mirror of https://github.com/openssl/openssl
Fix typos
Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17392)
This commit is contained in:
parent
e66c41725f
commit
e304aa87b3
|
@ -603,7 +603,7 @@ my @disable_cascades = (
|
|||
# Without shared libraries, dynamic engines aren't possible.
|
||||
# This is due to them having to link with libcrypto and register features
|
||||
# using the ENGINE functionality, and since that relies on global tables,
|
||||
# those *have* to be exacty the same as the ones accessed from the app,
|
||||
# those *have* to be exactly the same as the ones accessed from the app,
|
||||
# which cannot be guaranteed if shared libraries aren't present.
|
||||
# (note that even with shared libraries, both the app and dynamic engines
|
||||
# must be linked with the same library)
|
||||
|
@ -1800,7 +1800,7 @@ my %skipdir = ();
|
|||
my %disabled_info = (); # For configdata.pm
|
||||
foreach my $what (sort keys %disabled) {
|
||||
# There are deprecated disablables that translate to themselves.
|
||||
# They cause disabling cascades, but should otherwise not regiter.
|
||||
# They cause disabling cascades, but should otherwise not register.
|
||||
next if $deprecated_disablables{$what};
|
||||
# The generated $disabled{"deprecated-x.y"} entries are special
|
||||
# and treated properly elsewhere
|
||||
|
|
|
@ -1597,7 +1597,7 @@ working incorrectly. If you think you encountered a bug, please
|
|||
Along with a short description of the bug, please provide the complete
|
||||
configure command line and the relevant output including the error message.
|
||||
|
||||
Note: To make the output readable, pleace add a 'code fence' (three backquotes
|
||||
Note: To make the output readable, please add a 'code fence' (three backquotes
|
||||
` ``` ` on a separate line) before and after your output:
|
||||
|
||||
```
|
||||
|
|
|
@ -8,7 +8,7 @@ The ENGINE API was introduced in OpenSSL version 0.9.6 as a low level
|
|||
interface for adding alternative implementations of cryptographic
|
||||
primitives, most notably for integrating hardware crypto devices.
|
||||
|
||||
The ENGINE interface has its limitations and it has been superseeded
|
||||
The ENGINE interface has its limitations and it has been superseded
|
||||
by the [PROVIDER API](README-PROVIDERS.md), it is deprecated in OpenSSL
|
||||
version 3.0. The following documentation is retained as an aid for
|
||||
users who need to maintain or support existing ENGINE implementations.
|
||||
|
|
|
@ -1115,7 +1115,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
|
|||
if (opt_grant_implicitconf)
|
||||
(void)OSSL_CMP_SRV_CTX_set_grant_implicit_confirm(srv_ctx, 1);
|
||||
|
||||
if (opt_failure != INT_MIN) { /* option has been set explicity */
|
||||
if (opt_failure != INT_MIN) { /* option has been set explicitly */
|
||||
if (opt_failure < 0 || OSSL_CMP_PKIFAILUREINFO_MAX < opt_failure) {
|
||||
CMP_err1("-failure out of range, should be >= 0 and <= %d",
|
||||
OSSL_CMP_PKIFAILUREINFO_MAX);
|
||||
|
|
|
@ -94,7 +94,7 @@ int http_server_get_asn1_req(const ASN1_ITEM *it, ASN1_VALUE **preq,
|
|||
* Send an ASN.1-formatted HTTP response
|
||||
* cbio: destination BIO (typically as returned by http_server_get_asn1_req())
|
||||
* note: cbio should not do an encoding that changes the output length
|
||||
* keep_alive: grant persistent connnection
|
||||
* keep_alive: grant persistent connection
|
||||
* content_type: string identifying the type of the response
|
||||
* it: the response ASN.1 type
|
||||
* resp: the response to send
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
# Unix form /VOLUME/DIR1/DIR2/FILE, which is what VMS perl supports
|
||||
# for 'use lib'.
|
||||
|
||||
# Start with spliting the native path
|
||||
# Start with splitting the native path
|
||||
(my $vol, my $dirs, my $file) = File::Spec->splitpath($path);
|
||||
my @dirs = File::Spec->splitdir($dirs);
|
||||
|
||||
|
@ -88,7 +88,7 @@ unless (caller) {
|
|||
if (scalar @ARGV == 0) {
|
||||
# With no arguments, re-create the build file
|
||||
# We do that in two steps, where the first step emits perl
|
||||
# snipets.
|
||||
# snippets.
|
||||
|
||||
my $buildfile = $target{build_file};
|
||||
my $buildfile_template = "$buildfile.in";
|
||||
|
|
|
@ -417,7 +417,7 @@ ___
|
|||
# If lsize < 3*16 bytes, treat them as the tail, interleave the
|
||||
# two blocks AES instructions.
|
||||
# There is one special case, if the original input data size dsize
|
||||
# = 16 bytes, we will treat it seperately to improve the
|
||||
# = 16 bytes, we will treat it separately to improve the
|
||||
# performance: one independent code block without LR, FP load and
|
||||
# store, just looks like what the original ECB implementation does.
|
||||
|
||||
|
@ -2162,7 +2162,7 @@ ___
|
|||
# will be processed specially, which be integrated into the 5*16 bytes
|
||||
# loop to improve the efficiency.
|
||||
# There is one special case, if the original input data size dsize
|
||||
# = 16 bytes, we will treat it seperately to improve the
|
||||
# = 16 bytes, we will treat it separately to improve the
|
||||
# performance: one independent code block without LR, FP load and
|
||||
# store.
|
||||
# Encryption will process the (length -tailcnt) bytes as mentioned
|
||||
|
@ -3495,7 +3495,7 @@ $code.=<<___ if ($flavour =~ /64/);
|
|||
cbnz x2,.Lxts_dec_1st_done
|
||||
vld1.32 {$dat0},[$inp],#16
|
||||
|
||||
// Decrypt the last secod block to get the last plain text block
|
||||
// Decrypt the last second block to get the last plain text block
|
||||
.Lxts_dec_1st_done:
|
||||
eor $tmpin,$dat0,$iv1
|
||||
ldr $rounds,[$key1,#240]
|
||||
|
|
|
@ -88,7 +88,7 @@ ___
|
|||
# specified in the original algorithm as according to the Lemma 1 from the paper
|
||||
# [2], the result will be always < 2*m and can be used as a direct input to
|
||||
# the next AMM iteration. This post-condition is true, provided the correct
|
||||
# parameter |s| (notion of the Lemma 1 from [2]) is choosen, i.e. s >= n + 2 * k,
|
||||
# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e. s >= n + 2 * k,
|
||||
# which matches our case: 1040 > 1024 + 2 * 1.
|
||||
#
|
||||
# [1] Gueron, S. Efficient software implementations of modular exponentiation.
|
||||
|
|
|
@ -75,7 +75,7 @@ if ($avx512ifma>0) {{{
|
|||
# specified in the original algorithm as according to the Lemma 1 from the paper
|
||||
# [2], the result will be always < 2*m and can be used as a direct input to
|
||||
# the next AMM iteration. This post-condition is true, provided the correct
|
||||
# parameter |s| (notion of the Lemma 1 from [2]) is choosen, i.e. s >= n + 2 * k,
|
||||
# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e. s >= n + 2 * k,
|
||||
# which matches our case: 1560 > 1536 + 2 * 1.
|
||||
#
|
||||
# [1] Gueron, S. Efficient software implementations of modular exponentiation.
|
||||
|
|
|
@ -72,7 +72,7 @@ if ($avx512ifma>0) {{{
|
|||
# specified in the original algorithm as according to the Lemma 1 from the paper
|
||||
# [2], the result will be always < 2*m and can be used as a direct input to
|
||||
# the next AMM iteration. This post-condition is true, provided the correct
|
||||
# parameter |s| (notion of the Lemma 1 from [2]) is choosen, i.e. s >= n + 2 * k,
|
||||
# parameter |s| (notion of the Lemma 1 from [2]) is chosen, i.e. s >= n + 2 * k,
|
||||
# which matches our case: 2080 > 2048 + 2 * 1.
|
||||
#
|
||||
# [1] Gueron, S. Efficient software implementations of modular exponentiation.
|
||||
|
|
|
@ -598,7 +598,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
|
|||
break;
|
||||
}
|
||||
ossl_cmp_debug(ctx,
|
||||
"sucessfully validated PBM-based CMP message protection");
|
||||
"successfully validated PBM-based CMP message protection");
|
||||
return 1;
|
||||
}
|
||||
ossl_cmp_warn(ctx, "verifying PBM-based CMP message protection failed");
|
||||
|
@ -628,7 +628,7 @@ int OSSL_CMP_validate_msg(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)
|
|||
/* use ctx->srvCert for signature check even if not acceptable */
|
||||
if (verify_signature(ctx, msg, scrt)) {
|
||||
ossl_cmp_debug(ctx,
|
||||
"sucessfully validated signature-based CMP message protection");
|
||||
"successfully validated signature-based CMP message protection");
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
@ -668,7 +668,7 @@ static int check_transactionID_or_nonce(ASN1_OCTET_STRING *expected,
|
|||
* Any msg->extraCerts are prepended to ctx->untrusted.
