1_1_VERSION -The connection uses the TLSv1.1 protocol. -.It Qo TLSv1.2 Qc No or Dv TLS1_2_VERSION -The connection uses the TLSv1.2 protocol. -.It Qo TLSv1.3 Qc No or Dv TLS1_3_VERSION -The connection uses the TLSv1.3 protocol. -.It Qo DTLSv1 Qc No or Dv DTLS1_VERSION -The connection uses the Datagram Transport Layer Security 1.0 protocol. -.It Qo DTLSv1.2 Qc No or Dv DTLS1_2_VERSION -The connection uses the Datagram Transport Layer Security 1.2 protocol. -.It Qq unknown -This indicates an unknown protocol version; -it cannot currently happen with LibreSSL. -.El -.Pp -.Fn SSL_is_dtls -returns 1 if the connection uses DTLS, 0 if not. -.Sh SEE ALSO -.Xr ssl 3 -.Sh HISTORY -.Fn SSL_get_version -and -.Fn SSL_version -first appeared in SSLeay 0.8.0 and have been available since -.Ox 2.4 . -.Pp -.Fn SSL_is_dtls -first appeared in OpenSSL 1.1.0 and has been available since -.Ox 6.9 . diff --git a/src/lib/libssl/man/SSL_library_init.3 b/src/lib/libssl/man/SSL_library_init.3 deleted file mode 100644 index 053c1e6fcb..0000000000 --- a/src/lib/libssl/man/SSL_library_init.3 +++ /dev/null 
@@ -1,98 +0,0 @@ -.\" $OpenBSD: SSL_library_init.3,v 1.7 2019/06/14 13:41:31 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2006, 2010 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 14 2019 $ -.Dt SSL_LIBRARY_INIT 3 -.Os -.Sh NAME -.Nm SSL_library_init , -.Nm OpenSSL_add_ssl_algorithms , -.Nm SSLeay_add_ssl_algorithms -.Nd initialize SSL library by registering algorithms -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fn SSL_library_init void -.Ft int -.Fn OpenSSL_add_ssl_algorithms void -.Ft int -.Fn SSLeay_add_ssl_algorithms void -.Sh DESCRIPTION -These functions are deprecated. -It is never useful for any application program to call any of them explicitly. -The library automatically calls them internally whenever needed. -.Pp -.Fn SSL_library_init -registers the available ciphers and digests -which are used directly or indirectly by TLS. -.Pp -.Fn OpenSSL_add_ssl_algorithms -and -.Fn SSLeay_add_ssl_algorithms -are synonyms for -.Fn SSL_library_init -and are implemented as macros. -.Sh RETURN VALUES -.Fn SSL_library_init -always returns 1. -.Sh SEE ALSO -.Xr ssl 3 -.Sh HISTORY -.Fn SSLeay_add_ssl_algorithms -first appeared in SSLeay 0.8.0 and has been available since -.Ox 2.4 . -.Pp -.Fn SSL_library_init -first appeared in OpenSSL 0.9.2b and has been available since -.Ox 2.6 . -.Pp -.Fn OpenSSL_add_ssl_algorithms -first appeared in OpenSSL 0.9.5 and has been available since -.Ox 2.7 . diff --git a/src/lib/libssl/man/SSL_load_client_CA_file.3 b/src/lib/libssl/man/SSL_load_client_CA_file.3 deleted file mode 100644 index f782d96dce..0000000000 
--- a/src/lib/libssl/man/SSL_load_client_CA_file.3
+++ /dev/null
@@ -1,185 +0,0 @@ -.\" $OpenBSD: SSL_load_client_CA_file.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file is a derived work. -.\" The changes are covered by the following Copyright and license: -.\" -.\" Copyright (c) 2016 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.\" The original file was written by Lutz Jaenicke . -.\" Copyright (c) 2000 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. 
The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. 
-.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_LOAD_CLIENT_CA_FILE 3 -.Os -.Sh NAME -.Nm SSL_load_client_CA_file , -.Nm SSL_add_file_cert_subjects_to_stack , -.Nm SSL_add_dir_cert_subjects_to_stack -.Nd load certificate names from files -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft STACK_OF(X509_NAME) * -.Fn SSL_load_client_CA_file "const char *file" -.Ft int -.Fo SSL_add_file_cert_subjects_to_stack -.Fa "STACK_OF(X509_NAME) *stack" -.Fa "const char *file" -.Fc -.Ft int -.Fo SSL_add_dir_cert_subjects_to_stack -.Fa "STACK_OF(X509_NAME) *stack" -.Fa "const char *dir" -.Fc -.Sh DESCRIPTION -.Fn SSL_load_client_CA_file -reads PEM formatted certificates from -.Fa file -and returns a new -.Vt STACK_OF(X509_NAME) -with the subject names found. -While the name suggests the specific usage as a support function for -.Xr SSL_CTX_set_client_CA_list 3 , -it is not limited to CA certificates. -.Pp -.Fn SSL_add_file_cert_subjects_to_stack -is similar except that the names are added to the existing -.Fa stack . -.Pp -.Fn SSL_add_dir_cert_subjects_to_stack -calls -.Fn SSL_add_file_cert_subjects_to_stack -on every file in the directory -.Fa dir . -.Pp -If a name is already on the stack, all these functions skip it and -do not add it again. -.Sh RETURN VALUES -.Fn SSL_load_client_CA_file -returns a pointer to the new -.Vt STACK_OF(X509_NAME) -or -.Dv NULL on failure . -.Pp -.Fn SSL_add_file_cert_subjects_to_stack -and -.Fn SSL_add_dir_cert_subjects_to_stack -return 1 for success or 0 for failure. -.Pp -All these functions treat empty files and directories as failures. -.Pp -In some cases of failure, the reason can be determined with -.Xr ERR_get_error 3 . -.Sh EXAMPLES -Load names of CAs from a file and use it as a client CA list: -.Bd -literal -SSL_CTX *ctx; -STACK_OF(X509_NAME) *cert_names; -\&... -cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); -if (cert_names != NULL) - SSL_CTX_set_client_CA_list(ctx, cert_names); -else - error_handling(); -\&... 
-.Ed -.Sh SEE ALSO -.Xr PEM_read_bio_X509 3 , -.Xr ssl 3 , -.Xr SSL_CTX_set_client_CA_list 3 , -.Xr X509_get_subject_name 3 , -.Xr X509_NAME_new 3 -.Sh HISTORY -.Fn SSL_load_client_CA_file -first appeared in SSLeay 0.8.0 and has been available since -.Ox 2.4 . -.Pp -.Fn SSL_add_file_cert_subjects_to_stack -and -.Fn SSL_add_dir_cert_subjects_to_stack -first appeared in OpenSSL 0.9.2b and have been available since -.Ox 2.6 . -.Sh AUTHORS -.Fn SSL_add_file_cert_subjects_to_stack -and -.Fn SSL_add_dir_cert_subjects_to_stack -were written by -.An Ben Laurie Aq Mt ben@openssl.org -in 1999. -.Sh BUGS -In some cases of failure, for example for empty files and directories, -these functions fail to report an error, in the sense that -.Xr ERR_get_error 3 -does not work. -.Pp -Even in case of failure, for example when parsing one of the -files or certificates fails, -.Fn SSL_add_file_cert_subjects_to_stack -and -.Fn SSL_add_dir_cert_subjects_to_stack -may still have added some certificates to the stack. -.Pp -The behaviour of -.Fn SSL_add_dir_cert_subjects_to_stack -is non-deterministic. -If parsing one file fails, parsing of the whole directory is aborted. -Files in the directory are not parsed in any specific order. -For example, adding an empty file to -.Fa dir -may or may not cause some of the other files to be ignored. diff --git a/src/lib/libssl/man/SSL_new.3 b/src/lib/libssl/man/SSL_new.3 deleted file mode 100644 index 22c5dbf2db..0000000000 --- a/src/lib/libssl/man/SSL_new.3 +++ /dev/null 
@@ -1,110 +0,0 @@ -.\" $OpenBSD: SSL_new.3,v 1.7 2022/07/13 22:05:53 schwarze Exp $ -.\" full merge up to: OpenSSL 1c7ae3dd Mar 29 19:17:55 2017 +1000 -.\" -.\" This file was written by Richard Levitte -.\" and Matt Caswell . -.\" Copyright (c) 2000, 2016 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: July 13 2022 $ -.Dt SSL_NEW 3 -.Os -.Sh NAME -.Nm SSL_new , -.Nm SSL_up_ref -.Nd create a new SSL structure for a connection -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft SSL * -.Fn SSL_new "SSL_CTX *ctx" -.Ft int -.Fn SSL_up_ref "SSL *ssl" -.Sh DESCRIPTION -.Fn SSL_new -creates a new -.Vt SSL -structure which is needed to hold the data for a TLS/SSL connection. -The new structure inherits the settings of the underlying context -.Fa ctx : -connection method, options, verification settings, -timeout settings, security level. -The reference count of the new structure is set to 1. -.Pp -.Fn SSL_up_ref -increments the reference count of -.Fa ssl -by 1. -.Sh RETURN VALUES -The following return values can occur: -.Bl -tag -width Ds -.It Dv NULL -The creation of a new -.Vt SSL -structure failed. -Check the error stack to find out the reason. -.It Pointer to an Vt SSL No structure -The return value points to an allocated -.Vt SSL -structure. 
-.El -.Pp -.Fn SSL_up_ref -returns 1 for success or 0 for failure. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_clear 3 , -.Xr SSL_CTX_set_options 3 , -.Xr SSL_CTX_set_security_level 3 , -.Xr SSL_free 3 , -.Xr SSL_get_SSL_CTX 3 -.Sh HISTORY -.Fn SSL_new -appeared in SSLeay 0.4 or earlier and has been available since -.Ox 2.4 . -.Pp -.Fn SSL_up_ref -first appeared in OpenSSL 1.1.0 and has been available since -.Ox 6.3 . diff --git a/src/lib/libssl/man/SSL_num_renegotiations.3 b/src/lib/libssl/man/SSL_num_renegotiations.3 deleted file mode 100644 index 6a81b76a60..0000000000 --- a/src/lib/libssl/man/SSL_num_renegotiations.3 +++ /dev/null 
@@ -1,75 +0,0 @@
-.\" $OpenBSD: SSL_num_renegotiations.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
-.\"
-.\" Copyright (c) 2016 Ingo Schwarze
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_NUM_RENEGOTIATIONS 3
-.Os
-.Sh NAME
-.Nm SSL_num_renegotiations ,
-.Nm SSL_clear_num_renegotiations ,
-.Nm SSL_total_renegotiations
-.Nd renegotiation counters
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft long
-.Fo SSL_num_renegotiations
-.Fa "SSL *ssl"
-.Fc
-.Ft long
-.Fo SSL_clear_num_renegotiations
-.Fa "SSL *ssl"
-.Fc
-.Ft long
-.Fo SSL_total_renegotiations
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-.Fn SSL_num_renegotiations
-reports the number of renegotiations initiated in
-.Fa ssl
-since
-.Xr SSL_new 3 ,
-.Xr SSL_clear 3 ,
-or
-.Fn SSL_clear_num_renegotiations
-was last called on that object.
-.Pp
-.Fn SSL_clear_num_renegotiations
-does the same and additionally resets the renegotiation counter to 0.
-.Pp
-.Fn SSL_total_renegotiations
-reports the number of renegotiations initiated in
-.Fa ssl
-since
-.Xr SSL_new 3
-or
-.Xr SSL_clear 3
-was last called on that object.
-.Pp
-These functions are implemented as macros.
-.Sh RETURN VALUES
-All these functions return a number of renegotiations.
-.Sh SEE ALSO
-.Xr BIO_set_ssl_renegotiate_bytes 3 ,
-.Xr ssl 3 ,
-.Xr SSL_ctrl 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_renegotiate 3 ,
-.Xr SSL_write 3
-.Sh HISTORY
-These functions first appeared in SSLeay 0.9.0
-and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_pending.3 b/src/lib/libssl/man/SSL_pending.3
deleted file mode 100644
index bbc2e9bdd2..0000000000
--- a/src/lib/libssl/man/SSL_pending.3
+++ /dev/null
@@ -1,90 +0,0 @@
-.\" $OpenBSD: SSL_pending.3,v 1.5 2020/01/23 03:40:18 beck Exp $
-.\" OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke ,
-.\" Bodo Moeller , and Matt Caswell .
-.\" Copyright (c) 2000, 2005, 2015, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: January 23 2020 $
-.Dt SSL_PENDING 3
-.Os
-.Sh NAME
-.Nm SSL_pending
-.Nd obtain number of readable bytes buffered in an SSL object
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_pending "const SSL *ssl"
-.Sh DESCRIPTION
-Data is received in whole blocks known as records from the peer.
