diff --git a/CHANGES b/CHANGES index 67b0f565d1..af491c8f71 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,17 @@ Changes between 0.9.5a and 0.9.6 [xx XXX 2000] + *) Remove 'optimized' squaring variant in BN_mod_mul_montgomery, + it can return incorrect results. + (Note: The buggy variant was not enabled in OpenSSL 0.9.5a, + but it was in 0.9.6-beta[12].) + [Bodo Moeller] + + *) Disable the check for content being present when verifying detached + signatures in pk7_smime.c. Some versions of Netscape (wrongly) + include zero length content when signing messages. + [Steve Henson] + *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR BIO_ctrl (for BIO pairs). diff --git a/Configure b/Configure index 0c92260a06..8c4a728799 100755 --- a/Configure +++ b/Configure 
@@ -225,16 +225,16 @@ my %table=( # Since there is mention of this in shlib/hpux10-cc.sh "hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl", -"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl", +"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn", # More attempts at unified 10.X and 11.X targets for HP C compiler. # # Chris Ruemmler # Kevin Steves -"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT:-ldl:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl", -"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl", -"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dl", -"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl", +"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl", +"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN 
-DMD32_XARRAY::-D_REENTRANT:-ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl", +"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn", +"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl", # HPUX 9.X config. # Don't use the bundled cc. It is broken. Use HP ANSI C if possible, or diff --git a/FAQ b/FAQ index a381d1d862..f0d768916a 100644 --- a/FAQ +++ b/FAQ @@ -135,7 +135,7 @@ installing the SUNski package from Sun patch 105710-01 (Sparc) which adds a /dev/random device and make sure it gets used, usually through $RANDFILE. There are probably similar patches for the other Solaris versions. However, be warned that /dev/random is usually a blocking -device, which may have som effects on OpenSSL. +device, which may have some effects on OpenSSL. * Why does the linker complain about undefined symbols? @@ -194,7 +194,7 @@ unsigned char *buf, *p; int len; len = i2d_PKCS7(p7, NULL); -buf = OPENSSL_Malloc(len); /* or Malloc, error checking omitted */ +buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */ p = buf; i2d_PKCS7(p7, &p); diff --git a/NEWS b/NEWS index 7c30b76124..31077d2094 100644 --- a/NEWS +++ b/NEWS 
@@ -5,6 +5,15 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6: + + o Some documentation for BIO and SSL libraries. + o Enhanced chain verification using key identifiers. + o New sign and verify options to 'dgst' application. + o Support for DER and PEM encoded messages in 'smime' application. + o New 'rsautl' application, low level RSA utility. + + Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a: o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 diff --git a/README b/README index 46252db971..686c437cb1 100644 --- a/README +++ b/README @@ -163,6 +163,9 @@ the string "[PATCH]" in the subject. Please be sure to include a textual explanation of what your patch does. + Note: For legal reasons, contributions from the US can be accepted only + if a copy of the patch is sent to crypt@bxa.doc.gov + The preferred format for changes is "diff -u" output. You might generate it like this: diff --git a/STATUS b/STATUS index bc5708f3e1..25e91e5a25 100644 --- a/STATUS +++ b/STATUS @@ -1,6 +1,6 @@ OpenSSL STATUS Last modified at - ______________ $Date: 2000/09/17 15:56:27 $ + ______________ $Date: 2000/09/20 13:45:41 $ DEVELOPMENT STATE 
@@ -37,6 +37,44 @@ aix-gcc (AIX 4.3.2) - passed VMS/Alpha - failed Some things were missing [FIXED] + 0.9.6-beta2 is available: + linux/openbsd (all platforms?) - mod_exp bug + sunos-gcc - passed + aix-gcc - passed + Win32 w/ VC6 or Mingw32 - failed + RAND_poll(), a few uninitialised vars [FIXED] + RAND_poll() should used LoadLibrary instead of + GetModuleHandle [FIXED] + Major compilation problem with VC6 on NT. + [FIXED] + Mingw32 says "175: parse error before `DWORD'" + [FIXED?] + Win32 w/ CygWin - success? + VMS/Alpha 7.1 (CPQ C 5.6-003, TCP/IP 5.0) - success + Just a small warning in dso_vms.c [FIXED] + VMS/Alpha 7.2-1 (CPQ 5.6-003, TCP/IP 5.0A) - success + VMS/VAX 7.2-1 (CPQ 5.2-003, TCP/IP 5.0) - success + hpux-parisc-cc (HP-UX B.11.00) - success + hpux-parisc2-cc (11.00) - success + hpux64-parisc2-cc (11.00) - success + hpux-parisc1_1-cc (11.00) - success + hpux-parisc-cc (10.20 w/ -ldld) - success + hpux-parisc-gcc (10.20 w/ -ldld) - success + hpux-parisc-cc [engine] (10.20 w/ -ldld)- success + hpux-parisc-gcc [endine] (10.20 w/ -ldld)- success + All hpux 10.20 targets succeeded provided -ldl + has been changed to -ldld. + solaris-sparcv9-gcc (2.6/ultra5) - success + solaris-sparcv9-cc (SunOS 5.7 SC3.0) - failed + Complaints about a number of -x parameters to + the compiler and failed to compile an + assembler file. Maybe a too old + compiler? + FreeBSD (2.2.5-RELEASE) - success + alpha-cc [engine] (OSF1 5.0A) - success + irix-mips3-cc [engine] (Irix 6.2) - success + One has to do the same as for OpenBSD in + speed.c [FIXED] o OpenSSL 0.9.5a: Released on April 1st, 2000 o OpenSSL 0.9.5: Released on February 28th, 2000 o OpenSSL 0.9.4: Released on August 09th, 1999 diff --git a/TABLE b/TABLE index d2d06f3b12..359ad0eccb 100644 --- a/TABLE +++ b/TABLE 
@@ -1165,7 +1165,7 @@ $cc = cc $cflags = +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY $unistd = $thread_cflag = -D_REENTRANT -$lflags = -ldl +$lflags = -ldld $bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT $bn_obj = $des_obj = @@ -1225,7 +1225,7 @@ $cc = cc $cflags = +DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY $unistd = $thread_cflag = -D_REENTRANT -$lflags = -ldl +$lflags = -ldld $bn_ops = MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT $bn_obj = $des_obj = @@ -1245,7 +1245,7 @@ $cc = cc $cflags = +DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY $unistd = $thread_cflag = -D_REENTRANT -$lflags = -ldl +$lflags = -ldld $bn_ops = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT $bn_obj = asm/pa-risc2.o $des_obj = @@ -1345,7 +1345,7 @@ $cc = cc $cflags = -Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY $unistd = $thread_cflag = -D_REENTRANT -$lflags = -ldld +$lflags = -ldl $bn_ops = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT $bn_obj = $des_obj = @@ -1356,7 +1356,7 @@ $cast_obj = $rc4_obj = $rmd160_obj = $rc5_obj = -$dso_scheme = dl +$dso_scheme = dlfcn $shared_target= $shared_cflag = @@ -1376,7 +1376,7 @@ $cast_obj = $rc4_obj = $rmd160_obj = $rc5_obj = -$dso_scheme = dl +$dso_scheme = dlfcn $shared_target= $shared_cflag = diff --git a/apps/dgst.c b/apps/dgst.c index dbfa387f33..590f8dc4ee 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -75,7 +75,7 @@ #define PROG dgst_main void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout, - EVP_PKEY *key, unsigned char *sigin, unsigned int siglen); + EVP_PKEY *key, unsigned char *sigin, int siglen); int MAIN(int, char **); 
@@ -98,7 +98,7 @@ int MAIN(int argc, char **argv) char out_bin = -1, want_pub = 0, do_verify = 0; EVP_PKEY *sigkey = NULL; unsigned char *sigbuf = NULL; - unsigned int siglen = 0; + int siglen = 0; char *engine=NULL; apps_startup(); @@ -307,7 +307,7 @@ int MAIN(int argc, char **argv) } siglen = BIO_read(sigbio, sigbuf, siglen); BIO_free(sigbio); - if(siglen == 0) { + if(siglen <= 0) { BIO_printf(bio_err, "Error reading signature file %s\n", sigfile); ERR_print_errors(bio_err); @@ -358,7 +358,7 @@ end: } void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout, - EVP_PKEY *key, unsigned char *sigin, unsigned int siglen) + EVP_PKEY *key, unsigned char *sigin, int siglen) { int len; int i; @@ -372,7 +372,7 @@ void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout, { EVP_MD_CTX *ctx; BIO_get_md_ctx(bp, &ctx); - i = EVP_VerifyFinal(ctx, sigin, siglen, key); + i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key); if(i > 0) BIO_printf(out, "Verified OK\n"); else if(i == 0) BIO_printf(out, "Verification Failure\n"); else diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 2cc9a0caee..95b2c65e2f 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -903,14 +903,14 @@ int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name) break; case V_ASN1_OCTET_STRING: - hex_prin(out, av->value.bit_string->data, - av->value.bit_string->length); + hex_prin(out, av->value.octet_string->data, + av->value.octet_string->length); BIO_printf(out, "\n"); break; case V_ASN1_BIT_STRING: - hex_prin(out, av->value.octet_string->data, - av->value.octet_string->length); + hex_prin(out, av->value.bit_string->data, + av->value.bit_string->length); BIO_printf(out, "\n"); break; diff --git a/apps/speed.c b/apps/speed.c index f4aa784670..dfaa506bb1 100644 --- a/apps/speed.c +++ b/apps/speed.c 
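Review bot: The `(unsigned int)siglen` cast in the do_fp hunk relies entirely on the `siglen <= 0` check in the MAIN hunk, because do_fp itself accepts any int and would turn a negative length into a very large unsigned one. A comment on the prototype, for example `/* siglen must be > 0; the caller checks the BIO_read() result */`, would record that contract. The declaration `int siglen = 0;` also deserves a short comment saying it is signed because it receives the BIO_read() return value, so the type is not "tidied" back to unsigned later. The body of do_fp and the code that sizes sigbuf lie outside these hunks.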
@@ -88,7 +88,7 @@ #elif !defined(MSDOS) && (!defined(VMS) || defined(__DECC)) # define TIMES #endif -#if !defined(_UNICOS) && !defined(__OpenBSD__) +#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) # define TIMEB #endif diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c index ca58ad33d2..8cf1febacc 100644 --- a/crypto/bn/bn_mont.c +++ b/crypto/bn/bn_mont.c @@ -85,16 +85,7 @@ int BN_mod_mul_montgomery(BIGNUM *r, BIGNUM *a, BIGNUM *b, if (a == b) { -#if 1 - bn_wexpand(tmp,a->top*2); - bn_wexpand(tmp2,a->top*4); - bn_sqr_recursive(tmp->d,a->d,a->top,tmp2->d); - tmp->top=a->top*2; - if (tmp->top > 0 && tmp->d[tmp->top-1] == 0) - tmp->top--; -#else if (!BN_sqr(tmp,a,ctx)) goto err; -#endif } else { diff --git a/crypto/bn/bn_sqr.c b/crypto/bn/bn_sqr.c index fe00c5f69a..75f4f38392 100644 --- a/crypto/bn/bn_sqr.c +++ b/crypto/bn/bn_sqr.c @@ -188,7 +188,7 @@ void bn_sqr_normal(BN_ULONG *r, BN_ULONG *a, int n, BN_ULONG *tmp) #ifdef BN_RECURSION /* r is 2*n words in size, - * a and b are both n words in size. + * a and b are both n words in size. (There's not actually a 'b' here ...) * n must be a power of 2. * We multiply and return the result. * t must be 2*n words in size diff --git a/crypto/dso/dso_vms.c b/crypto/dso/dso_vms.c index d2c06ddafa..8ff7090129 100644 --- a/crypto/dso/dso_vms.c +++ b/crypto/dso/dso_vms.c @@ -340,7 +340,7 @@ static void *vms_bind_var(DSO *dso, const char *symname) static DSO_FUNC_TYPE vms_bind_func(DSO *dso, const char *symname) { DSO_FUNC_TYPE sym = 0; - vms_bind_sym(dso, symname, &sym); + vms_bind_sym(dso, symname, (void **)&sym); return sym; } diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index 2ececcd07e..d716f9faeb 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c 
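Review bot: The `a == b` branch of BN_mod_mul_montgomery is now a bare `BN_sqr` call with nothing in the source saying why the faster path was removed, so the shortcut is easy to reintroduce. A comment above the call, such as `/* do not call bn_sqr_recursive directly here: that variant could return incorrect results */`, would keep the reason next to the code; at present only CHANGES records it. A wrong product at this level would presumably propagate into every modular exponentiation built on it, so a regression test that checks the squaring case against an independent computation is worth adding; none is part of this diff. The function body continues outside the hunk.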
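Review bot: The `(void **)&sym` cast in vms_bind_func silences the type mismatch, but it makes vms_bind_sym store a `void *` into the storage of a function pointer, and ISO C does not guarantee the two share a size or representation. Binding into a real object pointer and converting once states the intent more plainly: `void *p = 0; vms_bind_sym(dso, symname, &p); return (DSO_FUNC_TYPE)p;`. Either form should carry a comment that the conversion is a platform assumption. The definition of vms_bind_sym is outside the hunk, so whether it reports failure in a way this caller should check cannot be confirmed from here.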
@@ -172,12 +172,17 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_NO_CONTENT); return 0; } +#if 0 + /* NB: this test commented out because some versions of Netscape + * illegally include zero length content when signing data. + */ /* Check for data and content: two sets of data */ if(!PKCS7_get_detached(p7) && indata) { PKCS7err(PKCS7_F_PKCS7_VERIFY,PKCS7_R_CONTENT_AND_DATA_PRESENT); return 0; } +#endif sinfos = PKCS7_get_signer_info(p7); diff --git a/crypto/rand/rand_win.c b/crypto/rand/rand_win.c index 5ef197341f..d3fe50d341 100644 --- a/crypto/rand/rand_win.c +++ b/crypto/rand/rand_win.c @@ -171,9 +171,13 @@ typedef BOOL (WINAPI *MODULE32)(HANDLE, LPMODULEENTRY32); #include #include +#if 0 /* Some compilers use LMSTR, others (VC6, for example) use LPTSTR. + * This part is disabled until a fix is found. + */ typedef NET_API_STATUS (NET_API_FUNCTION * NETSTATGET) (LMSTR, LMSTR, DWORD, DWORD, LPBYTE*); typedef NET_API_STATUS (NET_API_FUNCTION * NETFREE)(LPBYTE); +#endif /* 0 */ int RAND_poll(void) { 
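Review bot: Compiling out the whole `PKCS7_R_CONTENT_AND_DATA_PRESENT` check in PKCS7_verify is broader than the case the new comment describes. The comment is about zero-length embedded content, but with the `#if 0` in place a non-detached structure carrying real content is also accepted together with caller-supplied `indata`. The caller then cannot tell from the return value which of the two the signature was checked against; the code that selects the content is outside the hunk. Keeping the rejection when the embedded content is non-empty and letting only the empty case through would preserve the interoperability workaround without that ambiguity. A runtime condition would also be easier to audit than dead code behind `#if 0`.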
@@ -184,18 +188,26 @@ int RAND_poll(void) HWND h; HMODULE advapi, kernel, user, netapi; - CRYPTACQUIRECONTEXT acquire; - CRYPTGENRANDOM gen; - CRYPTRELEASECONTEXT release; - NETSTATGET netstatget; - NETFREE netfree; + CRYPTACQUIRECONTEXT acquire = 0; + CRYPTGENRANDOM gen = 0; + CRYPTRELEASECONTEXT release = 0; +#if 0 /* This part is disabled until a fix for the problem with the + * definition of NETSTATGET is found. + */ + NETSTATGET netstatget = 0; + NETFREE netfree = 0; +#endif /* 0 */ /* load functions dynamically - not available on all systems */ - advapi = GetModuleHandle("ADVAPI32.DLL"); - kernel = GetModuleHandle("KERNEL32.DLL"); - user = GetModuleHandle("USER32.DLL"); - netapi = GetModuleHandle("NETAPI32.DLL"); + advapi = LoadLibrary("ADVAPI32.DLL"); + kernel = LoadLibrary("KERNEL32.DLL"); + user = LoadLibrary("USER32.DLL"); + netapi = LoadLibrary("NETAPI32.DLL"); +#if 0 /* This part is disabled until a fix for the problem with the + * definition of NETSTATGET is found. Also, note that VC6 doesn't + * understand strings starting with L". + */ if (netapi) { netstatget = (NETSTATGET) GetProcAddress(netapi,"NetStatisticsGet"); @@ -218,6 +230,13 @@ int RAND_poll(void) } } + if (netapi) + FreeLibrary(netapi); +#endif /* 0 */ + +#if 0 /* It appears like this can cause an exception deep within ADVAPI32.DLL + * at random times. Reported by Jeffrey Altman. + */ /* Read Performance Statistics from NT/2000 registry */ /* The size of the performance data can vary from call to call */ /* so we must guess the size of the buffer to use and increase */ @@ -245,9 +264,10 @@ int RAND_poll(void) RAND_add(&length, sizeof(length), 0); RAND_add(buf, length, 0); } - if ( buf ) + if (buf) free(buf); } +#endif /* 0 */ if (advapi) { @@ -289,6 +309,9 @@ int RAND_poll(void) } } + if (advapi) + FreeLibrary(advapi); + /* timer data */ readtimer(); 
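Review bot: `netapi = LoadLibrary("NETAPI32.DLL");` now runs on every RAND_poll() call, but the only `FreeLibrary(netapi)` was added inside the `#if 0` region that closes in the next hunk, so each call takes a reference on a DLL that is never used and never released. Moving that LoadLibrary call inside the disabled region, or the FreeLibrary out of it, fixes the imbalance. Separately, all four LoadLibrary calls pass a bare file name. The GetModuleHandle calls they replace only looked up modules that were already loaded, whereas LoadLibrary resolves the name through the DLL search path. Building the full path from GetSystemDirectory() would pin the load to the system copy. RAND_poll's body continues outside the hunk.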
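Review bot: The `#if 0` regions opened in the `-184` and `-218` hunks remove the NetStatisticsGet and registry performance-data inputs from RAND_poll() with only "disabled until a fix is found" as a marker, and nothing states what seeding remains when the CryptoAPI path is unavailable. The visible `RAND_add(buf, length, 0)` calls credit zero entropy, so the estimate is presumably unchanged, but the pool still receives less input. A comment in RAND_poll() listing which sources are active and which are disabled (and why) would make that reviewable. A tracked TODO would help more than an open-ended `#if 0`, so the sources are either restored or removed for good.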
@@ -347,6 +370,8 @@ int RAND_poll(void) w = queue(QS_ALLEVENTS); RAND_add(&w, sizeof(w), 0); } + + FreeLibrary(user); } /* Toolhelp32 snapshot: enumerate processes, threads, modules and heap @@ -443,6 +468,8 @@ int RAND_poll(void) CloseHandle(handle); } + + FreeLibrary(kernel); } #ifdef DEBUG @@ -502,11 +529,12 @@ void RAND_screen(void) /* function available for backward compatibility */ /* feed timing information to the PRNG */ static void readtimer(void) { - DWORD w, cyclecount; + DWORD w; LARGE_INTEGER l; static int have_perfc = 1; #ifndef __GNUC__ static int have_tsc = 1; + DWORD cyclecount; if (have_tsc) { __try { diff --git a/doc/crypto/BIO_ctrl.pod b/doc/crypto/BIO_ctrl.pod index acc46db8ce..722e8b8f46 100644 --- a/doc/crypto/BIO_ctrl.pod +++ b/doc/crypto/BIO_ctrl.pod @@ -47,8 +47,8 @@ BIO_reset() typically resets a BIO to some initial state, in the case of file related BIOs for example it rewinds the file pointer to the start of the file. -BIO_seek() resets a file related BIO's file position pointer to B -bytes from start of file. +BIO_seek() resets a file related BIO's (that is file descriptor and +FILE BIOs) file position pointer to B bytes from start of file. BIO_tell() returns the current file position of a file related BIO. @@ -73,10 +73,12 @@ macros which call BIO_ctrl(). =head1 RETURN VALUES -BIO_reset() returns 1 for success and 0 for failure. +BIO_reset() normally returns 1 for success and 0 or -1 for failure. File +BIOs are an exception, they return 0 for success and -1 for failure. BIO_seek() and BIO_tell() both return the current file position on success -and -1 for failure. +and -1 for failure, except file BIOs which for BIO_seek() always return 0 +for success and -1 for failure. BIO_flush() returns 1 for success and 0 or -1 for failure. 
@@ -102,14 +104,24 @@ case of a file BIO some data may be available in the FILE structures internal buffers but it is not possible to determine this in a portably way. For other types of BIO they may not be supported. -Filter BIOs if the do not internally handle a particular BIO_ctrl() +Filter BIOs if they do not internally handle a particular BIO_ctrl() operation usually pass the operation to the next BIO in the chain. This often means there is no need to locate the required BIO for a particular operation, it can be called on a chain and it will -be automatically passed to the relevant BIO. +be automatically passed to the relevant BIO. However this can cause +unexpected results: for example no current filter BIOs implement +BIO_seek(), but this may still succeed if the chain ends in a FILE +or file descriptor BIO. -Source/sink BIOs will return an error if the do not recognize the -BIO_ctrl() operation. +Source/sink BIOs return an 0 if they do not recognize the BIO_ctrl() +operation. + +=head1 BUGS + +Some of the return values are ambiguous and care should be taken. In +particular a return value of 0 can be returned if an operation is not +supported, if an error occurred, if EOF has not been reached and in +the case of BIO_seek() on a file BIO for a successful operation. =head1 SEE ALSO diff --git a/doc/crypto/BIO_s_file.pod b/doc/crypto/BIO_s_file.pod index d449702bff..b2a29263f4 100644 --- a/doc/crypto/BIO_s_file.pod +++ b/doc/crypto/BIO_s_file.pod @@ -38,7 +38,7 @@ BIO_reset() attempts to change the file pointer to the start of file using fseek(stream, 0, 0). BIO_seek() sets the file pointer to position B from start of file -using lseek(stream, ofs, 0). +using fseek(stream, ofs, 0). BIO_eof() calls feof(). 
@@ -105,7 +105,7 @@ Alternative technique: BIO *out; out = BIO_new(BIO_s_file()); if(out == NULL) /* Error ... */ - if(!BIO_read_filename(out, "filename.txt")) /* Error ... */ + if(!BIO_write_filename(out, "filename.txt")) /* Error ... */ BIO_printf(out, "Hello World\n"); BIO_free(out); @@ -127,6 +127,13 @@ BIO_tell() returns the current file position. BIO_read_filename(), BIO_write_filename(), BIO_append_filename() and BIO_rw_filename() return 1 for success or 0 for failure. +=head1 BUGS + +BIO_reset() and BIO_seek() are implemented using fseek() on the underlying +stream. The return value for fseek() is 0 for success or -1 if an error +occurred this differs from other types of BIO which will typically return +1 for success and a non positive value if an error occurred. + =head1 SEE ALSO L, L, diff --git a/doc/crypto/BN_bn2bin.pod b/doc/crypto/BN_bn2bin.pod index 05f9e628cc..c12af9c9f9 100644 --- a/doc/crypto/BN_bn2bin.pod +++ b/doc/crypto/BN_bn2bin.pod @@ -36,7 +36,7 @@ NULL, a new B is created. BN_bn2hex() and BN_bn2dec() return printable strings containing the hexadecimal and decimal encoding of B respectively. For negative numbers, the string is prefaced with a leading '-'. The string must be -Free()d later. +freed later using OPENSSL_free(). BN_hex2bn() converts the string B containing a hexadecimal number to a B and stores it in **B. If *B is NULL, a new diff --git a/doc/crypto/ERR_get_error.pod b/doc/crypto/ERR_get_error.pod index 04074ffa90..3551bacb8d 100644 --- a/doc/crypto/ERR_get_error.pod +++ b/doc/crypto/ERR_get_error.pod @@ -41,7 +41,7 @@ the error occurred in *B and *B, unless these are B. ERR_get_error_line_data() and ERR_peek_error_line_data() store additional data and flags associated with the error code in *B and *B, unless these are B. *B contains a string -if *B&B. If it has been allocated by Malloc(), +if *B&B. If it has been allocated by OPENSSL_malloc(), *B&B is true. =head1 RETURN VALUES 
diff --git a/doc/crypto/EVP_DigestInit.pod b/doc/crypto/EVP_DigestInit.pod index f87377945b..b8a231c642 100644 --- a/doc/crypto/EVP_DigestInit.pod +++ b/doc/crypto/EVP_DigestInit.pod @@ -50,12 +50,12 @@ EVP digest routines The EVP digest routines are a high level interface to message digests. -EVP_DigestInit() initialises a digest context B to use a digest +EVP_DigestInit() initializes a digest context B to use a digest B: this will typically be supplied by a function such as EVP_sha1(). EVP_DigestUpdate() hashes B bytes of data at B into the -digest context B. This funtion can be called several times on the +digest context B. This function can be called several times on the same B to hash additional data. EVP_DigestFinal() retrieves the digest value from B and places @@ -63,7 +63,7 @@ it in B. If the B parameter is not NULL then the number of bytes of data written (i.e. the length of the digest) will be written to the integer at B, at most B bytes will be written. After calling EVP_DigestFinal() no additional calls to EVP_DigestUpdate() -can be made, but EVP_DigestInit() can be called to initialiase a new +can be made, but EVP_DigestInit() can be called to initialize a new digest operation. EVP_MD_CTX_copy() can be used to copy the message digest state from @@ -102,7 +102,7 @@ returns is of zero length. EVP_get_digestbyname(), EVP_get_digestbynid() and EVP_get_digestbyobj() return an B structure when passed a digest name, a digest NID or -an ASN1_OBJECT structure respectively. The digest table must be initialised +an ASN1_OBJECT structure respectively. The digest table must be initialized using, for example, OpenSSL_add_all_digests() for these functions to work. =head1 RETURN VALUES diff --git a/doc/crypto/EVP_EncryptInit.pod b/doc/crypto/EVP_EncryptInit.pod index 447e7f1a92..9afe2396e2 100644 --- a/doc/crypto/EVP_EncryptInit.pod +++ b/doc/crypto/EVP_EncryptInit.pod 
@@ -74,7 +74,7 @@ EVP_CIPHER_asn1_to_param - EVP cipher routines The EVP cipher routines are a high level interface to certain symmetric ciphers. -EVP_EncryptInit() initialises a cipher context B for encryption +EVP_EncryptInit() initializes a cipher context B for encryption with cipher B. B is normally supplied by a function such as EVP_des_cbc() . B is the symmetric key to use and B is the IV to use (if necessary), the actual number of bytes used for the @@ -255,7 +255,7 @@ and the EVP_CIPHER_CTX_set_key_length() function. =item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void), EVP_idea_cbc(void) -IDES encryption algorothm in CBC, ECB, CFB and OFB modes respectively. +IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively. =item EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void) @@ -325,7 +325,7 @@ default key lengths. If custom ciphers exceed these values the results are unpredictable. This is because it has become standard practice to define a generic key as a fixed unsigned char array containing EVP_MAX_KEY_LENGTH bytes. -The ASN1 code is incomplete (and sometimes innacurate) it has only been tested +The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode. =head1 EXAMPLES diff --git a/doc/crypto/EVP_OpenInit.pod b/doc/crypto/EVP_OpenInit.pod index c0e5163e8c..1a3f2e410d 100644 --- a/doc/crypto/EVP_OpenInit.pod +++ b/doc/crypto/EVP_OpenInit.pod @@ -21,7 +21,7 @@ The EVP envelope routines are a high level interface to envelope decryption. They decrypt a public key encrypted symmetric key and then decrypt data using it. -EVP_OpenInit() initialises a cipher context B for decryption +EVP_OpenInit() initializes a cipher context B for decryption with cipher B. It decrypts the encrypted symmetric key of length B bytes passed in the B parameter using the private key B. The IV is supplied in the B parameter. 
@@ -35,7 +35,7 @@ page. It is possible to call EVP_OpenInit() twice in the same way as EVP_DecryptInit(). The first call should have B set to NULL -and (after setting any cipher paramaters) it should be called again +and (after setting any cipher parameters) it should be called again with B set to NULL. If the cipher passed in the B parameter is a variable length diff --git a/doc/crypto/EVP_SealInit.pod b/doc/crypto/EVP_SealInit.pod index 9579e91d2e..f7f7613965 100644 --- a/doc/crypto/EVP_SealInit.pod +++ b/doc/crypto/EVP_SealInit.pod @@ -22,7 +22,7 @@ encryption. They generate a random key and then "envelope" it by using public key encryption. Data can then be encrypted using this key. -EVP_SealInit() initialises a cipher context B for encryption +EVP_SealInit() initializes a cipher context B for encryption with cipher B using a random secret key and IV supplied in the B parameter. B is normally supplied by a function such as EVP_des_cbc(). The secret key is encrypted using one or more public @@ -62,7 +62,7 @@ using public key encryption. It is possible to call EVP_SealInit() twice in the same way as EVP_EncryptInit(). The first call should have B set to 0 -and (after setting any cipher paramaters) it should be called again +and (after setting any cipher parameters) it should be called again with B set to NULL. =head1 SEE ALSO diff --git a/doc/crypto/EVP_SignInit.pod b/doc/crypto/EVP_SignInit.pod index bbc9203c9c..7f9265d0a6 100644 --- a/doc/crypto/EVP_SignInit.pod +++ b/doc/crypto/EVP_SignInit.pod 
@@ -19,12 +19,12 @@ EVP_SignInit, EVP_SignUpdate, EVP_SignFinal - EVP signing functions The EVP signature routines are a high level interface to digital signatures. -EVP_SignInit() initialises a signing context B to using digest +EVP_SignInit() initializes a signing context B to using digest B: this will typically be supplied by a function such as EVP_sha1(). EVP_SignUpdate() hashes B bytes of data at B into the -signature context B. This funtion can be called several times on the +signature context B. This function can be called several times on the same B to include additional data. EVP_SignFinal() signs the data in B using the private key B @@ -32,7 +32,7 @@ and places the signature in B. If the B parameter is not NULL then the number of bytes of data written (i.e. the length of the signature) will be written to the integer at B, at most EVP_PKEY_size(pkey) bytes will be written. After calling EVP_SignFinal() no additional calls to -EVP_SignUpdate() can be made, but EVP_SignInit() can be called to initialiase +EVP_SignUpdate() can be made, but EVP_SignInit() can be called to initialize a new signature operation. EVP_PKEY_size() returns the maximum size of a signature in bytes. The actual diff --git a/doc/crypto/EVP_VerifyInit.pod b/doc/crypto/EVP_VerifyInit.pod index 3b5e07f4ad..76d893b53b 100644 --- a/doc/crypto/EVP_VerifyInit.pod +++ b/doc/crypto/EVP_VerifyInit.pod 
@@ -17,17 +17,17 @@ EVP_VerifyInit, EVP_VerifyUpdate, EVP_VerifyFinal - EVP signature verification f The EVP signature verification routines are a high level interface to digital signatures. -EVP_VerifyInit() initialises a verification context B to using digest +EVP_VerifyInit() initializes a verification context B to using digest B: this will typically be supplied by a function such as EVP_sha1(). EVP_VerifyUpdate() hashes B bytes of data at B into the -verification context B. This funtion can be called several times on the +verification context B. This function can be called several times on the same B to include additional data. EVP_VerifyFinal() verifies the data in B using the public key B and against the B bytes at B. After calling EVP_VerifyFinal() no additional calls to EVP_VerifyUpdate() can be made, but EVP_VerifyInit() -can be called to initialiase a new verification operation. +can be called to initialize a new verification operation. =head1 RETURN VALUES diff --git a/doc/crypto/OPENSSL_VERSION_NUMBER.pod b/doc/crypto/OPENSSL_VERSION_NUMBER.pod index e333b30723..68ea723259 100644 --- a/doc/crypto/OPENSSL_VERSION_NUMBER.pod +++ b/doc/crypto/OPENSSL_VERSION_NUMBER.pod @@ -39,7 +39,7 @@ for example 0x000904100 == 0.9.4 release 0x000905000 == 0.9.5 dev -Version 0.9.5a had an interrim interpretation that is like the current one, +Version 0.9.5a had an interim interpretation that is like the current one, except the patch level got the highest bit set, to keep continuity. The number was therefore 0x0090581f. diff --git a/doc/crypto/OpenSSL_add_all_algorithms.pod b/doc/crypto/OpenSSL_add_all_algorithms.pod index 3f89068001..486c903430 100644 --- a/doc/crypto/OpenSSL_add_all_algorithms.pod +++ b/doc/crypto/OpenSSL_add_all_algorithms.pod 
@@ -44,7 +44,7 @@ by EVP_sha1(). It just needs to add them if it (or any of the functions it calls needs to lookup algorithms. The cipher and digest lookup functions are used in many parts of the library. If -the table is not initialised several functions will misbehave and complain they +the table is not initialized several functions will misbehave and complain they cannot find algorithms. This includes the PEM, PKCS#12, SSL and S/MIME libraries. This is a common query in the OpenSSL mailing lists. diff --git a/doc/crypto/blowfish.pod b/doc/crypto/blowfish.pod index 4320af0809..ba6cc368e8 100644 --- a/doc/crypto/blowfish.pod +++ b/doc/crypto/blowfish.pod @@ -11,9 +11,6 @@ BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options - Blowfish encryption void BF_set_key(BF_KEY *key, int len, const unsigned char *data); - void BF_encrypt(BF_LONG *data,const BF_KEY *key); - void BF_decrypt(BF_LONG *data,const BF_KEY *key); - void BF_ecb_encrypt(const unsigned char *in, unsigned char *out, BF_KEY *key, int enc); void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, @@ -25,6 +22,9 @@ BF_cfb64_encrypt, BF_ofb64_encrypt, BF_options - Blowfish encryption long length, BF_KEY *schedule, unsigned char *ivec, int *num); const char *BF_options(void); + void BF_encrypt(BF_LONG *data,const BF_KEY *key); + void BF_decrypt(BF_LONG *data,const BF_KEY *key); + =head1 DESCRIPTION This library implements the Blowfish cipher, which is invented and described @@ -43,11 +43,6 @@ phase. BF_set_key() sets up the B B using the B bytes long key at B. -BF_encrypt() and BF_decrypt() are the lowest level functions for Blowfish -encryption. They encrypt/decrypt the first 64 bits of the vector pointed by -B, using the key B. These functions should not be used unless you -implement 'modes' of Blowfish. - BF_ecb_encrypt() is the basic Blowfish encryption and decryption function. It encrypts or decrypts the first 64 bits of B using the key B, putting the result in B. B decides if encryption (B) 
@@ -56,37 +51,45 @@ B and B must be 64 bits in length, no less. If they are larger, everything after the first 64 bits is ignored. The mode functions BF_cbc_encrypt(), BF_cfb64_encrypt() and BF_ofb64_encrypt() -all operate on variable length data. They all take an initialisation vector +all operate on variable length data. They all take an initialization vector B which needs to be passed along into the next call of the same function -for the same message. B may be initialised with anything, but the -recipient needs to know what it was initialised with, or it won't be able +for the same message. B may be initialized with anything, but the +recipient needs to know what it was initialized with, or it won't be able to decrypt. Some programs and protocols simplify this, like SSH, where -B is simply initialised to zero. +B is simply initialized to zero. BF_cbc_encrypt() operates of data that is a multiple of 8 bytes long, while BF_cfb64_encrypt() and BF_ofb64_encrypt() are used to encrypt an variable number of bytes (the amount does not have to be an exact multiple of 8). The purpose of the latter two is to simulate stream ciphers, and therefore, they need the parameter B, which is a pointer to an integer where the current -offset in B is stored between calls. This integer must be initialised -to zero when B is initialised. +offset in B is stored between calls. This integer must be initialized +to zero when B is initialized. BF_cbc_encrypt() is the Cipher Block Chaining function for Blowfish. It encrypts or decrypts the 64 bits chunks of B using the key B, putting the result in B. B decides if encryption (BF_ENCRYPT) or decryption (BF_DECRYPT) shall be performed. B must point at an 8 byte -long initialisation vector. +long initialization vector. BF_cfb64_encrypt() is the CFB mode for Blowfish with 64 bit feedback. It encrypts or decrypts the bytes in B using the key B, putting the result in B. B decides if encryption (B) or decryption (B) shall be performed. 
B must point at an -8 byte long initialisation vector. B must point at an integer which must +8 byte long initialization vector. B must point at an integer which must be initially zero. BF_ofb64_encrypt() is the OFB mode for Blowfish with 64 bit feedback. -It uses the same parameters as BF_cfb64_encrypt(), which must be initialised +It uses the same parameters as BF_cfb64_encrypt(), which must be initialized the same way. +BF_encrypt() and BF_decrypt() are the lowest level functions for Blowfish +encryption. They encrypt/decrypt the first 64 bits of the vector pointed by +B, using the key B. These functions should not be used unless you +implement 'modes' of Blowfish. The alternative is to use BF_ecb_encrypt(). +If you still want to use these functions, you should be aware that they take +each 32-bit chunk in host-byte order, which is little-endian on little-endian +platforms and big-endian on big-endian ones. + =head1 RETURN VALUES None of the functions presented here return any value. diff --git a/doc/crypto/bn_internal.pod b/doc/crypto/bn_internal.pod index 5af0c791c8..8da244aed4 100644 --- a/doc/crypto/bn_internal.pod +++ b/doc/crypto/bn_internal.pod @@ -149,7 +149,7 @@ word array B, the B word array B and the B+B word array B. It computes B*B and places the result in B. bn_mul_low_normal(B, B, B, B) operates on the B word -arrays B, B und B. It computes the B low words of +arrays B, B and B. It computes the B low words of B*B and places the result in B. bn_mul_recursive(B, B, B, B, B) operates on the B diff --git a/doc/crypto/buffer.pod b/doc/crypto/buffer.pod index 7088f51bc4..781f5b11ee 100644 --- a/doc/crypto/buffer.pod +++ b/doc/crypto/buffer.pod 
@@ -46,11 +46,11 @@ size. BUF_strdup() copies a null terminated string into a block of allocated memory and returns a pointer to the allocated block. -Unlike the standard C library strdup() this function uses Malloc() and so +Unlike the standard C library strdup() this function uses OPENSSL_malloc() and so should be used in preference to the standard library strdup() because it can be used for memory leak checking or replacing the malloc() function. -The memory allocated from BUF_strdup() should be freed up using the Free() +The memory allocated from BUF_strdup() should be freed up using the OPENSSL_free() function. =head1 RETURN VALUES @@ -68,6 +68,6 @@ L =head1 HISTORY BUF_MEM_new(), BUF_MEM_free() and BUF_MEM_grow() are available in all -versions of SSLeay and OpenSSL. BUF_strdup() was addded in SSLeay 0.8. +versions of SSLeay and OpenSSL. BUF_strdup() was added in SSLeay 0.8. =cut diff --git a/doc/crypto/des.pod b/doc/crypto/des.pod index c553210ef2..ab3e26e9ec 100644 --- a/doc/crypto/des.pod +++ b/doc/crypto/des.pod @@ -130,7 +130,7 @@ earlier versions of the library, des_random_key() did not generate secure keys. Before a DES key can be used, it must be converted into the -architecture dependant I via the +architecture dependent I via the des_set_key_checked() or des_set_key_unchecked() function. des_set_key_checked() will check that the key passed is of odd parity @@ -200,7 +200,7 @@ reusing I for the final encryption. C. This form of Triple-DES is used by the RSAREF library. des_pcbc_encrypt() encrypt/decrypts using the propagating cipher block -chaing mode used by Kerberos v4. Its parameters are the same as +chaining mode used by Kerberos v4. Its parameters are the same as des_ncbc_encrypt(). des_cfb_encrypt() encrypt/decrypts using cipher feedback mode. This 
@@ -241,7 +241,7 @@ compatibility with the MIT Kerberos library. des_read_pw_string() is also available under the name EVP_read_pw_string(). des_read_pw_string() writes the string specified by I to -standarf output, turns echo off and reads in input string from the +standard output, turns echo off and reads in input string from the terminal. The string is returned in I, which must have space for at least I bytes. If I is set, the user is asked for the password twice and unless the two copies match, an error is @@ -268,9 +268,9 @@ input, depending on I, 1, 2, 3 or 4 times. If I is non-NULL, the 8 bytes generated by each pass are written into I. -The following are DES-based tranformations: +The following are DES-based transformations: -des_fcrypt() is a fast version of the unix crypt(3) function. This +des_fcrypt() is a fast version of the Unix crypt(3) function. This version takes only a small amount of space relative to other fast crypt() implementations. This is different to the normal crypt in that the third parameter is the buffer that the return value is diff --git a/doc/crypto/des_modes.pod b/doc/crypto/des_modes.pod index 1aa3ac763b..36b77c454d 100644 --- a/doc/crypto/des_modes.pod +++ b/doc/crypto/des_modes.pod @@ -6,7 +6,7 @@ Modes of DES - the variants of DES and other crypto algorithms of OpenSSL =head1 DESCRIPTION -Several crypto algorithms fo OpenSSL can be used in a number of modes. Those +Several crypto algorithms for OpenSSL can be used in a number of modes. Those are used for using block ciphers in a way similar to stream ciphers, among other things. 
@@ -165,13 +165,13 @@ only one bit to be in error in the deciphered plaintext. =item * -OFB mode is not self-synchronising. If the two operation of +OFB mode is not self-synchronizing. If the two operation of encipherment and decipherment get out of synchronism, the system needs -to be re-initialised. +to be re-initialized. =item * -Each re-initialisation should use a value of the start variable +Each re-initialization should use a value of the start variable different from the start variable values used before with the same key. The reason for this is that an identical bit stream would be produced each time from the same parameters. This would be diff --git a/doc/crypto/err.pod b/doc/crypto/err.pod index b824c92b57..264e30103d 100644 --- a/doc/crypto/err.pod +++ b/doc/crypto/err.pod @@ -143,7 +143,7 @@ The closing #endif etc will be automatically added by the script. The generated C error code file B will load the header files B, B and B so the -header file must load any additional header files containg any +header file must load any additional header files containing any definitions it uses. =head1 USING ERROR CODES IN EXTERNAL LIBRARIES diff --git a/doc/crypto/lhash.pod b/doc/crypto/lhash.pod index af2c9a7102..4e87aee824 100644 --- a/doc/crypto/lhash.pod +++ b/doc/crypto/lhash.pod @@ -102,7 +102,7 @@ The following description is based on the SSLeay documentation: The B library implements a hash table described in the I in 1991. What makes this hash table different is that as the table fills, the hash table is increased (or -decreased) in size via Realloc(). When a 'resize' is done, instead of +decreased) in size via OPENSSL_realloc(). When a 'resize' is done, instead of all hashes being redistributed over twice as many 'buckets', one bucket is split. So when an 'expand' is done, there is only a minimal cost to redistribute some values. Subsequent inserts will cause more diff --git a/doc/crypto/rsa.pod b/doc/crypto/rsa.pod index 0bbb57dde7..ef0d4df205 100644 
--- a/doc/crypto/rsa.pod +++ b/doc/crypto/rsa.pod @@ -97,7 +97,7 @@ SSL, PKCS #1 v2.0 =head1 PATENTS -RSA is covered by a US patent which expires in September 2000. +RSA was covered by a US patent which expired in September 2000. =head1 SEE ALSO diff --git a/doc/crypto/threads.pod b/doc/crypto/threads.pod index 7fa18aa443..bc7ff9b705 100644 --- a/doc/crypto/threads.pod +++ b/doc/crypto/threads.pod @@ -53,7 +53,7 @@ OpenSSL can safely be used in multi-threaded applications provided that at least two callback functions are set. locking_function(int mode, int n, const char *file, int line) is -needed to perform locking on shared data stuctures. Multi-threaded +needed to perform locking on shared data structures. Multi-threaded applications will crash at random if it is not set. locking_function() must be able to handle up to CRYPTO_num_locks() @@ -89,7 +89,7 @@ dyn_create_function(const char *file, int line) is needed to create a lock. Multi-threaded applications might crash at random if it is not set. dyn_lock_function(int mode, CRYPTO_dynlock *l, const char *file, int line) -is needed to perform locking off dynamic lock nunmbered n. Multi-threaded +is needed to perform locking off dynamic lock numbered n. Multi-threaded applications might crash at random if it is not set. dyn_destroy_function(CRYPTO_dynlock *l, const char *file, int line) is diff --git a/doc/openssl.txt b/doc/openssl.txt index e8c0cd7ea6..5da519e7e4 100644 --- a/doc/openssl.txt +++ b/doc/openssl.txt 
@@ -507,6 +507,47 @@ details about the structures returned. The returned structure should be freed after use using the relevant free function, BASIC_CONSTRAINTS_free() for example. +void * X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx); +void * X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx); +void * X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx); +void * X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx); + +These functions combine the operations of searching for extensions and +parsing them. They search a certificate, a CRL a CRL entry or a stack +of extensions respectively for extension whose NID is 'nid' and return +the parsed result of NULL if an error occurred. For example: + +BASIC_CONSTRAINTS *bs; +bs = X509_get_ext_d2i(cert, NID_basic_constraints, NULL, NULL); + +This will search for the basicConstraints extension and either return +it value or NULL. NULL can mean either the extension was not found, it +occurred more than once or it could not be parsed. + +If 'idx' is NULL then an extension is only parsed if it occurs precisely +once. This is standard behaviour because extensions normally cannot occur +more than once. If however more than one extension of the same type can +occur it can be used to parse successive extensions for example: + +int i; +void *ext; + +i = -1; +for(;;) { + ext = X509_get_ext_d2i(x, nid, crit, &idx); + if(ext == NULL) break; + /* Do something with ext */ +} + +If 'crit' is not NULL and the extension was found then the int it points to +is set to 1 for critical extensions and 0 for non critical. Therefore if the +function returns NULL but 'crit' is set to 0 or 1 then the extension was +found but it could not be parsed. + +The int pointed to by crit will be set to -1 if the extension was not found +and -2 if the extension occurred more than once (this will only happen if +idx is NULL). In both cases the function will return NULL. + 3. Generating extensions. 
An extension will typically be generated from a configuration file, or some diff --git a/doc/ssl/SSL_clear.pod b/doc/ssl/SSL_clear.pod index 1d80b45f0c..862fd8291d 100644 --- a/doc/ssl/SSL_clear.pod +++ b/doc/ssl/SSL_clear.pod @@ -8,7 +8,7 @@ SSL_clear - reset SSL object to allow another connection #include - int *SSL_clear(SSL *ssl); + int SSL_clear(SSL *ssl); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_set_session.pod b/doc/ssl/SSL_set_session.pod index 447f5d4acc..9f78d9e434 100644 --- a/doc/ssl/SSL_set_session.pod +++ b/doc/ssl/SSL_set_session.pod @@ -8,7 +8,7 @@ SSL_set_session - set a TLS/SSL session to be used during TLS/SSL connect #include - int *SSL_set_session(SSL *ssl, SSL_SESSION *session); + int SSL_set_session(SSL *ssl, SSL_SESSION *session); =head1 DESCRIPTION
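Review bot: The loop example added in the doc/openssl.txt hunk declares and initialises `i` (`int i;` ... `i = -1;`) but passes `&idx` to X509_get_ext_d2i(), so as written `idx` is undeclared and never gets the starting value; presumably the two lines should read `int idx;` and `idx = -1;`. The first example also passes NULL for `crit`, while the text says a NULL return can mean the extension was not found, occurred more than once, or could not be parsed, so a caller making a trust decision on basicConstraints cannot tell an absent extension from a malformed one. It is worth adding a sentence that recommends `bs = X509_get_ext_d2i(cert, NID_basic_constraints, &crit, NULL);` and treating a NULL return with `crit != -1` as an error rather than as "no extension". Separately, "return the parsed result of NULL" in the same hunk presumably should read "or NULL".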