|
||||
*
|
||||
* Ensures that:
|
||||
* its sender is of appropriate type (curently only X509_NAME) and
|
||||
* its sender is of appropriate type (currently only X509_NAME) and
|
||||
* matches any expected sender or srvCert subject given in the ctx
|
||||
* it has a valid body type
|
||||
* its protection is valid (or invalid/absent, but only if a callback function
|
||||
|
|
|
@ -402,7 +402,7 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index,
|
|||
* The alloc call ensures there's a value there. We release the ctx->lock
|
||||
* for this, because the allocation itself may recursively call
|
||||
* ossl_lib_ctx_get_data for other indexes (never this one). The allocation
|
||||
* will itself aquire the ctx->lock when it actually comes to store the
|
||||
* will itself acquire the ctx->lock when it actually comes to store the
|
||||
* allocated data (see ossl_lib_ctx_generic_new() above). We call
|
||||
* ossl_crypto_alloc_ex_data_intern() here instead of CRYPTO_alloc_ex_data().
|
||||
* They do the same thing except that the latter calls CRYPTO_get_ex_data()
|
||||
|
|
|
@ -272,7 +272,7 @@ int ossl_ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point,
|
|||
}
|
||||
|
||||
/*
|
||||
* The first octet is the point converison octet PC, see X9.62, page 4
|
||||
* The first octet is the point conversion octet PC, see X9.62, page 4
|
||||
* and section 4.4.2. It must be:
|
||||
* 0x00 for the point at infinity
|
||||
* 0x02 or 0x03 for compressed form
|
||||
|
|
|
@ -523,7 +523,7 @@ static int encoder_process(struct encoder_process_data_st *data)
|
|||
|
||||
OSSL_TRACE_BEGIN(ENCODER) {
|
||||
BIO_printf(trc_out,
|
||||
"[%d] Skipping because recusion level %d failed\n",
|
||||
"[%d] Skipping because recursion level %d failed\n",
|
||||
data->level, new_data.level);
|
||||
} OSSL_TRACE_END(ENCODER);
|
||||
}
|
||||
|
|
|
@ -2153,7 +2153,7 @@ static const struct translation_st evp_pkey_ctx_translations[] = {
|
|||
OSSL_ASYM_CIPHER_PARAM_OAEP_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md },
|
||||
/*
|
||||
* The "rsa_oaep_label" ctrl_str expects the value to always be hex.
|
||||
* This is accomodated by default_fixup_args() above, which mimics that
|
||||
* This is accommodated by default_fixup_args() above, which mimics that
|
||||
* expectation for any translation item where |ctrl_str| is NULL and
|
||||
* |ctrl_hexstr| is non-NULL.
|
||||
*/
|
||||
|
|
|
@ -239,7 +239,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
|
|||
* This might be requested by a later call to EVP_MD_CTX_get0_md().
|
||||
* In that case the "explicit fetch" rules apply for that
|
||||
* function (as per man pages), i.e. the ref count is not updated
|
||||
* so the EVP_MD should not be used beyound the lifetime of the
|
||||
* so the EVP_MD should not be used beyond the lifetime of the
|
||||
* EVP_MD_CTX.
|
||||
*/
|
||||
ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props);
|
||||
|
|
|
@ -435,7 +435,7 @@ static int generate_q_fips186_2(BN_CTX *ctx, BIGNUM *q, const EVP_MD *evpmd,
|
|||
}
|
||||
if (r != 0)
|
||||
goto err; /* Exit if error */
|
||||
/* Try another iteration if it wasnt prime - was in old code.. */
|
||||
/* Try another iteration if it wasn't prime - was in old code.. */
|
||||
generate_seed = 1;
|
||||
}
|
||||
err:
|
||||
|
|
|
@ -58,7 +58,7 @@ struct sockaddr_un {
|
|||
/*
|
||||
* HPNS:
|
||||
*
|
||||
* Our current MQ 5.3 EGD requies compatability-mode sockets
|
||||
* Our current MQ 5.3 EGD requires compatability-mode sockets
|
||||
* This code forces the mode to compatibility if required
|
||||
* and then restores the mode.
|
||||
*
|
||||
|
|
|
@ -1103,7 +1103,7 @@ int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen)
|
|||
if (!evp_pkey_ctx_set_params_strict(ctx, rsa_params))
|
||||
return 0;
|
||||
|
||||
/* Ownership is supposed to be transfered to the callee. */
|
||||
/* Ownership is supposed to be transferred to the callee. */
|
||||
OPENSSL_free(label);
|
||||
return 1;
|
||||
}
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
|
||||
/*
|
||||
* Issuer Sign Tool (1.2.643.100.112) The name of the tool used to signs the subject (ASN1_SEQUENCE)
|
||||
* This extention is required to obtain the status of a qualified certificate at Russian Federation.
|
||||
* This extension is required to obtain the status of a qualified certificate at Russian Federation.
|
||||
* RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
|
||||
* Russian Federal Law 63 "Digital Sign" is available here: http://www.consultant.ru/document/cons_doc_LAW_112701/
|
||||
*/
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
|
||||
/*
|
||||
* Subject Sign Tool (1.2.643.100.111) The name of the tool used to signs the subject (UTF8String)
|
||||
* This extention is required to obtain the status of a qualified certificate at Russian Federation.
|
||||
* This extension is required to obtain the status of a qualified certificate at Russian Federation.
|
||||
* RFC-style description is available here: https://tools.ietf.org/html/draft-deremin-rfc4491-bis-04#section-5
|
||||
* Russian Federal Law 63 "Digital Sign" is available here: http://www.consultant.ru/document/cons_doc_LAW_112701/
|
||||
*/
|
||||
|
|
|
@ -47,7 +47,7 @@ static int x509v3_add_len_value(const char *name, const char *value,
|
|||
if (name != NULL && (tname = OPENSSL_strdup(name)) == NULL)
|
||||
goto err;
|
||||
if (value != NULL) {
|
||||
/* We don't allow embeded NUL characters */
|
||||
/* We don't allow embedded NUL characters */
|
||||
if (memchr(value, 0, vallen) != NULL)
|
||||
goto err;
|
||||
tvalue = OPENSSL_strndup(value, vallen);
|
||||
|
|
|
@ -170,7 +170,7 @@ static int x509_pubkey_ex_d2i_ex(ASN1_VALUE **pval,
|
|||
|
||||
/*
|
||||
* Try to decode with legacy method first. This ensures that engines
|
||||
* aren't overriden by providers.
|
||||
* aren't overridden by providers.
|
||||
*/
|
||||
if ((ret = x509_pubkey_decode(&pubkey->pkey, pubkey)) == -1) {
|
||||
/* -1 indicates a fatal error, like malloc failure */
|
||||
|
|
|
@ -85,7 +85,7 @@ int main(int argc, char **argv)
|
|||
goto end;
|
||||
}
|
||||
|
||||
/* GMAC requries a GCM mode cipher to be specified */
|
||||
/* GMAC requires a GCM mode cipher to be specified */
|
||||
*p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER,
|
||||
"AES-128-GCM", 0);
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
Auxilliary files for dev/release.sh
|
||||
Auxillary files for dev/release.sh
|
||||
===================================
|
||||
|
||||
- release-state-fn.sh
|
||||
|
|
|
@ -224,7 +224,7 @@ elif $force; then
|
|||
:
|
||||
else
|
||||
echo >&2 "Not in master or any recognised release branch"
|
||||
echo >&2 "Please 'git checkout' an approprite branch"
|
||||
echo >&2 "Please 'git checkout' an appropriate branch"
|
||||
exit 1
|
||||
fi
|
||||
orig_HEAD=$(git rev-parse HEAD)
|
||||
|
@ -369,7 +369,7 @@ for fixup in "$HERE/dev/release-aux"/fixup-*-release.pl; do
|
|||
perl -pi $fixup $file
|
||||
done
|
||||
|
||||
$VERBOSE "== Comitting updates and tagging"
|
||||
$VERBOSE "== Committing updates and tagging"
|
||||
git add -u
|
||||
git commit $git_quiet -m "Prepare for release of $release_text"
|
||||
if [ -n "$reviewers" ]; then
|
||||
|
|
|
@ -155,7 +155,7 @@ on multiple lines; each entry should use B<OPT_MORE_STR>, like this:
|
|||
{OPT_MORE_STR, 0, 0,
|
||||
"This flag is not really needed on Unix systems"},
|
||||
{OPT_MORE_STR, 0, 0,
|
||||
"(Unix and descendents for ths win!)"}
|
||||
"(Unix and descendents for the win!)"}
|
||||
|
||||
Each subsequent line will be indented the correct amount.