-A whole record is processed, for example decrypted, in one go and
-is buffered until it is read by the application via a call to
-.Xr SSL_read 3 .
-.Pp
-.Fn SSL_pending
-returns the number of bytes of application data which are available
-for immediate read.
-.Pp
-.Fn SSL_pending
-takes into account only bytes from the TLS/SSL record that is
-currently being processed (if any).
-.Sh RETURN VALUES
-.Fn SSL_pending
-returns the number of buffered and processed application data
-bytes that are pending and are available for immediate read.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_read 3
-.Sh HISTORY
-.Fn SSL_pending
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
-.Sh BUGS
-Up to OpenSSL 0.9.6,
-.Fn SSL_pending
-did not check if the record type of pending data is application data.
diff --git a/src/lib/libssl/man/SSL_read.3 b/src/lib/libssl/man/SSL_read.3
deleted file mode 100644
index bb72a8ed82..0000000000
--- a/src/lib/libssl/man/SSL_read.3
+++ /dev/null
@@ -1,278 +0,0 @@
-.\" $OpenBSD: SSL_read.3,v 1.8 2021/10/24 15:10:13 schwarze Exp $
-.\" full merge up to: OpenSSL 5a2443ae Nov 14 11:37:36 2016 +0000
-.\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file was written by Lutz Jaenicke and
-.\" Matt Caswell .
-.\" Copyright (c) 2000, 2001, 2008, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 24 2021 $
-.Dt SSL_READ 3
-.Os
-.Sh NAME
-.Nm SSL_read_ex ,
-.Nm SSL_read ,
-.Nm SSL_peek_ex ,
-.Nm SSL_peek
-.Nd read bytes from a TLS connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_read_ex "SSL *ssl" "void *buf" "size_t num" "size_t *readbytes"
-.Ft int
-.Fn SSL_read "SSL *ssl" "void *buf" "int num"
-.Ft int
-.Fn SSL_peek_ex "SSL *ssl" "void *buf" "size_t num" "size_t *readbytes"
-.Ft int
-.Fn SSL_peek "SSL *ssl" "void *buf" "int num"
-.Sh DESCRIPTION
-.Fn SSL_read_ex
-and
-.Fn SSL_read
-try to read
-.Fa num
-bytes from the specified
-.Fa ssl
-into the buffer
-.Fa buf .
-On success
-.Fn SSL_read_ex
-stores the number of bytes actually read in
-.Pf * Fa readbytes .
-.Pp
-.Fn SSL_peek_ex
-and
-.Fn SSL_peek
-are identical to
-.Fn SSL_read_ex
-and
-.Fn SSL_read ,
-respectively,
-except that no bytes are removed from the underlying BIO during
-the read, such that a subsequent call to
-.Fn SSL_read_ex
-or
-.Fn SSL_read
-will yield at least the same bytes once again.
-.Pp
-In the following,
-.Fn SSL_read_ex ,
-.Fn SSL_read ,
-.Fn SSL_peek_ex ,
-and
-.Fn SSL_peek
-are called
-.Dq read functions .
-.Pp
-If necessary, a read function will negotiate a TLS session, if
-not already explicitly performed by
-.Xr SSL_connect 3
-or
-.Xr SSL_accept 3 .
-If the peer requests a re-negotiation, it will be performed
-transparently during the read function operation.
-The behaviour of the read functions depends on the underlying
-.Vt BIO .
-.Pp
-For the transparent negotiation to succeed, the
-.Fa ssl
-must have been initialized to client or server mode.
-This is done by calling
-.Xr SSL_set_connect_state 3
-or
-.Xr SSL_set_accept_state 3
-before the first call to a read function.
-.Pp
-The read functions work based on the TLS records.
-The data are received in records (with a maximum record size of 16kB).
-Only when a record has been completely received, it can be processed
-(decrypted and checked for integrity).
-Therefore, data that was not retrieved at the last read call can
-still be buffered inside the TLS layer and will be retrieved on the
-next read call.
-If
-.Fa num
-is higher than the number of bytes buffered, the read functions
-will return with the bytes buffered.
-If no more bytes are in the buffer, the read functions will trigger
-the processing of the next record.
-Only when the record has been received and processed completely
-will the read functions return reporting success.
-At most the contents of the record will be returned.
-As the size of a TLS record may exceed the maximum packet size
-of the underlying transport (e.g., TCP), it may be necessary to
-read several packets from the transport layer before the record is
-complete and the read call can succeed.
-.Pp
-If the underlying
-.Vt BIO
-is blocking,
-a read function will only return once the read operation has been
-finished or an error occurred, except when a renegotiation takes
-place, in which case an
-.Dv SSL_ERROR_WANT_READ
-may occur.
-This behavior can be controlled with the
-.Dv SSL_MODE_AUTO_RETRY
-flag of the
-.Xr SSL_CTX_set_mode 3
-call.
-.Pp
-If the underlying
-.Vt BIO
-is non-blocking, a read function will also return when the underlying
-.Vt BIO
-could not satisfy the needs of the function to continue the operation.
-In this case a call to
-.Xr SSL_get_error 3
-with the return value of the read function will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE .
-As at any time a re-negotiation is possible, a read function may
-also cause write operations.
-The calling process must then repeat the call after taking appropriate
-action to satisfy the needs of the read function.
-The action depends on the underlying
-.Vt BIO .
-When using a non-blocking socket, nothing is to be done, but
-.Xr select 2
-can be used to check for the required condition.
-When using a buffering
-.Vt BIO ,
-like a
-.Vt BIO
-pair, data must be written into or retrieved out of the
-.Vt BIO
-before being able to continue.
-.Pp
-.Xr SSL_pending 3
-can be used to find out whether there are buffered bytes available for
-immediate retrieval.
-In this case a read function can be called without blocking or
-actually receiving new data from the underlying socket.
-.Pp
-When a read function operation has to be repeated because of
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE ,
-it must be repeated with the same arguments.
-.Sh RETURN VALUES
-.Fn SSL_read_ex
-and
-.Fn SSL_peek_ex
-return 1 for success or 0 for failure.
-Success means that one or more application data bytes
-have been read from the SSL connection.
-Failure means that no bytes could be read from the SSL connection.
-Failures can be retryable (e.g. we are waiting for more bytes to be
-delivered by the network) or non-retryable (e.g. a fatal network error).
-In the event of a failure, call
-.Xr SSL_get_error 3
-to find out the reason which indicates whether the call is retryable or not.
-.Pp
-For
-.Fn SSL_read
-and
-.Fn SSL_peek ,
-the following return values can occur:
-.Bl -tag -width Ds
-.It >0
-The read operation was successful.
-The return value is the number of bytes actually read from the
-TLS connection.
-.It 0
-The read operation was not successful.
-The reason may either be a clean shutdown due to a
-.Dq close notify
-alert sent by the peer (in which case the
-.Dv SSL_RECEIVED_SHUTDOWN
-flag in the ssl shutdown state is set (see
-.Xr SSL_shutdown 3
-and
-.Xr SSL_set_shutdown 3 ) .
-It is also possible that the peer simply shut down the underlying transport and
-the shutdown is incomplete.
-Call
-.Xr SSL_get_error 3
-with the return value to find out whether an error occurred or the connection
-was shut down cleanly
-.Pq Dv SSL_ERROR_ZERO_RETURN .
-.It <0
-The read operation was not successful, because either an error occurred or
-action must be taken by the calling process.
-Call
-.Xr SSL_get_error 3
-with the return value to find out the reason.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_set_mode 3 ,
-.Xr SSL_get_error 3 ,
-.Xr SSL_pending 3 ,
-.Xr SSL_set_connect_state 3 ,
-.Xr SSL_set_shutdown 3 ,
-.Xr SSL_shutdown 3 ,
-.Xr SSL_write 3
-.Sh HISTORY
-.Fn SSL_read
-appeared in SSLeay 0.4 or earlier.
-.Fn SSL_peek
-first appeared in SSLeay 0.6.6.
-Both functions have been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_read_ex
-and
-.Fn SSL_peek_ex
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.1 .
diff --git a/src/lib/libssl/man/SSL_read_early_data.3 b/src/lib/libssl/man/SSL_read_early_data.3
deleted file mode 100644
index 1435c15935..0000000000
--- a/src/lib/libssl/man/SSL_read_early_data.3
+++ /dev/null
@@ -1,174 +0,0 @@
-.\" $OpenBSD: SSL_read_early_data.3,v 1.4 2021/11/26 13:48:22 jsg Exp $
-.\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
-.\"
-.\" Copyright (c) 2020 Ingo Schwarze
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: November 26 2021 $
-.Dt SSL_READ_EARLY_DATA 3
-.Os
-.Sh NAME
-.Nm SSL_CTX_set_max_early_data ,
-.Nm SSL_set_max_early_data ,
-.Nm SSL_SESSION_set_max_early_data ,
-.Nm SSL_CTX_get_max_early_data ,
-.Nm SSL_get_max_early_data ,
-.Nm SSL_SESSION_get_max_early_data ,
-.Nm SSL_write_early_data ,
-.Nm SSL_read_early_data ,
-.Nm SSL_get_early_data_status
-.Nd transmit application data during the handshake
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_CTX_set_max_early_data
-.Fa "SSL_CTX *ctx"
-.Fa "uint32_t max_bytes"
-.Fc
-.Ft int
-.Fo SSL_set_max_early_data
-.Fa "SSL *ssl"
-.Fa "uint32_t max_bytes"
-.Fc
-.Ft int
-.Fo SSL_SESSION_set_max_early_data
-.Fa "SSL_SESSION *session"
-.Fa "uint32_t max_bytes"
-.Fc
-.Ft uint32_t
-.Fo SSL_CTX_get_max_early_data
-.Fa "const SSL_CTX *ctx"
-.Fc
-.Ft uint32_t
-.Fo SSL_get_max_early_data
-.Fa "const SSL *ssl"
-.Fc
-.Ft uint32_t
-.Fo SSL_SESSION_get_max_early_data
-.Fa "const SSL_SESSION *session"
-.Fc
-.Ft int
-.Fo SSL_write_early_data
-.Fa "SSL *ssl"
-.Fa "const void *buf"
-.Fa "size_t len"
-.Fa "size_t *written"
-.Fc
-.Ft int
-.Fo SSL_read_early_data
-.Fa "SSL *ssl"
-.Fa "void *buf"
-.Fa "size_t maxlen"
-.Fa "size_t *readbytes"
-.Fc
-.Ft int
-.Fo SSL_get_early_data_status
-.Fa "const SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-In LibreSSL, these functions have no effect.
-They are only provided because some application programs
-expect the API to be available when TLSv1.3 is supported.
-Using these functions is strongly discouraged because they provide
-marginal benefit in the first place even when implemented and
-used as designed, because they have absurdly complicated semantics,
-and because when they are used, inconspicuous oversights are likely
-to cause serious security vulnerabilities.
-.Pp
-If these functions are used, other TLS implementations
-may allow the transfer of application data during the initial handshake.
-Even when used as designed, security of the connection is compromised;
-in particular, application data is exchanged with unauthenticated peers,
-and there is no forward secrecy.
-Other downsides include an increased risk of replay attacks.
-.Pp
-.Fn SSL_CTX_set_max_early_data ,
-.Fn SSL_set_max_early_data ,
-and
-.Fn SSL_SESSION_set_max_early_data
-are intended to configure the maximum number of bytes per session
-that can be transmitted during the handshake.
-With LibreSSL, all arguments are ignored.
-.Pp
-An endpoint can attempt to send application data with
-.Fn SSL_write_early_data
-during the handshake.
-With LibreSSL, such attempts always fail and set
-.Pf * Fa written
-to 0.
-.Pp
-A server can attempt to read application data from the client using
-.Fn SSL_read_early_data
-during the handshake.
-With LibreSSL, no such data is ever accepted and
-.Pf * Fa readbytes
-is always set to 0.
-.Sh RETURN VALUES
-.Fn SSL_CTX_set_max_early_data ,
-.Fn SSL_set_max_early_data ,
-and
-.Fn SSL_SESSION_set_max_early_data
-return 1 for success or 0 for failure.
-With LibreSSL, they always succeed.
-.Pp
-.Fn SSL_CTX_get_max_early_data ,
-.Fn SSL_get_max_early_data ,
-and
-.Fn SSL_SESSION_get_max_early_data
-return the maximum number of bytes of application data
-that will be accepted from the peer during the handshake.
-With LibreSSL, they always return 0.