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ ossl_random_add_conf_module - internal random configuration module
|
|||
|
||||
ossl_random_add_conf_module() adds the random configuration module
|
||||
for providers.
|
||||
This allows the type and parameters of the stardard setup of random number
|
||||
This allows the type and parameters of the standard setup of random number
|
||||
generators to be configured with an OpenSSL L<config(5)> file.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
|
|
@ -19,7 +19,7 @@ private/public key pairs, but has had other uses as well.
|
|||
|
||||
=for comment "uses" could as well be "abuses"...
|
||||
|
||||
The private/public key pair that an B<EVP_PKEY> contains is refered to
|
||||
The private/public key pair that an B<EVP_PKEY> contains is referred to
|
||||
as its "internal key" or "origin" (the reason for "origin" is
|
||||
explained further down, in L</Export cache for provider operations>),
|
||||
and it can take one of the following forms:
|
||||
|
|
|
@ -278,7 +278,7 @@ RFC5114 names "dh_1024_160", "dh_2048_224", "dh_2048_256".
|
|||
|
||||
If this option is set, then the appropriate RFC5114 parameters are used
|
||||
instead of generating new parameters. The value I<num> can be one of
|
||||
1, 2 or 3 that are equivalant to using the option B<group> with one of
|
||||
1, 2 or 3 that are equivalent to using the option B<group> with one of
|
||||
"dh_1024_160", "dh_2048_224" or "dh_2048_256".
|
||||
All other options will be ignored if this value is set.
|
||||
|
||||
|
@ -333,7 +333,7 @@ The B<algorithm> option must be B<"DH">.
|
|||
=item "default"
|
||||
|
||||
Selects a default type based on the B<algorithm>. This is used by the
|
||||
OpenSSL default provider to set the type for backwards compatability.
|
||||
OpenSSL default provider to set the type for backwards compatibility.
|
||||
If B<algorithm> is B<"DH"> then B<"generator"> is used.
|
||||
If B<algorithm> is B<"DHX"> then B<"fips186_2"> is used.
|
||||
|
||||
|
|
|
@ -274,7 +274,7 @@ See L<openssl-format-options(1)> for details.
|
|||
|
||||
=item B<-pass> I<arg>
|
||||
|
||||
the private key and certifiate file password source.
|
||||
the private key and certificate file password source.
|
||||
For more information about the format of I<arg>
|
||||
see L<openssl-passphrase-options(1)>.
|
||||
|
||||
|
|
|
@ -92,7 +92,7 @@ It does not have a negative trust attribute rejecting the given use.
|
|||
=item *
|
||||
|
||||
It has a positive trust attribute accepting the given use
|
||||
or (by default) one of the following compatibilty conditions apply:
|
||||
or (by default) one of the following compatibility conditions apply:
|
||||
It is self-signed or the B<-partial_chain> option is given
|
||||
(which corresponds to the B<X509_V_FLAG_PARTIAL_CHAIN> flag being set).
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
=head1 NAME
|
||||
|
||||
ASN1_AUX, ASN1_PRINT_ARG, ASN1_STREAM_ARG, ASN1_aux_cb, ASN1_aux_const_cb
|
||||
- ASN.1 auxilliary data
|
||||
- ASN.1 auxiliary data
|
||||
|
||||
=head1 SYNOPSIS
|
||||
|
||||
|
@ -45,7 +45,7 @@ ASN.1 data structures can be associated with an B<ASN1_AUX> object to supply
|
|||
additional information about the ASN.1 structure. An B<ASN1_AUX> structure is
|
||||
associated with the structure during the definition of the ASN.1 template. For
|
||||
example an B<ASN1_AUX> structure will be associated by using one of the various
|
||||
ASN.1 template definition macros that supply auxilliary information such as
|
||||
ASN.1 template definition macros that supply auxiliary information such as
|
||||
ASN1_SEQUENCE_enc(), ASN1_SEQUENCE_ref(), ASN1_SEQUENCE_cb_const_cb(),
|
||||
ASN1_SEQUENCE_const_cb(), ASN1_SEQUENCE_cb() or ASN1_NDEF_SEQUENCE_cb().
|
||||
|
||||
|
|
|
@ -62,7 +62,7 @@ I<algor2> are ignored if they are NULL.
|
|||
ASN1_item_sign() is similar to ASN1_item_sign_ex() but uses default values of
|
||||
NULL for the I<id>, I<libctx> and I<propq>.
|
||||
|
||||
ASN1_item_sign_ctx() is similiar to ASN1_item_sign() but uses the parameters
|
||||
ASN1_item_sign_ctx() is similar to ASN1_item_sign() but uses the parameters
|
||||
contained in digest context I<ctx>.
|
||||
|
||||
ASN1_item_verify_ex() is used to verify the signature I<signature> of internal
|
||||
|
@ -77,7 +77,7 @@ See EVP_PKEY_CTX_set1_id() for further info.
|
|||
ASN1_item_verify() is similar to ASN1_item_verify_ex() but uses default values of
|
||||
NULL for the I<id>, I<libctx> and I<propq>.
|
||||
|
||||
ASN1_item_verify_ctx() is similiar to ASN1_item_verify() but uses the parameters
|
||||
ASN1_item_verify_ctx() is similar to ASN1_item_verify() but uses the parameters
|
||||
contained in digest context I<ctx>.
|
||||
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ libcrypto into a provider supply an OSSL_CORE_BIO parameter. This represents
|
|||
a BIO within libcrypto, but cannot be used directly by a provider. Instead it
|
||||
should be wrapped using a BIO_s_core().
|
||||
|
||||
Once a BIO is contructed based on BIO_s_core(), the associated OSSL_CORE_BIO
|
||||
Once a BIO is constructed based on BIO_s_core(), the associated OSSL_CORE_BIO
|
||||
object should be set on it using BIO_set_data(3). Note that the BIO will only
|
||||
operate correctly if it is associated with a library context constructed using
|
||||
OSSL_LIB_CTX_new_from_dispatch(3). To associate the BIO with a library context
|
||||
|
|
|
@ -59,7 +59,7 @@ BN_rand() is the same as BN_rand_ex() except that the default library context
|
|||
is always used.
|
||||
|
||||
BN_rand_range_ex() generates a cryptographically strong pseudo-random
|
||||
number I<rnd>, of security stength at least I<strength> bits,
|
||||
number I<rnd>, of security strength at least I<strength> bits,
|
||||
in the range 0 E<lt>= I<rnd> E<lt> I<range> using the random number
|
||||
generator for the library context associated with I<ctx>. The parameter I<ctx>
|
||||
may be NULL in which case the default library context is used.
|
||||
|
|
|
@ -34,7 +34,7 @@ as determined by calling CONF_get1_default_config_file().
|
|||
If B<appname> is NULL the standard OpenSSL application name B<openssl_conf> is
|
||||
used.
|
||||
The behaviour can be customized using B<flags>. Note that, the error suppressing
|
||||
can be overriden by B<config_diagnostics> as described in L<config(5)>.
|
||||
can be overridden by B<config_diagnostics> as described in L<config(5)>.
|
||||
|
||||
CONF_modules_load_file() is the same as CONF_modules_load_file_ex() but
|
||||
has a NULL library context.
|
||||
|
|
|
@ -40,7 +40,7 @@ see L<openssl_user_macros(7)>:
|
|||
|
||||
All of the functions described on this page are deprecated.
|
||||
Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
|
||||
return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
|
||||
return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more information.
|
||||
|
||||
A DH object contains the parameters I<p>, I<q> and I<g>. Note that the I<q>
|
||||
parameter is optional. It also contains a public key (I<pub_key>) and
|
||||
|
|
|
@ -668,7 +668,7 @@ Note that the block size for a cipher may be different to the block size for
|
|||
the underlying encryption/decryption primitive.
|
||||
For example AES in CTR mode has a block size of 1 (because it operates like a
|
||||
stream cipher), even though AES has a block size of 16.
|
||||
Use EVP_CIPHER_get_block_size() to retreive the cached value.
|
||||
Use EVP_CIPHER_get_block_size() to retrieve the cached value.
|
||||
|
||||
=item "aead" (B<OSSL_CIPHER_PARAM_AEAD>) <integer>
|
||||
|
||||
|
|
|
@ -124,7 +124,7 @@ otherwise 0.
|
|||
|
||||
EVP_KEYMGMT_get0_name() returns the algorithm name, or NULL on error.
|
||||
|
||||
EVP_KEYMGMT_get0_description() returns a pointer to a decription, or NULL if
|
||||
EVP_KEYMGMT_get0_description() returns a pointer to a description, or NULL if
|
||||
there isn't one.
|
||||
|
||||
EVP_KEYMGMT_gettable_params(), EVP_KEYMGMT_settable_params() and
|
||||
|
|
|
@ -21,7 +21,7 @@ EVP_PKEY2PKCS8() converts a private key I<pkey> into a returned PKCS8 object.
|
|||
EVP_PKCS82PKEY_ex() converts a PKCS8 object I<p8> into a returned private key.
|
||||
It uses I<libctx> and I<propq> when fetching algorithms.
|
||||
|
||||
EVP_PKCS82PKEY() is similiar to EVP_PKCS82PKEY_ex() but uses default values of
|
||||
EVP_PKCS82PKEY() is similar to EVP_PKCS82PKEY_ex() but uses default values of
|
||||
NULL for the I<libctx> and I<propq>.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
|
|
@ -32,7 +32,7 @@ EVP_PKEY_derive_set_peer_ex() sets the peer key: this will normally
|
|||
be a public key. The I<validate_peer> will validate the public key if this value
|
||||
is non zero.
|
||||
|
||||
EVP_PKEY_derive_set_peer() is similiar to EVP_PKEY_derive_set_peer_ex() with
|
||||
EVP_PKEY_derive_set_peer() is similar to EVP_PKEY_derive_set_peer_ex() with
|
||||
I<validate_peer> set to 1.
|
||||
|
||||
EVP_PKEY_derive() derives a shared secret using I<ctx>.
|
||||
|
|
|
@ -49,7 +49,7 @@ is allocated by the method.
|
|||
|
||||
EVP_PKEY_get_utf8_string_param() get a key I<pkey> UTF8 string value into a
|
||||
buffer I<str> of maximum size I<max_buf_sz> associated with a name of
|
||||
I<key_name>. The maximum size must be large enough to accomodate the string
|
||||
I<key_name>. The maximum size must be large enough to accommodate the string
|
||||
value including a terminating NUL byte, or this function will fail.
|
||||
If I<out_len> is not NULL, I<*out_len> is set to the length of the string
|
||||
not including the terminating NUL byte. The required buffer size not including
|
||||
|
|
|
@ -62,7 +62,7 @@ see L<openssl_user_macros(7)>:
|
|||
B<EVP_PKEY> is a generic structure to hold diverse types of asymmetric keys
|
||||
(also known as "key pairs"), and can be used for diverse operations, like
|
||||
signing, verifying signatures, key derivation, etc. The asymmetric keys
|
||||
themselves are often refered to as the "internal key", and are handled by
|
||||
themselves are often referred to as the "internal key", and are handled by
|
||||
backends, such as providers (through L<EVP_KEYMGMT(3)>) or B<ENGINE>s.
|
||||
|
||||
Conceptually, an B<EVP_PKEY> internal key may hold a private key, a public
|
||||
|
|
|
@ -23,7 +23,7 @@ I<selection> is described in L<EVP_PKEY_fromdata(3)/Selections>.
|
|||
L<OSSL_PARAM_free(3)> should be used to free the returned parameters in
|
||||
I<*params>.
|
||||
|
||||
EVP_PKEY_export() is similiar to EVP_PKEY_todata() but uses a callback
|
||||
EVP_PKEY_export() is similar to EVP_PKEY_todata() but uses a callback
|
||||
I<export_cb> that gets passed the value of I<export_cbarg>.
|
||||
See L<openssl-core.h(7)> for more information about the callback. Note that the
|
||||
B<OSSL_PARAM> array that is passed to the callback is not persistent after the
|
||||
|
|
|
@ -131,7 +131,7 @@ in L<X509_VERIFY_PARAM_set_flags(3)/VERIFICATION FLAGS>.
|
|||
If I<flags> contains B<OCSP_NOCHAIN> it ignores all certificates in I<certs>
|
||||
and in I<bs>, else it takes them as untrusted intermediate CA certificates
|
||||
and uses them for constructing the validation path for the signer certificate.
|
||||
Certicate revocation status checks using CRLs is disabled during path validation
|
||||
Certificate revocation status checks using CRLs is disabled during path validation
|
||||
if the signer certificate contains the B<id-pkix-ocsp-no-check> extension.
|
||||
After successful path
|
||||
validation the function returns success if the B<OCSP_NOCHECKS> flag is set.
|
||||
|
|
|
@ -40,7 +40,7 @@ These functions perform an OCSP POST request / response transfer over HTTP,
|
|||
using the HTTP request functions described in L<OSSL_HTTP_REQ_CTX(3)>.
|
||||
|
||||
The function OCSP_sendreq_new() builds a complete B<OSSL_HTTP_REQ_CTX> structure
|
||||
with the B<BIO> I<io> to be used for requests and reponse, the URL path I<path>,
|
||||
with the B<BIO> I<io> to be used for requests and response, the URL path I<path>,
|
||||
optionally the OCSP request I<req>, and a response header maximum line length
|
||||
of I<buf_size>. If I<buf_size> is zero a default value of 4KiB is used.
|
||||
The I<req> may be set to NULL and provided later using OCSP_REQ_CTX_set1_req()
|
||||
|
|
|
@ -89,7 +89,7 @@ As long as neither if the two is used any logging output is ignored.
|
|||
|
||||
OSSL_CMP_log_close() may be called when all activities are finished to flush
|
||||
any pending CMP-specific log output and deallocate related resources.
|
||||
It may be called multiple times. It does get called at OpenSSL stutdown.
|
||||
It may be called multiple times. It does get called at OpenSSL shutdown.
|
||||
|
||||
OSSL_CMP_print_to_bio() prints the given component info, filename, line number,
|
||||
severity level, and log message or error queue message to the given I<bio>.
|
||||
|
|
|
@ -116,7 +116,7 @@ multiple synonyms associated with it. In this case the first name from the
|
|||
algorithm definition is returned. Ownership of the returned string is retained
|
||||
by the I<decoder> object and should not be freed by the caller.
|
||||
|
||||
OSSL_DECODER_get0_description() returns a pointer to a decription, or NULL if
|
||||
OSSL_DECODER_get0_description() returns a pointer to a description, or NULL if
|
||||
there isn't one.
|
||||
|
||||
OSSL_DECODER_names_do_all() returns 1 if the callback was called for all
|
||||
|
|
|
@ -41,7 +41,7 @@ them up, so all the caller has to do next is call functions like
|
|||
L<OSSL_DECODER_from_bio(3)>. The caller may use the optional I<input_type>,
|
||||
I<input_struct>, I<keytype> and I<selection> to specify what the input is
|
||||
expected to contain. The I<pkey> must reference an B<EVP_PKEY *> variable
|
||||
that will be set to the newly created B<EVP_PKEY> on succesfull decoding.
|
||||
that will be set to the newly created B<EVP_PKEY> on successful decoding.