-.Pp
-.Fn SSL_write_early_data
-returns 1 for success or 0 for failure.
-With LibreSSL, it always fails.
-.Pp
-With LibreSSL,
-.Fn SSL_read_early_data
-always returns
-.Dv SSL_READ_EARLY_DATA_FINISH
-on the server side and
-.Dv SSL_READ_EARLY_DATA_ERROR
-on the client side.
-.Dv SSL_READ_EARLY_DATA_SUCCESS
-can occur with other implementations, but not with LibreSSL.
-.Pp
-With LibreSSL,
-.Fn SSL_get_early_data_status
-always returns
-.Dv SSL_EARLY_DATA_REJECTED .
-With other implementations, it might also return
-.Dv SSL_EARLY_DATA_NOT_SENT
-or
-.Dv SSL_EARLY_DATA_ACCEPTED .
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_write 3
-.Sh STANDARDS
-RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3:
-.Bl -tag -width "section 4.2.10" -compact
-.It Section 2.3
-0-RTT data
-.It Section 4.2.10
-Early Data Indication
-.It Section 8
-0-RTT and Anti-Replay
-.It Appendix E.5
-Replay Attacks on 0-RTT
-.El
-.Sh HISTORY
-These functions first appeared in OpenSSL 1.1.1
-and have been available since
-.Ox 7.0 .
diff --git a/src/lib/libssl/man/SSL_renegotiate.3 b/src/lib/libssl/man/SSL_renegotiate.3
deleted file mode 100644
index 8188d37323..0000000000
--- a/src/lib/libssl/man/SSL_renegotiate.3
+++ /dev/null
@@ -1,166 +0,0 @@
-.\" $OpenBSD: SSL_renegotiate.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
-.\" OpenSSL SSL_key_update.pod 4fbfe86a Feb 16 17:04:40 2017 +0000
-.\"
-.\" This file is a derived work.
-.\" Some parts are covered by the following Copyright and license:
-.\"
-.\" Copyright (c) 2016, 2017 Ingo Schwarze
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.\" Other parts were written by Matt Caswell .
-.\" Copyright (c) 2017 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 12 2019 $
-.Dt SSL_RENEGOTIATE 3
-.Os
-.Sh NAME
-.Nm SSL_renegotiate ,
-.Nm SSL_renegotiate_abbreviated ,
-.Nm SSL_renegotiate_pending
-.Nd initiate a new TLS handshake
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fo SSL_renegotiate
-.Fa "SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_renegotiate_abbreviated
-.Fa "SSL *ssl"
-.Fc
-.Ft int
-.Fo SSL_renegotiate_pending
-.Fa "SSL *ssl"
-.Fc
-.Sh DESCRIPTION
-When called from the client side,
-.Fn SSL_renegotiate
-schedules a completely new handshake over an existing TLS connection.
-The next time an I/O operation such as
-.Fn SSL_read
-or
-.Fn SSL_write
-takes place on the connection, a check is performed to confirm
-that it is a suitable time to start a renegotiation.
-If so, a new handshake is initiated immediately.
-An existing session associated with the connection is not resumed.
-.Pp
-This function is automatically called by
-.Xr SSL_read 3
-and
-.Xr SSL_write 3
-whenever the renegotiation byte count set by
-.Xr BIO_set_ssl_renegotiate_bytes 3
-or the timeout set by
-.Xr BIO_set_ssl_renegotiate_timeout 3
-are exceeded.
-.Pp
-When called from the client side,
-.Fn SSL_renegotiate_abbreviated
-is similar to
-.Fn SSL_renegotiate
-except that resuming the session associated with the current
-connection is attempted in the new handshake.
-.Pp
-When called from the server side,
-.Fn SSL_renegotiate
-and
-.Fn SSL_renegotiate_abbreviated
-behave identically.
-They both schedule a request for a new handshake to be sent to the client.
-The next time an I/O operation is performed, the same checks as on
-the client side are performed and then, if appropriate, the request
-is sent.
-The client may or may not respond with a new handshake and it may
-or may not attempt to resume an existing session.
-If a new handshake is started, it is handled transparently during
-any I/O function.
-.Pp
-If a LibreSSL client receives a renegotiation request from a server,
-it is also handled transparently during any I/O function.
-The client attempts to resume the current session in the new
-handshake.
-For historical reasons, DTLS clients do not attempt to resume
-the session in the new handshake.
-.Sh RETURN VALUES
-.Fn SSL_renegotiate
-and
-.Fn SSL_renegotiate_abbreviated
-return 1 on success or 0 on error.
-.Pp
-.Fn SSL_renegotiate_pending
-returns 1 if a renegotiation or renegotiation request has been
-scheduled but not yet acted on, or 0 otherwise.
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_num_renegotiations 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_write 3
-.Sh HISTORY
-.Fn SSL_renegotiate
-first appeared in SSLeay 0.8.0 and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_renegotiate_pending
-first appeared in OpenSSL 0.9.7 and has been available since
-.Ox 3.2 .
-.Pp
-.Fn SSL_renegotiate_abbreviated
-first appeared in OpenSSL 1.0.1 and has been available since
-.Ox 5.3 .
diff --git a/src/lib/libssl/man/SSL_rstate_string.3 b/src/lib/libssl/man/SSL_rstate_string.3
deleted file mode 100644
index 99613ba3c0..0000000000
--- a/src/lib/libssl/man/SSL_rstate_string.3
+++ /dev/null
@@ -1,108 +0,0 @@
-.\" $OpenBSD: SSL_rstate_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_RSTATE_STRING 3
-.Os
-.Sh NAME
-.Nm SSL_rstate_string ,
-.Nm SSL_rstate_string_long
-.Nd get textual description of state of an SSL object during read operation
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft const char *
-.Fn SSL_rstate_string "SSL *ssl"
-.Ft const char *
-.Fn SSL_rstate_string_long "SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_rstate_string
-returns a 2-letter string indicating the current read state of the
-.Vt SSL
-object
-.Fa ssl .
-.Pp
-.Fn SSL_rstate_string_long
-returns a string indicating the current read state of the
-.Vt SSL
-object
-.Fa ssl .
-.Pp
-When performing a read operation, the SSL/TLS engine must parse the record,
-consisting of header and body.
-When working in a blocking environment,
-.Fn SSL_rstate_string[_long]
-should always return
-.Qo RD Qc Ns / Ns Qo read done Qc .
-.Pp
-This function should only seldom be needed in applications.
-.Sh RETURN VALUES
-.Fn SSL_rstate_string
-and
-.Fn SSL_rstate_string_long
-can return the following values:
-.Bl -tag -width Ds
-.It Qo RH Qc Ns / Ns Qo read header Qc
-The header of the record is being evaluated.
-.It Qo RB Qc Ns / Ns Qo read body Qc
-The body of the record is being evaluated.
-.It Qo RD Qc Ns / Ns Qo read done Qc
-The record has been completely processed.
-.It Qo unknown Qc Ns / Ns Qo unknown Qc
-The read state is unknown.
-This should never happen.
-.El
-.Sh SEE ALSO
-.Xr ssl 3
-.Sh HISTORY
-.Fn SSL_rstate_string
-and
-.Fn SSL_rstate_string_long
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_session_reused.3 b/src/lib/libssl/man/SSL_session_reused.3
deleted file mode 100644
index add61a904b..0000000000
--- a/src/lib/libssl/man/SSL_session_reused.3
+++ /dev/null
@@ -1,84 +0,0 @@ -.\" $OpenBSD: SSL_session_reused.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_SESSION_REUSED 3 -.Os -.Sh NAME -.Nm SSL_session_reused -.Nd query whether a reused session was negotiated during handshake -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fn SSL_session_reused "SSL *ssl" -.Sh DESCRIPTION -Query whether a reused session was negotiated during the handshake. -.Pp -During the negotiation, a client can propose to reuse a session. -The server then looks up the session in its cache. -If both client and server agree on the session, -it will be reused and a flag is set that can be queried by the application. -.Sh RETURN VALUES -The following return values can occur: -.Bl -tag -width Ds -.It 0 -A new session was negotiated. -.It 1 -A session was reused. -.El -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_ctrl 3 , -.Xr SSL_CTX_set_session_cache_mode 3 , -.Xr SSL_set_session 3 -.Sh HISTORY -.Fn SSL_session_reused -first appeared in SSLeay 0.8.0 and has been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_set1_host.3 b/src/lib/libssl/man/SSL_set1_host.3 deleted file mode 100644 index 2a3935c3f2..0000000000 --- a/src/lib/libssl/man/SSL_set1_host.3 +++ /dev/null 
@@ -1,172 +0,0 @@ -.\" $OpenBSD: SSL_set1_host.3,v 1.4 2021/03/31 16:56:46 tb Exp $ -.\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200 -.\" -.\" This file was written by Viktor Dukhovni -.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 31 2021 $ -.Dt SSL_SET1_HOST 3 -.Os -.Sh NAME -.Nm SSL_set1_host , -.Nm SSL_set_hostflags , -.Nm SSL_get0_peername -.Nd SSL server verification parameters -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fo SSL_set1_host -.Fa "SSL *ssl" -.Fa "const char *hostname" -.Fc -.Ft void -.Fo SSL_set_hostflags -.Fa "SSL *ssl" -.Fa "unsigned int flags" -.Fc -.Ft const char * -.Fo SSL_get0_peername -.Fa "SSL *ssl" -.Fc -.Sh DESCRIPTION -.Fn SSL_set1_host -configures a server hostname check in the -.Fa ssl -client, setting the expected DNS hostname to -.Fa hostname -and clearing any previously specified hostname. -If -.Fa hostname -is -.Dv NULL -or the empty string, name checks are not performed on the peer certificate. -If a nonempty -.Fa hostname -is specified, certificate verification automatically checks the peer -hostname via -.Xr X509_check_host 3 -with -.Fa flags -set to 0. -.Pp -.Fn SSL_set_hostflags -sets the flags that will be passed to -.Xr X509_check_host 3 -when name checks are applicable, -by default the flags value is 0. -See -.Xr X509_check_host 3 -for the list of available flags and their meaning. -.Pp -.Fn SSL_get0_peername -returns the DNS hostname or subject CommonName from the peer certificate -that matched one of the reference identifiers. -Unless wildcard matching is disabled, the name matched in the peer -certificate may be a wildcard name. 
-A reference identifier starting with -.Sq \&. -indicates a parent domain prefix rather than a fixed name. -In this case, the matched peername may be a sub-domain -of the reference identifier. -The returned string is owned by the library and is no longer valid -once the associated -.Fa ssl -object is cleared or freed, or if a renegotiation takes place. -Applications must not free the return value. -.Pp -SSL clients are advised to use these functions in preference to -explicitly calling -.Xr X509_check_host 3 . -.Sh RETURN VALUES -.Fn SSL_set1_host -returns 1 for success or 0 for failure. -.Pp -.Fn SSL_get0_peername -returns the matched peername or -.Dv NULL -if peername verification is not applicable -or no trusted peername was matched. -Use -.Xr SSL_get_verify_result 3 -to determine whether verification succeeded. -.Sh EXAMPLES -The calls below check the hostname. -Wildcards are supported, but they must match the entire label. -The actual name matched in the certificate (which might be a wildcard) -is retrieved, and must be copied by the application if it is to be -retained beyond the lifetime of the SSL connection. -.Bd -literal -if (!SSL_set1_host(ssl, "smtp.example.com")) - /* error */ - -/* XXX: Perform SSL_connect() handshake and handle errors here */ - -if (SSL_get_verify_result(ssl) == X509_V_OK) { - const char *peername = SSL_get0_peername(ssl); - - if (peername != NULL) - /* Name checks were in scope and matched the peername */ -} -.Ed -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_set_verify 3 , -.Xr SSL_get_peer_certificate 3 , -.Xr SSL_get_verify_result 3 , -.Xr X509_check_host 3 , -.Xr X509_VERIFY_PARAM_set1_host 3 -.Sh HISTORY -All three functions first appeared in OpenSSL 1.1.0. -.Fn SSL_set1_host -has been available since -.Ox 6.5 , -and -.Fn SSL_set_hostflags -and -.Fn SSL_get0_peername -since -.Ox 6.9 . diff --git a/src/lib/libssl/man/SSL_set1_param.3 b/src/lib/libssl/man/SSL_set1_param.3 deleted file mode 100644 index cd8ad40ad0..0000000000 
--- a/src/lib/libssl/man/SSL_set1_param.3
+++ /dev/null
@@ -1,137 +0,0 @@ -.\" $OpenBSD: SSL_set1_param.3,v 1.6 2022/09/10 10:22:46 jsg Exp $ -.\" full merge up to: -.\" OpenSSL man3/SSL_CTX_get0_param 99d63d46 Oct 26 13:56:48 2016 -0400 -.\" -.\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 2015 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: September 10 2022 $ -.Dt SSL_SET1_PARAM 3 -.Os -.Sh NAME -.Nm SSL_CTX_get0_param , -.Nm SSL_get0_param , -.Nm SSL_CTX_set1_param , -.Nm SSL_set1_param -.Nd get and set verification parameters -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft X509_VERIFY_PARAM * -.Fo SSL_CTX_get0_param -.Fa "SSL_CTX *ctx" -.Fc -.Ft X509_VERIFY_PARAM * -.Fo SSL_get0_param -.Fa "SSL *ssl" -.Fc -.Ft int -.Fo SSL_CTX_set1_param -.Fa "SSL_CTX *ctx" -.Fa "X509_VERIFY_PARAM *vpm" -.Fc -.Ft int -.Fo SSL_set1_param -.Fa "SSL *ssl" -.Fa "X509_VERIFY_PARAM *vpm" -.Fc -.Sh DESCRIPTION -.Fn SSL_CTX_get0_param -and -.Fn SSL_get0_param -retrieve an internal pointer to the verification parameters for -.Fa ctx -or -.Fa ssl , -respectively. -The returned pointer must not be freed by the calling application, -but the application can modify the parameters pointed to, -to suit its needs: for example to add a hostname check. 