|
||||
The referenced variable must be initialized to NULL before calling the
|
||||
function.
|
||||
|
||||
|
@ -78,7 +78,7 @@ callback may be specified with the following functions.
|
|||
OSSL_DECODER_CTX_set_pem_password_cb(), OSSL_DECODER_CTX_set_passphrase_ui()
|
||||
and OSSL_DECODER_CTX_set_passphrase_cb() set up a callback method that the
|
||||
implementation can use to prompt for a pass phrase, giving the caller the
|
||||
choice of prefered pass phrase callback form. These are called indirectly,
|
||||
choice of preferred pass phrase callback form. These are called indirectly,
|
||||
through an internal B<OSSL_PASSPHRASE_CALLBACK> function.
|
||||
|
||||
The internal B<OSSL_PASSPHRASE_CALLBACK> function caches the pass phrase, to
|
||||
|
|
|
@ -117,7 +117,7 @@ multiple synonyms associated with it. In this case the first name from the
|
|||
algorithm definition is returned. Ownership of the returned string is retained
|
||||
by the I<encoder> object and should not be freed by the caller.
|
||||
|
||||
OSSL_ENCODER_get0_description() returns a pointer to a decription, or NULL if
|
||||
OSSL_ENCODER_get0_description() returns a pointer to a description, or NULL if
|
||||
there isn't one.
|
||||
|
||||
OSSL_ENCODER_names_do_all() returns 1 if the callback was called for all
|
||||
|
|
|
@ -80,7 +80,7 @@ as DER to PEM, as well as more specialized encoders like RSA to DER.
|
|||
The final output type must be given, and a chain of encoders must end with
|
||||
an implementation that produces that output type.
|
||||
|
||||
At the beginning of the encoding process, a contructor provided by the
|
||||
At the beginning of the encoding process, a constructor provided by the
|
||||
caller is called to ensure that there is an appropriate provider-side object
|
||||
to start with.
|
||||
The constructor is set with OSSL_ENCODER_CTX_set_construct().
|
||||
|
@ -148,7 +148,7 @@ The pointer that was set with OSSL_ENCODE_CTX_set_construct_data().
|
|||
|
||||
The constructor is expected to return a valid (non-NULL) pointer to a
|
||||
provider-native object that can be used as first input of an encoding chain,
|
||||
or NULL to indicate that an error has occured.
|
||||
or NULL to indicate that an error has occurred.
|
||||
|
||||
These utility functions may be used by a constructor:
|
||||
|
||||
|
|
|
@ -78,7 +78,7 @@ following functions.
|
|||
OSSL_ENCODER_CTX_set_pem_password_cb(), OSSL_ENCODER_CTX_set_passphrase_ui()
|
||||
and OSSL_ENCODER_CTX_set_passphrase_cb() sets up a callback method that the
|
||||
implementation can use to prompt for a pass phrase, giving the caller the
|
||||
choice of prefered pass phrase callback form. These are called indirectly,
|
||||
choice of preferred pass phrase callback form. These are called indirectly,
|
||||
through an internal B<OSSL_PASSPHRASE_CALLBACK> function.
|
||||
|
||||
=head2 Output types
|
||||
|
|
|
@ -46,7 +46,7 @@ while the list contained in I<ssv2> is of type B<ESS_CERT_ID_V2>.
|
|||
As far as these lists are present, they must be nonempty.
|
||||
The certificate identified by their first entry must be the first element of
|
||||
I<chain>, i.e. the signer certificate.
|
||||
Any further certficates referenced in the list must also be found in I<chain>.
|
||||
Any further certificates referenced in the list must also be found in I<chain>.
|
||||
The matching is done using the given certificate hash algorithm and value.
|
||||
In addition to the checks required by RFCs 2624 and 5035,
|
||||
if the B<issuerSerial> field is included in an B<ESSCertID> or B<ESSCertIDv2>
|
||||
|
|
|
@ -133,7 +133,7 @@ The function may need to be called again if its result is -1, which indicates
|
|||
L<BIO_should_retry(3)>. In such a case it is advisable to sleep a little in
|
||||
between, using L<BIO_wait(3)> on the read BIO to prevent a busy loop.
|
||||
|
||||
OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on successs
|
||||
OSSL_HTTP_REQ_CTX_nbio_d2i() is like OSSL_HTTP_REQ_CTX_nbio() but on success
|
||||
in addition parses the response, which must be a DER-encoded ASN.1 structure,
|
||||
using the ASN.1 template I<it> and places the result in I<*pval>.
|
||||
|
||||
|
|
|
@ -57,7 +57,7 @@ The path component is also optional and defaults to C</>.
|
|||
Each non-NULL result pointer argument I<pscheme>, I<puser>, I<phost>, I<pport>,
|
||||
I<ppath>, I<pquery>, and I<pfrag>, is assigned the respective url component.
|
||||
On success, they are guaranteed to contain non-NULL string pointers, else NULL.
|
||||
It is the reponsibility of the caller to free them using L<OPENSSL_free(3)>.
|
||||
It is the responsibility of the caller to free them using L<OPENSSL_free(3)>.
|
||||
If I<pquery> is NULL, any given query component is handled as part of the path.
|
||||
A string returned via I<*ppath> is guaranteed to begin with a C</> character.
|
||||
For absent scheme, userinfo, port, query, and fragment components
|
||||
|
|
|
@ -108,7 +108,7 @@ B<OSSL_PARAM_UTF8_STRING> in relation to C strings. When setting
|
|||
parameters, the size should be set to the length of the string, not
|
||||
counting the terminating NUL byte. When requesting parameters, the
|
||||
size should be set to the size of the buffer to be populated, which
|
||||
should accomodate enough space for a terminating NUL byte.
|
||||
should accommodate enough space for a terminating NUL byte.
|
||||
|
||||
When I<requesting parameters>, it's acceptable for I<data> to be NULL.
|
||||
This can be used by the I<requestor> to figure out dynamically exactly
|
||||
|
|
|
@ -241,7 +241,7 @@ will be assigned the size the parameter's I<data> buffer should have.
|
|||
OSSL_PARAM_get_utf8_string() retrieves a UTF8 string from the parameter
|
||||
pointed to by I<p>.
|
||||
The string is stored into I<*val> with a size limit of I<max_len>,
|
||||
which must be large enough to accomodate a terminating NUL byte,
|
||||
which must be large enough to accommodate a terminating NUL byte,
|
||||
otherwise this function will fail.
|
||||
If I<*val> is NULL, memory is allocated for the string (including the
|
||||
terminating NUL byte) and I<max_len> is ignored.
|
||||
|
@ -250,14 +250,14 @@ If memory is allocated by this function, it must be freed by the caller.
|
|||
OSSL_PARAM_set_utf8_string() sets a UTF8 string from the parameter pointed to
|
||||
by I<p> to the value referenced by I<val>.
|
||||
If the parameter's I<data> field isn't NULL, its I<data_size> must indicate
|
||||
that the buffer is large enough to accomodate the string that I<val> points at,
|
||||
that the buffer is large enough to accommodate the string that I<val> points at,
|
||||
not including the terminating NUL byte, or this function will fail.
|
||||
A terminating NUL byte is added only if the parameter's I<data_size> indicates
|
||||
the buffer is longer than the string length, otherwise the string will not be
|
||||
NUL terminated.
|
||||
If the parameter's I<data> field is NULL, then only its I<return_size> field
|
||||
will be assigned the minimum size the parameter's I<data> buffer should have
|
||||
to accomodate the string, not including a terminating NUL byte.
|
||||
to accommodate the string, not including a terminating NUL byte.
|
||||
|
||||
OSSL_PARAM_get_octet_string() retrieves an OCTET string from the parameter
|
||||
pointed to by I<p>.
|
||||
|
|
|
@ -327,7 +327,7 @@ definition string, or NULL on error.
|
|||
OSSL_STORE_LOADER_is_a() returns 1 if I<loader> was identifiable,
|
||||
otherwise 0.
|
||||
|
||||
OSSL_STORE_LOADER_get0_description() returns a pointer to a decription, or NULL if
|
||||
OSSL_STORE_LOADER_get0_description() returns a pointer to a description, or NULL if
|
||||
there isn't one.
|
||||
|
||||
The functions with the types B<OSSL_STORE_open_fn>,
|
||||
|
|
|
@ -46,7 +46,7 @@ by attaching the B<BIO> I<bio> object as (simple) trace channel.
|
|||
OSSL_trace_set_prefix() and OSSL_trace_set_suffix() can be used to add
|
||||
an extra line for each channel, to be output before and after group of
|
||||
tracing output.
|
||||
What constitues an output group is decided by the code that produces
|
||||
What constitutes an output group is decided by the code that produces
|
||||
the output.
|
||||
The lines given here are considered immutable; for more dynamic
|
||||
tracing prefixes, consider setting a callback with
|
||||
|
|
|
@ -21,7 +21,7 @@ decrypt functions
|
|||
PKCS12_decrypt_skey() Decrypt the PKCS#8 shrouded keybag contained within I<bag>
|
||||
using the supplied password I<pass> of length I<passlen>.
|
||||
|
||||
PKCS12_decrypt_skey_ex() is similar to the above but allows for a library contex
|
||||
PKCS12_decrypt_skey_ex() is similar to the above but allows for a library context
|
||||
I<ctx> and property query I<propq> to be used to select algorithm implementations.
|
||||
|
||||
=head1 RETURN VALUES
|
||||
|
|
|
@ -21,7 +21,7 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure
|
|||
=head1 DESCRIPTION
|
||||
|
||||
PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the
|
||||
supplied password along with a set of already configured paramters.
|
||||
supplied password along with a set of already configured parameters.
|
||||
|
||||
PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied
|
||||
password.
|
||||
|
|
|
@ -37,7 +37,7 @@ and L<EVP_RAND(7)>.
|
|||
|
||||
RAND_bytes_ex() and RAND_priv_bytes_ex() are the same as RAND_bytes() and
|
||||
RAND_priv_bytes() except that they both take additional I<strength> and
|
||||
I<ctx> parameters. The bytes genreated will have a security strength of at
|
||||
I<ctx> parameters. The bytes generated will have a security strength of at
|
||||
least I<strength> bits.
|
||||
The DRBG used for the operation is the public or private DRBG associated with
|
||||
the specified I<ctx>. The parameter can be NULL, in which case
|
||||
|
|
|
@ -54,7 +54,7 @@ see L<openssl_user_macros(7)>:
|
|||
|
||||
All of the functions described on this page are deprecated.
|
||||
Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
|
||||
return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
|
||||
return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more information.
|
||||
|
||||
An RSA object contains the components for the public and private key,
|
||||
B<n>, B<e>, B<d>, B<p>, B<q>, B<dmp1>, B<dmq1> and B<iqmp>. B<n> is
|
||||
|
|
|
@ -73,9 +73,9 @@ the built-in parameter support described above. Applications wishing to supply
|
|||
their own DH parameters should call SSL_CTX_set0_tmp_dh_pkey() or
|
||||
SSL_set0_tmp_dh_pkey() to supply the parameters for the B<SSL_CTX> or B<SSL>
|
||||
respectively. The parameters should be supplied in the I<dhpkey> argument as
|
||||
an B<EVP_PKEY> containg DH parameters. Ownership of the I<dhpkey> value is
|
||||
an B<EVP_PKEY> containing DH parameters. Ownership of the I<dhpkey> value is
|
||||
passed to the B<SSL_CTX> or B<SSL> object as a result of this call, and so the
|
||||
caller should not free it if the function call is succesful.
|
||||
caller should not free it if the function call is successful.
|
||||
|
||||
The deprecated macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() do the same
|
||||
thing as SSL_CTX_set0_tmp_dh_pkey() and SSL_set0_tmp_dh_pkey() except that the
|
||||
|
|
|
@ -221,7 +221,7 @@ X509_VERIFY_PARAM_set1_ip_asc() return 1 for success and 0 for
|
|||
failure.
|
||||
|
||||
X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), and
|
||||
X509_VERIFY_PARAM_get1_ip_asc(), return the string pointers pecified above
|
||||
X509_VERIFY_PARAM_get1_ip_asc(), return the string pointers specified above
|
||||
or NULL if the respective value has not been set or on error.
|
||||
|
||||
X509_VERIFY_PARAM_get_flags() returns the current verification flags.
|
||||
|
|
|
@ -31,7 +31,7 @@ The value B<X509_ADD_FLAG_DEFAULT>, which equals 0, means no special semantics.
|
|||
If B<X509_ADD_FLAG_UP_REF> is set then
|
||||
the reference counts of those certificates added successfully are increased.
|
||||
|
||||
If B<X509_ADD_FLAG_PREPEND> is set then the certifcates are prepended to I<sk>.
|
||||
If B<X509_ADD_FLAG_PREPEND> is set then the certificates are prepended to I<sk>.
|
||||
By default they are appended to I<sk>.
|
||||
In both cases the original order of the added certificates is preserved.
|
||||
|
||||
|
|
|
@ -44,9 +44,9 @@ X509_digest_sig() calculates a digest of the given certificate I<cert>
|
|||
using the same hash algorithm as in its signature, if the digest
|
||||
is an integral part of the certificate signature algorithm identifier.
|
||||
Otherwise, a fallback hash algorithm is determined as follows:
|
||||
SHA512 if the signature alorithm is ED25519,
|
||||
SHA512 if the signature algorithm is ED25519,
|
||||
SHAKE256 if it is ED448, otherwise SHA256.
|
||||
The output parmeters are assigned as follows.
|
||||
The output parameters are assigned as follows.
|
||||
Unless I<md_used> is NULL, the hash algorithm used is provided
|
||||
in I<*md_used> and must be freed by the caller (if it is not NULL).
|
||||
Unless I<md_is_fallback> is NULL,
|
||||
|
|
|
@ -350,7 +350,7 @@ to generate the function bodies.
|
|||
B<I<TYPE>_new>() allocates an empty object of the indicated type.
|
||||
The object returned must be released by calling B<I<TYPE>_free>().
|
||||
|
||||
B<I<TYPE>_new_ex>() is similiar to B<I<TYPE>_new>() but also passes the
|
||||
B<I<TYPE>_new_ex>() is similar to B<I<TYPE>_new>() but also passes the
|
||||
library context I<libctx> and the property query I<propq> to use when retrieving
|
||||
algorithms from providers. This created object can then be used when loading
|
||||
binary data using B<d2i_I<TYPE>>().
|
||||
|
|
|
@ -415,7 +415,7 @@ For example:
|
|||
=head2 Random Configuration
|
||||
|
||||
The name B<random> in the initialization section names the section
|
||||
containing the random number generater settings.
|
||||
containing the random number generator settings.
|
||||
|
||||
Within the random section, the following names have meaning:
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ The B<EC> keytype is implemented in OpenSSL's default provider.
|
|||
The normal way of specifying domain parameters for an EC curve is via the
|
||||
curve name "group". For curves with no curve name, explicit parameters can be
|
||||
used that specify "field-type", "p", "a", "b", "generator" and "order".
|
||||
Explicit parameters are supported for backwards compability reasons, but they
|
||||
Explicit parameters are supported for backwards compatibility reasons, but they
|
||||
are not compliant with multiple standards (including RFC5915) which only allow
|
||||
named curves.
|
||||
|
||||
|
@ -70,7 +70,7 @@ I<order> multiplied by the I<cofactor> gives the number of points on the curve.
|
|||
|
||||
=item "decoded-from-explicit" (B<OSSL_PKEY_PARAM_EC_DECODED_FROM_EXPLICIT_PARAMS>) <integer>
|
||||
|
||||
Gets a flag indicating wether the key or parameters were decoded from explicit
|
||||
Gets a flag indicating whether the key or parameters were decoded from explicit
|
||||
curve parameters. Set to 1 if so or 0 if a named curve was used.
|
||||
|
||||
=item "use-cofactor-flag" (B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH>) <integer>
|
||||
|
@ -95,7 +95,7 @@ point_conversion_forms please see L<EC_POINT_new(3)>. Valid values are
|
|||
Sets or Gets the type of group check done when EVP_PKEY_param_check() is called.
|
||||
Valid values are "default", "named" and "named-nist".
|
||||
The "named" type checks that the domain parameters match the inbuilt curve parameters,
|
||||
"named-nist" is similiar but also checks that the named curve is a nist curve.
|
||||
"named-nist" is similar but also checks that the named curve is a nist curve.
|
||||
The "default" type does domain parameter validation for the OpenSSL default provider,
|
||||
but is equivalent to "named-nist" for the OpenSSL fips provider.
|
||||
|
||||
|
|
|
@ -206,7 +206,7 @@ If anything in this step fails, the next step is used as a fallback.
|
|||
|
||||
As a fallback, try to fetch the operation type implementation from the same
|
||||
provider as the original L<EVP_PKEY(3)>'s L<EVP_KEYMGMT(3)>, still using the
|
||||
propery string from the B<EVP_PKEY_CTX>.
|
||||
property string from the B<EVP_PKEY_CTX>.
|
||||
|
||||
=back
|
||||
|
||||
|
|
|
@ -92,7 +92,7 @@ Obviously the include file location above should match the path and name of the
|
|||
FIPS module config file that you installed earlier.
|
||||
See L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
|
||||
|
||||
For FIPS usage, it is recommened that the B<config_diagnostics> option is
|
||||
For FIPS usage, it is recommended that the B<config_diagnostics> option is
|
||||
enabled to prevent accidental use of non-FIPS validated algorithms via broken
|
||||
or mistaken configuration. See L<config(5)>.