-.Pp
-.Fn SSL_CTX_set1_param
-and
-.Fn SSL_set1_param
-set the verification parameters to
-.Fa vpm
-for
-.Fa ctx
-or
-.Fa ssl .
-.Sh RETURN VALUES
-.Fn SSL_CTX_get0_param
-and
-.Fn SSL_get0_param
-return a pointer to an
-.Vt X509_VERIFY_PARAM
-structure.
-.Pp
-.Fn SSL_CTX_set1_param
-and
-.Fn SSL_set1_param
-return 1 for success or 0 for failure.
-.Sh EXAMPLES
-Check that the hostname matches
-.Pa www.foo.com
-in the peer certificate:
-.Bd -literal -offset indent
-X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl);
-X509_VERIFY_PARAM_set1_host(vpm, "www.foo.com", 0);
-.Ed
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr X509_VERIFY_PARAM_set_flags 3
-.Sh HISTORY
-.Fn SSL_CTX_set1_param
-and
-.Fn SSL_set1_param
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
-.Pp
-.Fn SSL_CTX_get0_param
-and
-.Fn SSL_get0_param
-first appeared in OpenSSL 1.0.2 and have been available since
-.Ox 6.3 .
diff --git a/src/lib/libssl/man/SSL_set_SSL_CTX.3 b/src/lib/libssl/man/SSL_set_SSL_CTX.3
deleted file mode 100644
index 2abaefb292..0000000000
--- a/src/lib/libssl/man/SSL_set_SSL_CTX.3
+++ /dev/null
@@ -1,67 +0,0 @@ -.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.4 2022/07/13 22:05:53 schwarze Exp $ -.\" -.\" Copyright (c) 2020 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: July 13 2022 $ -.Dt SSL_SET_SSL_CTX 3 -.Os -.Sh NAME -.Nm SSL_set_SSL_CTX -.Nd modify an SSL connection object to use another context -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft SSL_CTX * -.Fo SSL_set_SSL_CTX -.Fa "SSL *ssl" -.Fa "SSL_CTX* ctx" -.Fc -.Sh DESCRIPTION -.Fn SSL_set_SSL_CTX -causes -.Fa ssl -to use the context -.Fa ctx . -.Pp -If -.Fa ctx -is -.Dv NULL , -.Fa ssl -reverts to using the context that it was initially created from with -.Xr SSL_new 3 . -.Pp -If -.Fa ssl -already uses -.Fa ctx , -no action occurs. -.Sh RETURN VALUES -.Fn SSL_set_SSL_CTX -returns an internal pointer to the context that -.Fa ssl -is using as a result of the call, or -.Dv NULL -if memory allocation fails. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_clear 3 , -.Xr SSL_CTX_new 3 , -.Xr SSL_get_SSL_CTX 3 , -.Xr SSL_new 3 , -.Xr SSL_set_security_level 3 -.Sh HISTORY -.Fn SSL_set_SSL_CTX -first appeared in OpenSSL 0.9.8f and has been available since -.Ox 4.5 . diff --git a/src/lib/libssl/man/SSL_set_bio.3 b/src/lib/libssl/man/SSL_set_bio.3 deleted file mode 100644 index e727f442d6..0000000000 
--- a/src/lib/libssl/man/SSL_set_bio.3
+++ /dev/null
@@ -1,99 +0,0 @@ -.\" $OpenBSD: SSL_set_bio.3,v 1.6 2020/10/08 18:21:30 tb Exp $ -.\" OpenSSL acb5b343 Sep 16 16:00:38 2000 +0000 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: October 8 2020 $ -.Dt SSL_SET_BIO 3 -.Os -.Sh NAME -.Nm SSL_set_bio -.Nd connect the SSL object with a BIO -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft void -.Fn SSL_set_bio "SSL *ssl" "BIO *rbio" "BIO *wbio" -.Sh DESCRIPTION -.Fn SSL_set_bio -connects the -.Vt BIO Ns -s -.Fa rbio -and -.Fa wbio -for the read and write operations of the TLS/SSL (encrypted) side of -.Fa ssl . -.Pp -The SSL engine inherits the behaviour of -.Fa rbio -and -.Fa wbio , -respectively. -If a -.Vt BIO -is non-blocking, the -.Fa ssl -will also have non-blocking behaviour. -.Pp -If there was already a -.Vt BIO -connected to -.Fa ssl , -.Xr BIO_free 3 -will be called (for both the reading and writing side, if different). -.Sh SEE ALSO -.Xr BIO_new 3 , -.Xr ssl 3 , -.Xr SSL_accept 3 , -.Xr SSL_connect 3 , -.Xr SSL_get_rbio 3 , -.Xr SSL_shutdown 3 -.Sh HISTORY -.Fn SSL_set_bio -first appeared in SSLeay 0.6.0 and has been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_set_connect_state.3 b/src/lib/libssl/man/SSL_set_connect_state.3 deleted file mode 100644 index c2072c4370..0000000000 --- a/src/lib/libssl/man/SSL_set_connect_state.3 +++ /dev/null 
@@ -1,153 +0,0 @@ -.\" $OpenBSD: SSL_set_connect_state.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $ -.\" full merge up to OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 -.\" selective merge up to: OpenSSL dbd007d7 Jul 28 13:31:27 2017 +0800 -.\" -.\" This file was written by Lutz Jaenicke -.\" and Paul Yang . -.\" Copyright (c) 2001, 2017 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 27 2018 $ -.Dt SSL_SET_CONNECT_STATE 3 -.Os -.Sh NAME -.Nm SSL_set_connect_state , -.Nm SSL_set_accept_state , -.Nm SSL_is_server -.Nd prepare SSL object to work in client or server mode -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft void -.Fn SSL_set_connect_state "SSL *ssl" -.Ft void -.Fn SSL_set_accept_state "SSL *ssl" -.Ft int -.Fn SSL_is_server "const SSL *ssl" -.Sh DESCRIPTION -.Fn SSL_set_connect_state -sets -.Fa ssl -to work in client mode. -.Pp -.Fn SSL_set_accept_state -sets -.Fa ssl -to work in server mode. -.Pp -.Fn SSL_is_server -checks whether -.Fa ssl -is set to server mode. -.Pp -When the -.Vt SSL_CTX -object was created with -.Xr SSL_CTX_new 3 , -it was either assigned a dedicated client method, a dedicated server method, or -a generic method, that can be used for both client and server connections. -(The method might have been changed with -.Xr SSL_CTX_set_ssl_version 3 -or -.Xr SSL_set_ssl_method 3 . 
) -.Pp -When beginning a new handshake, the SSL engine must know whether it must call -the connect (client) or accept (server) routines. -Even though it may be clear from the method chosen whether client or server -mode was requested, the handshake routines must be explicitly set. -.Pp -When using the -.Xr SSL_connect 3 -or -.Xr SSL_accept 3 -routines, the correct handshake routines are automatically set. -When performing a transparent negotiation using -.Xr SSL_write 3 -or -.Xr SSL_read 3 , -the handshake routines must be explicitly set in advance using either -.Fn SSL_set_connect_state -or -.Fn SSL_set_accept_state . -.Pp -If -.Fn SSL_is_server -is called before -.Fn SSL_set_connect_state -or -.Fn SSL_set_accept_state -was called either automatically or explicitly, -the result depends on what method was used when the -.Fa SSL_CTX -was created. -If a generic method or a dedicated server method was passed to -.Xr SSL_CTX_new 3 , -.Fn SSL_is_server -returns 1; otherwise, it returns 0. -.Sh RETURN VALUES -.Fn SSL_is_server -returns 1 if -.Fa ssl -is set to server mode or 0 if it is set to client mode. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_accept 3 , -.Xr SSL_connect 3 , -.Xr SSL_CTX_new 3 , -.Xr SSL_CTX_set_ssl_version 3 , -.Xr SSL_do_handshake 3 , -.Xr SSL_new 3 , -.Xr SSL_read 3 , -.Xr SSL_write 3 -.Sh HISTORY -.Fn SSL_set_connect_state -and -.Fn SSL_set_accept_state -first appeared in SSLeay 0.6.0 and have been available since -.Ox 2.4 . -.Pp -.Fn SSL_is_server -first appeared in OpenSSL 1.0.2 and has been available since -.Ox 6.3 . diff --git a/src/lib/libssl/man/SSL_set_fd.3 b/src/lib/libssl/man/SSL_set_fd.3 deleted file mode 100644 index 7b9727e9ad..0000000000 --- a/src/lib/libssl/man/SSL_set_fd.3 +++ /dev/null 
@@ -1,129 +0,0 @@ -.\" $OpenBSD: SSL_set_fd.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2013 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 27 2018 $ -.Dt SSL_SET_FD 3 -.Os -.Sh NAME -.Nm SSL_set_fd , -.Nm SSL_set_rfd , -.Nm SSL_set_wfd -.Nd connect the SSL object with a file descriptor -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fn SSL_set_fd "SSL *ssl" "int fd" -.Ft int -.Fn SSL_set_rfd "SSL *ssl" "int fd" -.Ft int -.Fn SSL_set_wfd "SSL *ssl" "int fd" -.Sh DESCRIPTION -.Fn SSL_set_fd -sets the file descriptor -.Fa fd -as the input/output facility for the TLS/SSL (encrypted) side of -.Fa ssl . -.Fa fd -will typically be the socket file descriptor of a network connection. -.Pp -When performing the operation, a socket -.Vt BIO -is automatically created to interface between the -.Fa ssl -and -.Fa fd . -The -.Vt BIO -and hence the SSL engine inherit the behaviour of -.Fa fd . -If -.Fa fd -is non-blocking, the -.Fa ssl -will also have non-blocking behaviour. -.Pp -If there was already a -.Vt BIO -connected to -.Fa ssl , -.Xr BIO_free 3 -will be called (for both the reading and writing side, if different). -.Pp -.Fn SSL_set_rfd -and -.Fn SSL_set_wfd -perform the respective action, but only for the read channel or the write -channel, which can be set independently. -.Sh RETURN VALUES -The following return values can occur: -.Bl -tag -width Ds -.It 0 -The operation failed. -Check the error stack to find out why. -.It 1 -The operation succeeded. 
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_get_fd 3 ,
-.Xr SSL_set_bio 3 ,
-.Xr SSL_shutdown 3
-.Sh HISTORY
-.Fn SSL_set_fd
-appeared in SSLeay 0.4 or earlier.