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ This state represents the PKEY after it has been allocated.
|
|||
=item decapsulate
|
||||
|
||||
This state represents the PKEY when it is ready to perform a private key decapsulation
|
||||
opeartion.
|
||||
operation.
|
||||
|
||||
=item decrypt
|
||||
|
||||
|
@ -40,7 +40,7 @@ operation.
|
|||
=item encapsulate
|
||||
|
||||
This state represents the PKEY when it is ready to perform a public key encapsulation
|
||||
opeartion.
|
||||
operation.
|
||||
|
||||
=item encrypt
|
||||
|
||||
|
|
|
@ -130,7 +130,7 @@ New algorithms provided via engines will still work.
|
|||
|
||||
Engine-backed keys can be loaded via custom B<OSSL_STORE> implementation.
|
||||
In this case the B<EVP_PKEY> objects created via L<ENGINE_load_private_key(3)>
|
||||
will be concidered legacy and will continue to work.
|
||||
will be considered legacy and will continue to work.
|
||||
|
||||
To ensure the future compatibility, the engines should be turned to providers.
|
||||
To prefer the provider-based hardware offload, you can specify the default
|
||||
|
@ -624,7 +624,7 @@ set up with the default library context. Use L<X509_new_ex(3)>,
|
|||
L<X509_CRL_new_ex(3)>, L<X509_REQ_new_ex(3)> and L<X509_PUBKEY_new_ex(3)> if a
|
||||
library context is required.
|
||||
|
||||
All functions listed below with a I<NAME> have a replacment function I<NAME_ex>
|
||||
All functions listed below with a I<NAME> have a replacement function I<NAME_ex>
|
||||
that takes B<OSSL_LIB_CTX> as an additional argument. Functions that have other
|
||||
mappings are listed along with the respective name.
|
||||
|
||||
|
@ -982,7 +982,7 @@ that refer to these categories.
|
|||
Any accessor that uses an ENGINE is deprecated (such as EVP_PKEY_set1_engine()).
|
||||
Applications using engines should instead use providers.
|
||||
|
||||
Before providers were added algorithms were overriden by changing the methods
|
||||
Before providers were added algorithms were overridden by changing the methods
|
||||
used by algorithms. All these methods such as RSA_new_method() and RSA_meth_new()
|
||||
are now deprecated and can be replaced by using providers instead.
|
||||
|
||||
|
@ -1074,7 +1074,7 @@ See L<EVP_MAC(3)>, L<EVP_MAC-HMAC(7)>, L<EVP_MAC-CMAC(7)>, L<EVP_MAC-GMAC(7)>,
|
|||
L<EVP_MAC-KMAC(7)>, L<EVP_MAC-BLAKE2(7)>, L<EVP_MAC-Poly1305(7)> and
|
||||
L<EVP_MAC-Siphash(7)> for additional information.
|
||||
|
||||
Note that the one-shot method HMAC() is still available for compatability purposes.
|
||||
Note that the one-shot method HMAC() is still available for compatibility purposes.
|
||||
|
||||
=head4 Deprecated low-level validation functions
|
||||
|
||||
|
@ -1530,7 +1530,7 @@ See L</Deprecated low-level validation functions>
|
|||
|
||||
EC_KEY_set_flags(), EC_KEY_get_flags(), EC_KEY_clear_flags()
|
||||
|
||||
See L<EVP_PKEY-EC(7)/Common EC parameters> which handles flags as seperate
|
||||
See L<EVP_PKEY-EC(7)/Common EC parameters> which handles flags as separate
|
||||
parameters for B<OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT>,
|
||||
B<OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE>, B<OSSL_PKEY_PARAM_EC_ENCODING>,
|
||||
B<OSSL_PKEY_PARAM_USE_COFACTOR_ECDH> and
|
||||
|
|
|
@ -12,7 +12,7 @@ openssl-glossary - An OpenSSL Glossary
|
|||
|
||||
=item Algorithm
|
||||
|
||||
Cryptograpic primitives such as the SHA256 digest, or AES encryption are
|
||||
Cryptographic primitives such as the SHA256 digest, or AES encryption are
|
||||
referred to in OpenSSL as "algorithms". There can be more than one
|
||||
implementation for any given algorithm available for use.
|
||||
|
||||
|
@ -45,7 +45,7 @@ L<OSSL_DECODER_CTX_new_for_pkey(3)>
|
|||
|
||||
=item Default Provider
|
||||
|
||||
An OpenSSL Provider that contains the most commmon OpenSSL algorithm
|
||||
An OpenSSL Provider that contains the most common OpenSSL algorithm
|
||||
implementations. It is loaded by default if no other provider is available. All
|
||||
the algorithm implementations in the Base Provider are also available in the
|
||||
Default Provider.
|
||||
|
@ -81,7 +81,7 @@ Fetching is the process of looking through the available algorithm
|
|||
implementations, applying selection criteria (via a property query string), and
|
||||
finally choosing the implementation that will be used.
|
||||
|
||||
Also see Explicit Fetching and Implict Fetching.
|
||||
Also see Explicit Fetching and Implicit Fetching.
|
||||
|
||||
L<crypto(7)>
|
||||
|
||||
|
|
|
@ -198,7 +198,7 @@ Sets the mode in the associated KDF ctx.
|
|||
|
||||
=item "pkcs5" (B<OSSL_KDF_PARAM_PKCS5>) <integer>
|
||||
|
||||
Enables or diables the SP800-132 compliance checks.
|
||||
Enables or disables the SP800-132 compliance checks.
|
||||
A mode of 0 enables the compliance checks.
|
||||
|
||||
The checks performed are:
|
||||
|
|
|
@ -164,7 +164,7 @@ A human readable text that describes extra details on the object.
|
|||
|
||||
=back
|
||||
|
||||
When a provider-native object abtraction is used, it I<must> contain object
|
||||
When a provider-native object abstraction is used, it I<must> contain object
|
||||
data in at least one form (object data I<passed by value>, i.e. the "data"
|
||||
item, or object data I<passed by reference>, i.e. the "reference" item).
|
||||
Both may be present at once, in which case the OpenSSL library code that
|
||||
|
|
|
@ -511,7 +511,7 @@ OSSL_CORE_MAKE_FUNC(void,rand_clear_seed,
|
|||
* and key material, etc, essentially everything that manipulates the keys
|
||||
* themselves and their parameters.
|
||||
*
|
||||
* The key objects are commonly refered to as |keydata|, and it MUST be able
|
||||
* The key objects are commonly referred to as |keydata|, and it MUST be able
|
||||
* to contain parameters if the key has any, the public key and the private
|
||||
* key. All parts are optional, but their presence determines what can be
|
||||
* done with the key object in terms of encryption, signature, and so on.