-.Fn SSL_set_rfd
-and
-.Fn SSL_set_wfd
-first appeared in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_set_max_send_fragment.3 b/src/lib/libssl/man/SSL_set_max_send_fragment.3
deleted file mode 100644
index 7de087a743..0000000000
--- a/src/lib/libssl/man/SSL_set_max_send_fragment.3
+++ /dev/null
@@ -1,97 +0,0 @@ -.\" $OpenBSD: SSL_set_max_send_fragment.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $ -.\" OpenSSL doc/man3/SSL_CTX_set_split_send_fragment.pod -.\" OpenSSL 6782e5fd Oct 21 16:16:20 2016 +0100 -.\" -.\" This file was written by Matt Caswell . -.\" Copyright (c) 2016 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 12 2019 $ -.Dt SSL_SET_MAX_SEND_FRAGMENT 3 -.Os -.Sh NAME -.Nm SSL_CTX_set_max_send_fragment , -.Nm SSL_set_max_send_fragment -.Nd control fragment sizes -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft long -.Fo SSL_CTX_set_max_send_fragment -.Fa "SSL_CTX *ctx" -.Fa "long m" -.Fc -.Ft long -.Fo SSL_set_max_send_fragment -.Fa "SSL *ssl" -.Fa "long m" -.Fc -.Sh DESCRIPTION -.Fn SSL_CTX_set_max_send_fragment -and -.Fn SSL_set_max_send_fragment -set the -.Sy max_send_fragment -parameter for SSL_CTX and SSL objects respectively. -This value restricts the amount of plaintext bytes that will be sent in -any one SSL/TLS record. -By default its value is SSL3_RT_MAX_PLAIN_LENGTH (16384). -These functions will only accept a value in the range 512 - -SSL3_RT_MAX_PLAIN_LENGTH. -.Pp -These functions are implemented using macros. -.Sh RETURN VALUES -These functions return 1 on success or 0 on failure. 
-.Sh SEE ALSO
-.Xr ssl 3 ,
-.Xr SSL_ctrl 3 ,
-.Xr SSL_CTX_set_read_ahead 3 ,
-.Xr SSL_pending 3
-.Sh HISTORY
-.Fn SSL_CTX_set_max_send_fragment
-and
-.Fn SSL_set_max_send_fragment
-first appeared in OpenSSL 1.0.0 and have been available since
-.Ox 4.9 .
diff --git a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3 b/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
deleted file mode 100644
index 7f2bfcc010..0000000000
--- a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
+++ /dev/null
@@ -1,86 +0,0 @@ -.\" $OpenBSD: SSL_set_psk_use_session_callback.3,v 1.1 2021/09/14 14:30:57 schwarze Exp $ -.\" OpenSSL man3/SSL_CTX_set_psk_client_callback.pod -.\" checked up to 24a535ea Sep 22 13:14:20 2020 +0100 -.\" -.\" Copyright (c) 2021 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: September 14 2021 $ -.Dt SSL_SET_PSK_USE_SESSION_CALLBACK 3 -.Os -.Sh NAME -.Nm SSL_set_psk_use_session_callback , -.Nm SSL_psk_use_session_cb_func -.Nd set TLS pre-shared key client callback -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft typedef int -.Fo (*SSL_psk_use_session_cb_func) -.Fa "SSL *ssl" -.Fa "const EVP_MD *md" -.Fa "const unsigned char **id" -.Fa "size_t *idlen" -.Fa "SSL_SESSION **session" -.Fc -.Ft void -.Fo SSL_set_psk_use_session_callback -.Fa "SSL *ssl" -.Fa "SSL_psk_use_session_cb_func cb" -.Fc -.Sh DESCRIPTION -LibreSSL provides the stub function -.Fn SSL_set_psk_use_session_callback -to allow compiling application programs -that contain optional support for TLSv1.3 pre-shared keys. -.Pp -LibreSSL does not support TLS pre-shared keys, -and no action occurs when -.Fn SSL_set_psk_use_session_callback -is called. -In particular, both arguments are ignored. 
-During session negotiation, -LibreSSL never calls the callback -.Fa cb -and always behaves as if that callback succeeded and set the -.Pf * Fa session -pointer to -.Dv NULL . -That is, LibreSSL never sends a pre-shared key to the server -and never aborts the handshake for lack of a pre-shared key. -.Pp -With OpenSSL, a client application wishing to use TLSv1.3 pre-shared keys -can install a callback function -.Fa cb -using -.Fn SSL_set_psk_use_session_callback . -The OpenSSL library may call -.Fa cb -once or twice during session negotiation. -If the callback fails, OpenSSL aborts connection setup. -If the callback succeeds but sets the -.Pf * Fa session -pointer to -.Dv NULL , -OpenSSL continues the handshake -but does not send a pre-shared key to the server. -.Sh RETURN VALUES -The -.Fn SSL_psk_use_session_cb_func -callback is expected to return 1 on success or 0 on failure. -.Sh HISTORY -.Fn SSL_set_psk_use_session_callback -and -.Fn SSL_psk_use_session_cb_func -first appeared in OpenSSL 1.1.1 and have been available since -.Ox 7.0 . diff --git a/src/lib/libssl/man/SSL_set_session.3 b/src/lib/libssl/man/SSL_set_session.3 deleted file mode 100644 index 7d85f5ad0c..0000000000 --- a/src/lib/libssl/man/SSL_set_session.3 +++ /dev/null 
@@ -1,119 +0,0 @@ -.\" $OpenBSD: SSL_set_session.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL 05ea606a May 20 20:52:46 2016 -0400 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2001, 2016 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 27 2018 $ -.Dt SSL_SET_SESSION 3 -.Os -.Sh NAME -.Nm SSL_set_session -.Nd set a TLS/SSL session to be used during TLS/SSL connect -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fn SSL_set_session "SSL *ssl" "SSL_SESSION *session" -.Sh DESCRIPTION -.Fn SSL_set_session -sets -.Fa session -to be used when the TLS/SSL connection is to be established. -.Fn SSL_set_session -is only useful for TLS/SSL clients. -When the session is set, the reference count of -.Fa session -is incremented -by 1. -If the session is not reused, the reference count is decremented again during -.Fn SSL_connect . -Whether the session was reused can be queried with the -.Xr SSL_session_reused 3 -call. -.Pp -If there is already a session set inside -.Fa ssl -(because it was set with -.Fn SSL_set_session -before or because the same -.Fa ssl -was already used for a connection), -.Xr SSL_SESSION_free 3 -will be called for that session. -.Pp -.Vt SSL_SESSION -objects keep internal link information about the session cache list when being -inserted into one -.Vt SSL_CTX -object's session cache. -One -.Vt SSL_SESSION -object, regardless of its reference count, must therefore only be used with one -.Vt SSL_CTX -object (and the -.Vt SSL -objects created from this -.Vt SSL_CTX -object). 
-.Sh RETURN VALUES -The following return values can occur: -.Bl -tag -width Ds -.It 0 -The operation failed; check the error stack to find out the reason. -.It 1 -The operation succeeded. -.El -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_set_session_cache_mode 3 , -.Xr SSL_get_session 3 , -.Xr SSL_SESSION_free 3 , -.Xr SSL_session_reused 3 -.Sh HISTORY -.Fn SSL_set_session -first appeared in SSLeay 0.5.2 and has been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_set_shutdown.3 b/src/lib/libssl/man/SSL_set_shutdown.3 deleted file mode 100644 index 678086f88f..0000000000 --- a/src/lib/libssl/man/SSL_set_shutdown.3 +++ /dev/null 
@@ -1,138 +0,0 @@ -.\" $OpenBSD: SSL_set_shutdown.3,v 1.6 2021/06/11 19:41:39 jmc Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001, 2005 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: June 11 2021 $ -.Dt SSL_SET_SHUTDOWN 3 -.Os -.Sh NAME -.Nm SSL_set_shutdown , -.Nm SSL_get_shutdown -.Nd manipulate shutdown state of an SSL connection -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft void -.Fn SSL_set_shutdown "SSL *ssl" "int mode" -.Ft int -.Fn SSL_get_shutdown "const SSL *ssl" -.Sh DESCRIPTION -.Fn SSL_set_shutdown -sets the shutdown state of -.Fa ssl -to -.Fa mode . -.Pp -.Fn SSL_get_shutdown -returns the shutdown mode of -.Fa ssl . -.Pp -The shutdown state of an ssl connection is a bitmask of: -.Bl -tag -width Ds -.It 0 -No shutdown setting, yet. -.It Dv SSL_SENT_SHUTDOWN -A -.Dq close notify -shutdown alert was sent to the peer; the connection is being considered closed -and the session is closed and correct. -.It Dv SSL_RECEIVED_SHUTDOWN -A shutdown alert was received form the peer, either a normal -.Dq close notify -or a fatal error. -.El -.Pp -.Dv SSL_SENT_SHUTDOWN -and -.Dv SSL_RECEIVED_SHUTDOWN -can be set at the same time. -.Pp -The shutdown state of the connection is used to determine the state of the -.Fa ssl -session. -If the session is still open when -.Xr SSL_clear 3 -or -.Xr SSL_free 3 -is called, it is considered bad and removed according to RFC 2246. 
-The actual condition for a correctly closed session is -.Dv SSL_SENT_SHUTDOWN -(according to the TLS RFC, it is acceptable to only send the -.Dq close notify -alert but to not wait for the peer's answer when the underlying connection is -closed). -.Fn SSL_set_shutdown -can be used to set this state without sending a close alert to the peer (see -.Xr SSL_shutdown 3 ) . -.Pp -If a -.Dq close notify -was received, -.Dv SSL_RECEIVED_SHUTDOWN -will be set, but to set -.Dv SSL_SENT_SHUTDOWN -the application must still call -.Xr SSL_shutdown 3 -or -.Fn SSL_set_shutdown -itself. -.Sh RETURN VALUES -.Fn SSL_get_shutdown -returns the current setting. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_clear 3 , -.Xr SSL_CTX_set_quiet_shutdown 3 , -.Xr SSL_free 3 , -.Xr SSL_shutdown 3 -.Sh HISTORY -.Fn SSL_set_shutdown -and -.Fn SSL_get_shutdown -first appeared in SSLeay 0.8.0 and have been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_set_tmp_ecdh.3 b/src/lib/libssl/man/SSL_set_tmp_ecdh.3 deleted file mode 100644 index 8fd2d9fd5b..0000000000 --- a/src/lib/libssl/man/SSL_set_tmp_ecdh.3 +++ /dev/null 
@@ -1,119 +0,0 @@ -.\" $OpenBSD: SSL_set_tmp_ecdh.3,v 1.6 2021/11/30 15:58:08 jsing Exp $ -.\" -.\" Copyright (c) 2017 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: November 30 2021 $ -.Dt SSL_SET_TMP_ECDH 3 -.Os -.Sh NAME -.Nm SSL_set_tmp_ecdh , -.Nm SSL_CTX_set_tmp_ecdh , -.Nm SSL_set_ecdh_auto , -.Nm SSL_CTX_set_ecdh_auto , -.Nm SSL_set_tmp_ecdh_callback , -.Nm SSL_CTX_set_tmp_ecdh_callback -.Nd select a curve for ECDH ephemeral key exchange -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft long -.Fo SSL_set_tmp_ecdh -.Fa "SSL *ssl" -.Fa "EC_KEY *ecdh" -.Fc -.Ft long -.Fo SSL_CTX_set_tmp_ecdh -.Fa "SSL_CTX *ctx" -.Fa "EC_KEY *ecdh" -.Fc -.Ft long -.Fo SSL_set_ecdh_auto -.Fa "SSL *ssl" -.Fa "int state" -.Fc -.Ft long -.Fo SSL_CTX_set_ecdh_auto -.Fa "SSL_CTX *ctx" -.Fa "int state" -.Fc -.Ft void -.Fo SSL_set_tmp_ecdh_callback -.Fa "SSL *ssl" -.Fa "EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength)" -.Fc -.Ft void -.Fo SSL_CTX_set_tmp_ecdh_callback -.Fa "SSL_CTX *ctx" -.Fa "EC_KEY *(*ecdh)(SSL *ssl, int is_export, int keylength)" -.Fc -.Sh DESCRIPTION -Automatic EC curve selection and generation is always enabled in -LibreSSL, and applications cannot manually provide EC keys for use -with ECDH key exchange. 
-.Pp -The only remaining effect of -.Fn SSL_set_tmp_ecdh -is that the curve of the given -.Fa ecdh -key becomes the only curve enabled for the -.Fa ssl -connection, so it is equivalent to calling -.Xr SSL_set1_groups_list 3 -with the same single curve name. -.Pp -.Fn SSL_CTX_set_tmp_ecdh -has the same effect on all connections that will be created from -.Fa ctx -in the future. -.Pp -The functions -.Fn SSL_set_ecdh_auto , -.Fn SSL_CTX_set_ecdh_auto , -.Fn SSL_set_tmp_ecdh_callback , -and -.Fn SSL_CTX_set_tmp_ecdh_callback -are deprecated and have no effect. -.Sh RETURN VALUES -.Fn SSL_set_tmp_ecdh -and -.Fn SSL_CTX_set_tmp_ecdh -return 1 on success or 0 on failure. -.Pp -.Fn SSL_set_ecdh_auto , -.Fn SSL_CTX_set_ecdh_auto , -.Fn SSL_set_tmp_ecdh_callback , -and -.Fn SSL_CTX_set_tmp_ecdh_callback -always return 1. -.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_set1_groups 3 , -.Xr SSL_CTX_set_cipher_list 3 , -.Xr SSL_CTX_set_options 3 , -.Xr SSL_CTX_set_tmp_dh_callback 3 , -.Xr SSL_new 3 -.Sh HISTORY -.Fn SSL_set_tmp_ecdh , -.Fn SSL_CTX_set_tmp_ecdh , -.Fn SSL_set_tmp_ecdh_callback , -and -.Fn SSL_CTX_set_tmp_ecdh_callback -first appeared in OpenSSL 0.9.8 and have been available since -.Ox 4.5 . -.Pp -.Fn SSL_CTX_set_ecdh_auto -and -.Fn SSL_set_ecdh_auto -first appeared in OpenSSL 1.0.2 and have been available since -.Ox 5.7 . diff --git a/src/lib/libssl/man/SSL_set_verify_result.3 b/src/lib/libssl/man/SSL_set_verify_result.3 deleted file mode 100644 index 4b7cc6ec3c..0000000000 --- a/src/lib/libssl/man/SSL_set_verify_result.3 +++ /dev/null 
@@ -1,90 +0,0 @@ -.\" $OpenBSD: SSL_set_verify_result.3,v 1.5 2020/03/29 17:05:02 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 29 2020 $ -.Dt SSL_SET_VERIFY_RESULT 3 -.Os -.Sh NAME -.Nm SSL_set_verify_result -.Nd override result of peer certificate verification -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft void -.Fn SSL_set_verify_result "SSL *ssl" "long verify_result" -.Sh DESCRIPTION -.Fn SSL_set_verify_result -sets -.Fa verify_result -of the object -.Fa ssl -to be the result of the verification of the X509 certificate presented by the -peer, if any. -.Pp -.Fn SSL_set_verify_result -overrides the verification result. -It only changes the verification result of the -.Fa ssl -object. -It does not become part of the established session, so if the session is to be -reused later, the original value will reappear. -.Pp -The valid codes for -.Fa verify_result -are documented in -.Xr openssl 1 . -.Sh SEE ALSO -.Xr openssl 1 , -.Xr ssl 3 , -.Xr SSL_get_peer_certificate 3 , -.Xr SSL_get_verify_result 3 -.Sh HISTORY -.Fn SSL_set_verify_result -first appeared in SSLeay 0.6.1 and has been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_shutdown.3 b/src/lib/libssl/man/SSL_shutdown.3 deleted file mode 100644 index bfb1e91ea7..0000000000 --- a/src/lib/libssl/man/SSL_shutdown.3 +++ /dev/null 
@@ -1,253 +0,0 @@ -.\" $OpenBSD: SSL_shutdown.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2000, 2001, 2004, 2014 The OpenSSL Project. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 27 2018 $ -.Dt SSL_SHUTDOWN 3 -.Os -.Sh NAME -.Nm SSL_shutdown -.Nd shut down a TLS/SSL connection -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft int -.Fn SSL_shutdown "SSL *ssl" -.Sh DESCRIPTION -.Fn SSL_shutdown -shuts down an active TLS/SSL connection. -It sends the -.Dq close notify -shutdown alert to the peer. -.Pp -.Fn SSL_shutdown -tries to send the -.Dq close notify -shutdown alert to the peer. -Whether the operation succeeds or not, the -.Dv SSL_SENT_SHUTDOWN -flag is set and a currently open session is considered closed and good and will -be kept in the session cache for further reuse. -.Pp -The shutdown procedure consists of 2 steps: the sending of the -.Dq close notify -shutdown alert and the reception of the peer's -.Dq close notify -shutdown alert. -According to the TLS standard, it is acceptable for an application to only send -its shutdown alert and then close the underlying connection without waiting for -the peer's response (this way resources can be saved, as the process can -already terminate or serve another connection). -When the underlying connection shall be used for more communications, -the complete shutdown procedure (bidirectional -.Dq close notify -alerts) must be performed, so that the peers stay synchronized. -.Pp -.Fn SSL_shutdown -supports both uni- and bidirectional shutdown by its 2 step behavior. 
-.Pp -When the application is the first party to send the -.Dq close notify -alert, -.Fn SSL_shutdown -will only send the alert and then set the -.Dv SSL_SENT_SHUTDOWN -flag (so that the session is considered good and will be kept in cache). -.Fn SSL_shutdown -will then return 0. -If a unidirectional shutdown is enough -(the underlying connection shall be closed anyway), this first call to -.Fn SSL_shutdown -is sufficient. -In order to complete the bidirectional shutdown handshake, -.Fn SSL_shutdown -must be called again. -The second call will make -.Fn SSL_shutdown -wait for the peer's -.Dq close notify -shutdown alert. -On success, the second call to -.Fn SSL_shutdown -will return 1. -.Pp -If the peer already sent the -.Dq close notify -alert and it was already processed implicitly inside another function -.Pq Xr SSL_read 3 , -the -.Dv SSL_RECEIVED_SHUTDOWN -flag is set. -.Fn SSL_shutdown -will send the -.Dq close notify -alert, set the -.Dv SSL_SENT_SHUTDOWN -flag and will immediately return with 1. -Whether -.Dv SSL_RECEIVED_SHUTDOWN -is already set can be checked using the -.Fn SSL_get_shutdown -(see also the -.Xr SSL_set_shutdown 3 -call). -.Pp -It is therefore recommended to check the return value of -.Fn SSL_shutdown -and call -.Fn SSL_shutdown -again, if the bidirectional shutdown is not yet complete (return value of the -first call is 0). -.Pp -The behaviour of -.Fn SSL_shutdown -additionally depends on the underlying -.Vt BIO . -.Pp -If the underlying -.Vt BIO -is -.Em blocking , -.Fn SSL_shutdown -will only return once the -handshake step has been finished or an error occurred. -.Pp -If the underlying -.Vt BIO -is -.Em non-blocking , -.Fn SSL_shutdown -will also return when the underlying -.Vt BIO -could not satisfy the needs of -.Fn SSL_shutdown -to continue the handshake. -In this case a call to -.Xr SSL_get_error 3 -with the -return value of -.Fn SSL_shutdown -will yield -.Dv SSL_ERROR_WANT_READ -or -.Dv SSL_ERROR_WANT_WRITE . 
-The calling process then must repeat the call after taking appropriate action -to satisfy the needs of -.Fn SSL_shutdown . -The action depends on the underlying -.Vt BIO . -When using a non-blocking socket, nothing is to be done, but -.Xr select 2 -can be used to check for the required condition. -When using a buffering -.Vt BIO , -like a -.Vt BIO -pair, data must be written into or retrieved out of the -.Vt BIO -before being able to continue. -.Pp -.Fn SSL_shutdown -can be modified to only set the connection to -.Dq shutdown -state but not actually send the -.Dq close notify -alert messages; see -.Xr SSL_CTX_set_quiet_shutdown 3 . -When -.Dq quiet shutdown -is enabled, -.Fn SSL_shutdown -will always succeed and return 1. -.Sh RETURN VALUES -The following return values can occur: -.Bl -tag -width Ds -.It 0 -The shutdown is not yet finished. -Call -.Fn SSL_shutdown -for a second time, if a bidirectional shutdown shall be performed. -The output of -.Xr SSL_get_error 3 -may be misleading, as an erroneous -.Dv SSL_ERROR_SYSCALL -may be flagged even though no error occurred. -.It 1 -The shutdown was successfully completed. -The -.Dq close notify -alert was sent and the peer's -.Dq close notify -alert was received. -.It \(mi1 -The shutdown was not successful because a fatal error occurred either -at the protocol level or a connection failure occurred. -It can also occur if action is need to continue the operation for non-blocking -.Vt BIO Ns -s. -Call -.Xr SSL_get_error 3 -with the return value -.Fa ret -to find out the reason. -.El -.Sh SEE ALSO -.Xr BIO_new 3 , -.Xr ssl 3 , -.Xr SSL_accept 3 , -.Xr SSL_clear 3 , -.Xr SSL_connect 3 , -.Xr SSL_CTX_set_quiet_shutdown 3 , -.Xr SSL_free 3 , -.Xr SSL_get_error 3 , -.Xr SSL_set_shutdown 3 -.Sh HISTORY -.Fn SSL_shutdown -first appeared in SSLeay 0.8.0 and has been available since -.Ox 2.4 . 
diff --git a/src/lib/libssl/man/SSL_state_string.3 b/src/lib/libssl/man/SSL_state_string.3 deleted file mode 100644 index 1070335448..0000000000 --- a/src/lib/libssl/man/SSL_state_string.3 +++ /dev/null 
@@ -1,110 +0,0 @@ -.\" $OpenBSD: SSL_state_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $ -.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100 -.\" -.\" This file was written by Lutz Jaenicke . -.\" Copyright (c) 2001, 2005 The OpenSSL Project. All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: March 27 2018 $ -.Dt SSL_STATE_STRING 3 -.Os -.Sh NAME -.Nm SSL_state_string , -.Nm SSL_state_string_long -.Nd get textual description of state of an SSL object -.Sh SYNOPSIS -.In openssl/ssl.h -.Ft const char * -.Fn SSL_state_string "const SSL *ssl" -.Ft const char * -.Fn SSL_state_string_long "const SSL *ssl" -.Sh DESCRIPTION -.Fn SSL_state_string -returns a 6 letter string indicating the current state of the -.Vt SSL -object -.Fa ssl . -.Pp -.Fn SSL_state_string_long -returns a string indicating the current state of the -.Vt SSL -object -.Fa ssl . -.Pp -During its use, an -.Vt SSL -object passes several states. -The state is internally maintained. -Querying the state information is not very informative before or when a -connection has been established. -It however can be of significant interest during the handshake. -.Pp -When using non-blocking sockets, -the function call performing the handshake may return with -.Dv SSL_ERROR_WANT_READ -or -.Dv SSL_ERROR_WANT_WRITE -condition, so that -.Fn SSL_state_string[_long] -may be called. -.Pp -For both blocking or non-blocking sockets, -the details state information can be used within the -.Fn info_callback -function set with the -.Xr SSL_set_info_callback 3 -call. -.Sh RETURN VALUES -Detailed description of possible states to be included later. 
-.Sh SEE ALSO -.Xr ssl 3 , -.Xr SSL_CTX_set_info_callback 3 -.Sh HISTORY -.Fn SSL_state_string -and -.Fn SSL_state_string_long -first appeared in SSLeay 0.6.0 and have been available since -.Ox 2.4 . diff --git a/src/lib/libssl/man/SSL_want.3 b/src/lib/libssl/man/SSL_want.3 deleted file mode 100644 index 24e8645ba8..0000000000 --- a/src/lib/libssl/man/SSL_want.3 +++ /dev/null 
@@ -1,161 +0,0 @@
-.\" $OpenBSD: SSL_want.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
-.\" OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2005 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 27 2018 $
-.Dt SSL_WANT 3
-.Os
-.Sh NAME
-.Nm SSL_want ,
-.Nm SSL_want_nothing ,
-.Nm SSL_want_read ,
-.Nm SSL_want_write ,
-.Nm SSL_want_x509_lookup
-.Nd obtain state information TLS/SSL I/O operation
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_want "const SSL *ssl"
-.Ft int
-.Fn SSL_want_nothing "const SSL *ssl"
-.Ft int
-.Fn SSL_want_read "const SSL *ssl"
-.Ft int
-.Fn SSL_want_write "const SSL *ssl"
-.Ft int
-.Fn SSL_want_x509_lookup "const SSL *ssl"
-.Sh DESCRIPTION
-.Fn SSL_want
-returns state information for the
-.Vt SSL
-object
-.Fa ssl .
-.Pp
-The other
-.Fn SSL_want_*
-calls are shortcuts for the possible states returned by
-.Fn SSL_want .
-.Pp
-.Fn SSL_want
-examines the internal state information of the
-.Vt SSL
-object.
-Its return values are similar to those of
-.Xr SSL_get_error 3 .
-Unlike
-.Xr SSL_get_error 3 ,
-which also evaluates the error queue,
-the results are obtained by examining an internal state flag only.
-The information must therefore only be used for normal operation under
-non-blocking I/O.
-Error conditions are not handled and must be treated using
-.Xr SSL_get_error 3 .
-.Pp
-The result returned by
-.Fn SSL_want
-should always be consistent with the result of
-.Xr SSL_get_error 3 .
-.Sh RETURN VALUES
-The following return values can currently occur for
-.Fn SSL_want :
-.Bl -tag -width Ds
-.It Dv SSL_NOTHING
-There is no data to be written or to be read.
-.It Dv SSL_WRITING
-There are data in the SSL buffer that must be written to the underlying
-.Vt BIO
-layer in order to complete the actual
-.Fn SSL_*
-operation.
-A call to
-.Xr SSL_get_error 3
-should return
-.Dv SSL_ERROR_WANT_WRITE .
-.It Dv SSL_READING
-More data must be read from the underlying
-.Vt BIO
-layer in order to
-complete the actual
-.Fn SSL_*
-operation.
-A call to
-.Xr SSL_get_error 3
-should return
-.Dv SSL_ERROR_WANT_READ .
-.It Dv SSL_X509_LOOKUP
-The operation did not complete because an application callback set by
-.Xr SSL_CTX_set_client_cert_cb 3
-has asked to be called again.
-A call to
-.Xr SSL_get_error 3
-should return
-.Dv SSL_ERROR_WANT_X509_LOOKUP .
-.El
-.Pp
-.Fn SSL_want_nothing ,
-.Fn SSL_want_read ,
-.Fn SSL_want_write ,
-and
-.Fn SSL_want_x509_lookup
-return 1 when the corresponding condition is true or 0 otherwise.
-.Sh SEE ALSO
-.Xr err 3 ,
-.Xr ssl 3 ,
-.Xr SSL_get_error 3
-.Sh HISTORY
-.Fn SSL_want ,
-.Fn SSL_want_nothing ,
-.Fn SSL_want_read ,
-and
-.Fn SSL_want_write
-first appeared in SSLeay 0.5.2.
-.Fn SSL_want_x509_lookup
-first appeared in SSLeay 0.6.0.
-These functions have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/SSL_write.3 b/src/lib/libssl/man/SSL_write.3
deleted file mode 100644
index 2c6fbcef08..0000000000
--- a/src/lib/libssl/man/SSL_write.3
+++ /dev/null
@@ -1,249 +0,0 @@
-.\" $OpenBSD: SSL_write.3,v 1.7 2021/10/24 15:10:13 schwarze Exp $
-.\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
-.\"
-.\" This file was written by Lutz Jaenicke
-.\" and Matt Caswell .
-.\" Copyright (c) 2000, 2001, 2002, 2016 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: October 24 2021 $
-.Dt SSL_WRITE 3
-.Os
-.Sh NAME
-.Nm SSL_write_ex ,
-.Nm SSL_write
-.Nd write bytes to a TLS connection
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft int
-.Fn SSL_write_ex "SSL *ssl" "const void *buf" "size_t num" "size_t *written"
-.Ft int
-.Fn SSL_write "SSL *ssl" "const void *buf" "int num"
-.Sh DESCRIPTION
-.Fn SSL_write_ex
-and
-.Fn SSL_write
-write
-.Fa num
-bytes from the buffer
-.Fa buf
-into the specified
-.Fa ssl
-connection.
-On success
-.Fn SSL_write_ex
-stores the number of bytes written in
-.Pf * Fa written .
-.Pp
-In the following,
-.Fn SSL_write_ex
-and
-.Fn SSL_write
-are called
-.Dq write functions .
-.Pp
-If necessary, a write function negotiates a TLS session,
-if not already explicitly performed by
-.Xr SSL_connect 3
-or
-.Xr SSL_accept 3 .
-If the peer requests a re-negotiation,
-it will be performed transparently during the
-write function operation.
-The behaviour of the write functions depends on the underlying
-.Vt BIO .
-.Pp
-For the transparent negotiation to succeed, the
-.Fa ssl
-must have been initialized to client or server mode.
-This is done by calling
-.Xr SSL_set_connect_state 3
-or
-.Xr SSL_set_accept_state 3
-before the first call to a write function.
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em blocking ,
-the write function
-will only return once the write operation has been finished or an error
-occurred, except when a renegotiation takes place, in which case a
-.Dv SSL_ERROR_WANT_READ
-may occur.
-This behaviour can be controlled with the
-.Dv SSL_MODE_AUTO_RETRY
-flag of the
-.Xr SSL_CTX_set_mode 3
-call.
-.Pp
-If the underlying
-.Vt BIO
-is
-.Em non-blocking ,
-the write function will also return when the underlying
-.Vt BIO
-could not satisfy the needs of the function to continue the operation.
-In this case a call to
-.Xr SSL_get_error 3
-with the return value of the write function will yield
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE .
-As at any time a re-negotiation is possible, a call to
-a write function can also cause read operations.
-The calling process then must repeat the call after taking appropriate action
-to satisfy the needs of the write function.
-The action depends on the underlying
-.Vt BIO .
-When using a non-blocking socket, nothing is to be done, but
-.Xr select 2
-can be used to check for the required condition.
-When using a buffering
-.Vt BIO ,
-like a
-.Vt BIO
-pair, data must be written into or retrieved out of the BIO before being able
-to continue.
-.Pp
-The write functions
-will only return with success when the complete contents of
-.Fa buf
-of length
-.Fa num
-have been written.
-This default behaviour can be changed with the
-.Dv SSL_MODE_ENABLE_PARTIAL_WRITE
-option of
-.Xr SSL_CTX_set_mode 3 .
-When this flag is set, the write functions will also return with
-success when a partial write has been successfully completed.
-In this case the write function operation is considered completed.
-The bytes are sent and a new write call with a new buffer (with the
-already sent bytes removed) must be started.
-A partial write is performed with the size of a message block,
-which is 16kB.
-.Pp
-When a write function call has to be repeated because
-.Xr SSL_get_error 3
-returned
-.Dv SSL_ERROR_WANT_READ
-or
-.Dv SSL_ERROR_WANT_WRITE ,
-it must be repeated with the same arguments.
-.Pp
-When calling
-.Fn SSL_write
-with
-.Fa num Ns =0
-bytes to be sent, the behaviour is undefined.
-.Fn SSL_write_ex
-can be called with
-.Fa num Ns =0 ,
-but will not send application data to the peer.
-.Sh RETURN VALUES
-.Fn SSL_write_ex
-returns 1 for success or 0 for failure.
-Success means that all requested application data bytes have been
-written to the TLS connection or, if
-.Dv SSL_MODE_ENABLE_PARTIAL_WRITE
-is in use, at least one application data byte has been written
-to the TLS connection.
-Failure means that not all the requested bytes have been written yet (if
-.Dv SSL_MODE_ENABLE_PARTIAL_WRITE
-is not in use) or no bytes could be written to the TLS connection (if
-.Dv SSL_MODE_ENABLE_PARTIAL_WRITE
-is in use).
-Failures can be retryable (e.g. the network write buffer has temporarily
-filled up) or non-retryable (e.g. a fatal network error).
-In the event of a failure, call
-.Xr SSL_get_error 3
-to find out the reason
-which indicates whether the call is retryable or not.
-.Pp
-For
-.Fn SSL_write ,
-the following return values can occur:
-.Bl -tag -width Ds
-.It >0
-The write operation was successful.
-The return value is the number of bytes actually written to the TLS
-connection.
-.It 0
-The write operation was not successful.
-Probably the underlying connection was closed.
-Call
-.Xr SSL_get_error 3
-with the return value to find out whether an error occurred or the connection
-was shut down cleanly
-.Pq Dv SSL_ERROR_ZERO_RETURN .
-.It <0
-The write operation was not successful, because either an error occurred or
-action must be taken by the calling process.
-Call
-.Xr SSL_get_error 3
-with the return value to find out the reason.
-.El
-.Sh SEE ALSO
-.Xr BIO_new 3 ,
-.Xr ssl 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_set_mode 3 ,
-.Xr SSL_get_error 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_set_connect_state 3
-.Sh HISTORY
-.Fn SSL_write
-appeared in SSLeay 0.4 or earlier and has been available since
-.Ox 2.4 .
-.Pp
-.Fn SSL_write_ex
-first appeared in OpenSSL 1.1.1 and has been available since
-.Ox 7.1 .
diff --git a/src/lib/libssl/man/d2i_SSL_SESSION.3 b/src/lib/libssl/man/d2i_SSL_SESSION.3
deleted file mode 100644
index 7a2bc529ab..0000000000
--- a/src/lib/libssl/man/d2i_SSL_SESSION.3
+++ /dev/null
@@ -1,181 +0,0 @@
-.\" $OpenBSD: d2i_SSL_SESSION.3,v 1.7 2019/06/08 15:25:43 schwarze Exp $
-.\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Lutz Jaenicke .
-.\" Copyright (c) 2001, 2005, 2014 The OpenSSL Project. All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: June 8 2019 $
-.Dt D2I_SSL_SESSION 3
-.Os
-.Sh NAME
-.Nm d2i_SSL_SESSION ,
-.Nm i2d_SSL_SESSION
-.Nd convert SSL_SESSION object from/to ASN1 representation
-.Sh SYNOPSIS
-.In openssl/ssl.h
-.Ft SSL_SESSION *
-.Fn d2i_SSL_SESSION "SSL_SESSION **a" "const unsigned char **pp" "long length"
-.Ft int
-.Fn i2d_SSL_SESSION "SSL_SESSION *in" "unsigned char **pp"
-.Sh DESCRIPTION
-.Fn d2i_SSL_SESSION
-transforms the external ASN1 representation of an SSL/TLS session,
-stored as binary data at location
-.Fa pp
-with length
-.Fa length ,
-into
-an
-.Vt SSL_SESSION
-object.
-.Pp
-.Fn i2d_SSL_SESSION
-transforms the
-.Vt SSL_SESSION
-object
-.Fa in
-into the ASN1 representation and stores it into the memory location pointed to
-by
-.Fa pp .
-The length of the resulting ASN1 representation is returned.
-If
-.Fa pp
-is the
-.Dv NULL
-pointer, only the length is calculated and returned.
-.Pp
-The
-.Vt SSL_SESSION
-object is built from several
-.Xr malloc 3 Ns
--ed parts; it can therefore not be moved, copied or stored directly.
-In order to store session data on disk or into a database,
-it must be transformed into a binary ASN1 representation.
-.Pp
-When using
-.Fn d2i_SSL_SESSION ,
-the
-.Vt SSL_SESSION
-object is automatically allocated.
-The reference count is 1, so that the session must be explicitly removed using
-.Xr SSL_SESSION_free 3 ,
-unless the
-.Vt SSL_SESSION
-object is completely taken over, when being called inside the
-.Fn get_session_cb ,
-see
-.Xr SSL_CTX_sess_set_get_cb 3 .
-.Pp
-.Vt SSL_SESSION
-objects keep internal link information about the session cache list when being
-inserted into one
-.Vt SSL_CTX
-object's session cache.
-One
-.Vt SSL_SESSION
-object, regardless of its reference count, must therefore only be used with one
-.Vt SSL_CTX
-object (and the
-.Vt SSL
-objects created from this
-.Vt SSL_CTX
-object).
-.Pp
-When using
-.Fn i2d_SSL_SESSION ,
-the memory location pointed to by
-.Fa pp
-must be large enough to hold the binary representation of the session.
-There is no known limit on the size of the created ASN1 representation,
-so call
-.Fn i2d_SSL_SESSION
-first with
-.Fa pp Ns = Ns Dv NULL
-to obtain the encoded size, before allocating the required amount of memory and
-calling
-.Fn i2d_SSL_SESSION
-again.
-Note that this will advance the value contained in
-.Fa *pp
-so it is necessary to save a copy of the original allocation.
-For example:
-.Bd -literal -offset indent
-char *p, *pp;
-int elen, len;
-
-elen = i2d_SSL_SESSION(sess, NULL);
-p = pp = malloc(elen);
-if (p != NULL) {
- len = i2d_SSL_SESSION(sess, &pp);
- assert(elen == len);
- assert(p + len == pp);
-}
-.Ed
-.Sh RETURN VALUES
-.Fn d2i_SSL_SESSION
-returns a pointer to the newly allocated
-.Vt SSL_SESSION
-object.
-In case of failure a
-.Dv NULL
-pointer is returned and the error message can be retrieved from the error
-stack.
-.Pp
-.Fn i2d_SSL_SESSION
-returns the size of the ASN1 representation in bytes.
-When the session is not valid, 0 is returned and no operation is performed.
-.Sh SEE ALSO
-.Xr d2i_X509 3 ,
-.Xr ssl 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_SESSION_free 3
-.Sh HISTORY
-.Fn d2i_SSL_SESSION
-and
-.Fn i2d_SSL_SESSION
-first appeared in SSLeay 0.5.2 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3
deleted file mode 100644
index 4dd3d23f1c..0000000000
--- a/src/lib/libssl/man/ssl.3
+++ /dev/null
@@ -1,367 +0,0 @@
-.\" $OpenBSD: ssl.3,v 1.22 2022/09/17 16:03:21 kn Exp $
-.\" full merge up to: OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
-.\" selective merge up to: OpenSSL 322755cc Sep 1 08:40:51 2018 +0800
-.\"
-.\" This file was written by Ralf S. Engelschall ,
-.\" Ben Laurie , and Ulf Moeller .
-.\" Copyright (c) 1998-2002, 2005, 2013, 2015 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6.
Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: September 17 2022 $
-.Dt SSL 3
-.Os
-.Sh NAME
-.Nm ssl
-.Nd OpenSSL SSL/TLS library
-.Sh DESCRIPTION
-The OpenSSL
-.Nm ssl
-library implements the Transport Layer Security (TLS v1) protocols.
-.Pp
-An
-.Vt SSL_CTX
-object is created as a framework to establish TLS/SSL enabled connections (see
-.Xr SSL_CTX_new 3 ) .
-Various options regarding certificates, algorithms, etc., can be set in this
-object.
-.Pp
-When a network connection has been created, it can be assigned to an
-.Vt SSL
-object.
-After the
-.Vt SSL
-object has been created using
-.Xr SSL_new 3 ,
-.Xr SSL_set_fd 3
-or
-.Xr SSL_set_bio 3
-can be used to associate the network connection with the object.
-.Pp
-Then the TLS/SSL handshake is performed using
-.Xr SSL_accept 3
-or
-.Xr SSL_connect 3
-respectively.
-.Xr SSL_read 3
-and
-.Xr SSL_write 3
-are used to read and write data on the TLS/SSL connection.
-.Xr SSL_shutdown 3
-can be used to shut down the TLS/SSL connection.
-.Sh DATA STRUCTURES
-Currently the OpenSSL
-.Nm ssl
-library functions deal with the following data structures:
-.Bl -tag -width Ds
-.It Vt SSL_METHOD No (SSL Method)
-That's a dispatch structure describing the internal
-.Nm ssl
-library methods/functions which implement the various protocol versions.
-It's needed to create an
-.Vt SSL_CTX .
-See
-.Xr TLS_method 3
-for constructors.
-.It Vt SSL_CIPHER No (SSL Cipher)
-This structure holds the algorithm information for a particular cipher which
-is a core part of the SSL/TLS protocol.
-The available ciphers are configured on an
-.Vt SSL_CTX
-basis and the actually used ones are then part of the
-.Vt SSL_SESSION .
-.It Vt SSL_CTX No (SSL Context)
-That's the global context structure which is created by a server or client
-once per program lifetime and which holds mainly default values for the
-.Vt SSL
-structures which are later created for the connections.
-.It Vt SSL_SESSION No (SSL Session)
-This is a structure containing the current TLS/SSL session details for a
-connection:
-.Vt SSL_CIPHER Ns s ,
-client and server certificates, keys, etc.
-.It Vt SSL No (SSL Connection)
-That's the main SSL/TLS structure which is created by a server or client per
-established connection.
-This actually is the core structure in the SSL API.
-At run-time the application usually deals with this structure which has
-links to mostly all other structures.
-.El
-.Sh HEADER FILES
-Currently the OpenSSL
-.Nm ssl
-library provides the following C header files containing the prototypes for the
-data structures and functions:
-.Bl -tag -width Ds
-.It Pa ssl.h
-That's the common header file for the SSL/TLS API.
-Include it into your program to make the API of the
-.Nm ssl
-library available.
-It internally includes both more private SSL headers and headers from the
-.Em crypto
-library.
-Whenever you need hardcore details on the internals of the SSL API, look inside
-this header file.
-.It Pa ssl2.h
-That's the sub header file dealing with the SSLv2 protocol only.
-.Bf Em
- Usually you don't have to include it explicitly because it's already included
-by
-.Pa ssl.h .
-.Ef
-.It Pa ssl3.h
-That's the sub header file dealing with the SSLv3 protocol only.
-.Bf Em
-Usually you don't have to include it explicitly because it's already included
-by
-.Pa ssl.h .
-.Ef
-.It Pa ssl23.h
-That's the sub header file dealing with the combined use of the SSLv2 and SSLv3
-protocols.
-.Bf Em
-Usually you don't have to include it explicitly because it's already included
-by
-.Pa ssl.h .
-.Ef
-.It Pa tls1.h
-That's the sub header file dealing with the TLSv1 protocol only.
-.Bf Em
-Usually you don't have to include it explicitly because it's already included
-by
-.Pa ssl.h .
-.Ef
-.El
-.Sh API FUNCTIONS
-.Ss Ciphers
-The following pages describe functions acting on
-.Vt SSL_CIPHER
-objects:
-.Xr SSL_get_ciphers 3 ,
-.Xr SSL_get_current_cipher 3 ,
-.Xr SSL_CIPHER_get_name 3
-.Ss Protocol contexts
-The following pages describe functions acting on
-.Vt SSL_CTX
-objects.
-.Pp
-Constructors and destructors:
-.Xr SSL_CTX_new 3 ,
-.Xr SSL_CTX_set_ssl_version 3 ,
-.Xr SSL_CTX_free 3
-.Pp
-Certificate configuration:
-.Xr SSL_CTX_add_extra_chain_cert 3 ,
-.Xr SSL_CTX_get0_certificate 3 ,
-.Xr SSL_CTX_load_verify_locations 3 ,
-.Xr SSL_CTX_set_cert_store 3 ,
-.Xr SSL_CTX_set_cert_verify_callback 3 ,
-.Xr SSL_CTX_set_client_cert_cb 3 ,
-.Xr SSL_CTX_set_default_passwd_cb 3 ,
-.Xr SSL_CTX_set_tlsext_status_cb 3
-.Pp
-Session configuration:
-.Xr SSL_CTX_add_session 3 ,
-.Xr SSL_CTX_flush_sessions 3 ,
-.Xr SSL_CTX_sess_number 3 ,
-.Xr SSL_CTX_sess_set_cache_size 3 ,
-.Xr SSL_CTX_sess_set_get_cb 3 ,
-.Xr SSL_CTX_sessions 3 ,
-.Xr SSL_CTX_set_session_cache_mode 3 ,
-.Xr SSL_CTX_set_timeout 3 ,
-.Xr SSL_CTX_set_tlsext_ticket_key_cb 3
-.Pp
-Various configuration:
-.Xr SSL_CTX_get_ex_new_index 3 ,
-.Xr SSL_CTX_set_tlsext_servername_callback 3
-.Ss Common configuration of contexts and connections
-The functions on the following pages each come in two variants:
-one to directly configure a single
-.Vt SSL
-connection and another to be called on an
-.Vt SSL_CTX
-object, to set up defaults for all future
-.Vt SSL
-connections created from that context.
-.Pp
-Protocol and algorithm configuration:
-.Xr SSL_CTX_set_alpn_select_cb 3 ,
-.Xr SSL_CTX_set_cipher_list 3 ,
-.Xr SSL_CTX_set_min_proto_version 3 ,
-.Xr SSL_CTX_set_options 3 ,
-.Xr SSL_CTX_set_security_level 3 ,
-.Xr SSL_CTX_set_tlsext_use_srtp 3 ,
-.Xr SSL_CTX_set_tmp_dh_callback 3 ,
-.Xr SSL_CTX_set1_groups 3
-.Pp
-Certificate configuration:
-.Xr SSL_CTX_add1_chain_cert 3 ,
-.Xr SSL_CTX_get_verify_mode 3 ,
-.Xr SSL_CTX_set_client_CA_list 3 ,
-.Xr SSL_CTX_set_max_cert_list 3 ,
-.Xr SSL_CTX_set_verify 3 ,
-.Xr SSL_CTX_use_certificate 3 ,
-.Xr SSL_get_client_CA_list 3
-.Xr SSL_set1_param 3
-.Pp
-Session configuration:
-.Xr SSL_CTX_set_generate_session_id 3 ,
-.Xr SSL_CTX_set_session_id_context 3
-.Pp
-Various configuration:
-.Xr SSL_CTX_ctrl 3 ,
-.Xr SSL_CTX_set_info_callback 3 ,
-.Xr SSL_CTX_set_mode 3 ,
-.Xr SSL_CTX_set_msg_callback 3 ,
-.Xr SSL_CTX_set_quiet_shutdown 3 ,
-.Xr SSL_CTX_set_read_ahead 3 ,
-.Xr SSL_set_max_send_fragment 3
-.Ss Sessions
-The following pages describe functions acting on
-.Vt SSL_SESSION
-objects.
-.Pp
-Constructors and destructors:
-.Xr SSL_SESSION_new 3 ,
-.Xr SSL_SESSION_free 3
-.Pp
-Accessors:
-.Xr SSL_SESSION_get_compress_id 3 ,
-.Xr SSL_SESSION_get_ex_new_index 3 ,
-.Xr SSL_SESSION_get_id 3 ,
-.Xr SSL_SESSION_get_protocol_version 3 ,
-.Xr SSL_SESSION_get_time 3 ,
-.Xr SSL_SESSION_get0_peer 3 ,
-.Xr SSL_SESSION_has_ticket 3 ,
-.Xr SSL_SESSION_set1_id_context 3
-.Pp
-Encoding and decoding:
-.Xr d2i_SSL_SESSION 3 ,
-.Xr PEM_read_SSL_SESSION 3 ,
-.Xr SSL_SESSION_print 3
-.Ss Connections
-The following pages describe functions acting on
-.Vt SSL
-connection objects:
-.Pp
-Constructors and destructors:
-.Xr SSL_new 3 ,
-.Xr SSL_dup 3 ,
-.Xr SSL_free 3 ,
-.Xr BIO_f_ssl 3
-.Pp
-To change the configuration:
-.Xr SSL_clear 3 ,
-.Xr SSL_set_SSL_CTX 3 ,
-.Xr SSL_copy_session_id 3 ,
-.Xr SSL_set_bio 3 ,
-.Xr SSL_set_connect_state 3 ,
-.Xr SSL_set_fd 3 ,
-.Xr SSL_set_session 3 ,
-.Xr SSL_set1_host 3 ,
-.Xr SSL_set_verify_result 3
-.Pp
-To inspect the configuration:
-.Xr SSL_get_certificate 3 ,
-.Xr SSL_get_default_timeout 3 ,
-.Xr SSL_get_ex_new_index 3 ,
-.Xr SSL_get_fd 3 ,
-.Xr SSL_get_rbio 3 ,
-.Xr SSL_get_SSL_CTX 3
-.Pp
-To transmit data:
-.Xr DTLSv1_listen 3 ,
-.Xr SSL_accept 3 ,
-.Xr SSL_connect 3 ,
-.Xr SSL_do_handshake 3 ,
-.Xr SSL_read 3 ,
-.Xr SSL_read_early_data 3 ,
-.Xr SSL_renegotiate 3 ,
-.Xr SSL_shutdown 3 ,
-.Xr SSL_write 3
-.Pp
-To inspect the state after a connection is established:
-.Xr SSL_export_keying_material 3 ,
-.Xr SSL_get_client_random 3 ,
-.Xr SSL_get_ex_data_X509_STORE_CTX_idx 3 ,
-.Xr SSL_get_peer_cert_chain 3 ,
-.Xr SSL_get_peer_certificate 3 ,
-.Xr SSL_get_server_tmp_key 3 ,
-.Xr SSL_get_servername 3 ,
-.Xr SSL_get_session 3 ,
-.Xr SSL_get_shared_ciphers 3 ,
-.Xr SSL_get_verify_result 3 ,
-.Xr SSL_get_version 3 ,
-.Xr SSL_session_reused 3
-.Pp
-To inspect the state during ongoing communication:
-.Xr SSL_get_error 3 ,
-.Xr SSL_get_shutdown 3 ,
-.Xr SSL_get_state 3 ,
-.Xr SSL_num_renegotiations 3 ,
-.Xr SSL_pending 3 ,
-.Xr
SSL_rstate_string 3 ,
-.Xr SSL_state_string 3 ,
-.Xr SSL_want 3
-.Ss Utility functions
-.Xr SSL_alert_type_string 3 ,
-.Xr SSL_dup_CA_list 3 ,
-.Xr SSL_load_client_CA_file 3
-.Ss Obsolete functions
-.Xr OPENSSL_init_ssl 3 ,
-.Xr SSL_COMP_add_compression_method 3 ,
-.Xr SSL_CTX_set_tmp_rsa_callback 3 ,
-.Xr SSL_library_init 3 ,
-.Xr SSL_set_tmp_ecdh 3
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr crypto 3 ,
-.Xr tls_init 3
-.Sh HISTORY
-The
-.Nm
-document appeared in OpenSSL 0.9.2.
-- cgit v1.2.3-55-g6feb