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
*/
|
||||
|
||||
/*
|
||||
* Crypto extention support for AES GCM.
|
||||
* Crypto extension support for AES GCM.
|
||||
* This file is included by cipher_aes_gcm_hw.c
|
||||
*/
|
||||
|
||||
|
|
|
@ -168,7 +168,7 @@ static X509_PUBKEY *key_to_pubkey(const void *key, int key_nid,
|
|||
* EncryptedPrivateKeyInfo structure (defined by PKCS#8). They require
|
||||
* that there's an intent to encrypt, anything else is an error.
|
||||
*
|
||||
* key_to_pki_* primarly produce encoded output with the private key data
|
||||
* key_to_pki_* primarily produce encoded output with the private key data
|
||||
* in a PrivateKeyInfo structure (also defined by PKCS#8). However, if
|
||||
* there is an intent to encrypt the data, the corresponding key_to_epki_*
|
||||
* function is used instead.
|
||||
|
|
|
@ -69,7 +69,7 @@ int ossl_kdf_data_up_ref(KDF_DATA *kdfdata)
|
|||
|
||||
/* This is effectively doing a new operation on the KDF_DATA and should be
|
||||
* adequately guarded again modules' error states. However, both current
|
||||
* calls here are guarded propery in exchange/kdf_exch.c. Thus, it
|
||||
* calls here are guarded properly in exchange/kdf_exch.c. Thus, it
|
||||
* could be removed here. The concern is that something in the future
|
||||
* might call this function without adequate guards. It's a cheap call,
|
||||
* it seems best to leave it even though it is currently redundant.
|
||||
|
|
|
@ -109,7 +109,7 @@ int ossl_mac_key_up_ref(MAC_KEY *mackey)
|
|||
|
||||
/* This is effectively doing a new operation on the MAC_KEY and should be
|
||||
* adequately guarded again modules' error states. However, both current
|
||||
* calls here are guarded propery in signature/mac_legacy.c. Thus, it
|
||||
* calls here are guarded properly in signature/mac_legacy.c. Thus, it
|
||||
* could be removed here. The concern is that something in the future
|
||||
* might call this function without adequate guards. It's a cheap call,
|
||||
* it seems best to leave it even though it is currently redundant.
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
|
||||
/*
|
||||
* ECDSA low level APIs are deprecated for public use, but still ok for
|
||||
* internal use - SM2 implemetation uses ECDSA_size() function.
|
||||
* internal use - SM2 implementation uses ECDSA_size() function.
|
||||
*/
|
||||
#include "internal/deprecated.h"
|
||||
|
||||
|
@ -66,9 +66,9 @@ typedef struct {
|
|||
EC_KEY *ec;
|
||||
|
||||
/*
|
||||
* Flag to termine if the 'z' digest needs to be computed and fed to the
|
||||
* Flag to determine if the 'z' digest needs to be computed and fed to the
|
||||
* hash function.
|
||||
* This flag should be set on initialization and the compuation should
|
||||
* This flag should be set on initialization and the computation should
|
||||
* be performed only once, on first update.
|
||||
*/
|
||||
unsigned int flag_compute_z_digest : 1;
|
||||
|
|
|
@ -2899,7 +2899,7 @@ static int tls_process_cke_rsa(SSL *s, PACKET *pkt)
|
|||
* We must not leak whether a decryption failure occurs because of
|
||||
* Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246,
|
||||
* section 7.4.7.1). We use the special padding type
|
||||
* RSA_PKCS1_WITH_TLS_PADDING to do that. It will automaticaly decrypt the
|
||||
* RSA_PKCS1_WITH_TLS_PADDING to do that. It will automatically decrypt the
|
||||
* RSA, check the padding and check that the client version is as expected
|
||||
* in the premaster secret. If any of that fails then the function appears
|
||||
* to return successfully but with a random result. The call below could
|
||||
|
|
|
@ -417,7 +417,7 @@ static int execute_msg_check_test(CMP_VFY_TEST_FIXTURE *fixture)
|
|||
fixture->additional_arg)))
|
||||
return 0;
|
||||
|
||||
if (fixture->expected == 0) /* error expected aready during above check */
|
||||
if (fixture->expected == 0) /* error expected already during above check */
|
||||
return 1;
|
||||
return
|
||||
TEST_int_eq(0,
|
||||
|
|
|
@ -2929,9 +2929,9 @@ static int test_pkey_ctx_fail_without_provider(int tst)
|
|||
|
||||
/*
|
||||
* We check for certain algos in the null provider.
|
||||
* If an algo is expected to have a provider keymgmt, contructing an
|
||||
* If an algo is expected to have a provider keymgmt, constructing an
|
||||
* EVP_PKEY_CTX is expected to fail (return NULL).
|
||||
* Otherwise, if it's expected to have legacy support, contructing an
|
||||
* Otherwise, if it's expected to have legacy support, constructing an
|
||||
* EVP_PKEY_CTX is expected to succeed (return non-NULL).
|
||||
*/
|
||||
switch (tst) {
|
||||
|
|
|
@ -294,7 +294,7 @@ static int builder_limit_test(void)
|
|||
}
|
||||
if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
|
||||
goto err;
|
||||
/* Count the elements in the params arrary, expecting n */
|
||||
/* Count the elements in the params array, expecting n */
|
||||
for (i = 0; params[i].key != NULL; i++);
|
||||
if (!TEST_int_eq(i, n))
|
||||
goto err;
|
||||
|
@ -306,7 +306,7 @@ static int builder_limit_test(void)
|
|||
if (!TEST_true(OSSL_PARAM_BLD_push_int(bld, "g", 2))
|
||||
|| !TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
|
||||
goto err;
|
||||
/* Count the elements in the params arrary, expecting 1 */
|
||||
/* Count the elements in the params array, expecting 1 */
|
||||
for (i = 0; params[i].key != NULL; i++);
|
||||
if (!TEST_int_eq(i, 1))
|
||||
goto err;
|
||||
|
|
|
@ -78,7 +78,7 @@ static int test_param_type_extra(OSSL_PARAM *param, const unsigned char *cmp,
|
|||
const int signd = param->data_type == OSSL_PARAM_INTEGER;
|
||||
|
||||
/*
|
||||
* Set the unmodified sentinal directly because there is no param array
|
||||
* Set the unmodified sentinel directly because there is no param array
|
||||
* for these tests.
|
||||
*/
|
||||
param->return_size = OSSL_PARAM_UNMODIFIED;
|
||||
|
|
|
@ -46,7 +46,7 @@ struct object_st {
|
|||
*/
|
||||
double p2;
|
||||
/*
|
||||
* Documented as an arbitrarly large unsigned integer.
|
||||
* Documented as an arbitrarily large unsigned integer.
|
||||
* The data size must be large enough to accommodate.
|
||||
* Assumed data type OSSL_PARAM_UNSIGNED_INTEGER
|
||||
*/
|
||||
|
|
|
@ -87,7 +87,7 @@ use constant {
|
|||
};
|
||||
|
||||
# The TLSv1.2 in SSLv2 ClientHello need to run at security level 0
|
||||
# because in a SSLv2 ClientHello we can't send extentions to indicate
|
||||
# because in a SSLv2 ClientHello we can't send extensions to indicate
|
||||
# which signature algorithm we want to use, and the default is SHA1.
|
||||
|
||||
#Test 5: Inject an SSLv2 style record format for a TLSv1.2 ClientHello
|
||||
|
|
|
@ -34,7 +34,7 @@ if ($no_fips) {
|
|||
}
|
||||
|
||||
# Merge the configuration files into one filtering the contents so the failure
|
||||
# condition is reproducable. A working FIPS configuration without the install
|
||||
# condition is reproducible. A working FIPS configuration without the install
|
||||
# status is required.
|
||||
|
||||
open CFGBASE, '<', $config_path;
|
||||
|
|
|
@ -36,7 +36,7 @@ our @tests_ec = (
|
|||
{
|
||||
# The Ed448 signature algorithm will not be enabled.
|
||||
# Because of the config order, the certificate is first loaded, and
|
||||
# then the security level is chaged. If you try this with s_server
|
||||
# then the security level is changed. If you try this with s_server
|
||||
# the order will be reversed and it will instead fail to load the key.
|
||||
name => "SECLEVEL 5 server with ED448 key",
|
||||
server => { "CipherString" => "DEFAULT:\@SECLEVEL=5",
|
||||
|
@ -48,7 +48,7 @@ our @tests_ec = (
|
|||
},
|
||||
{
|
||||
# The client will not sent the Ed448 signature algorithm, so the server
|
||||
# doesn't have a useable signature algorithm for the certificate.
|
||||
# doesn't have a usable signature algorithm for the certificate.
|
||||
name => "SECLEVEL 5 client with ED448 key",
|
||||
server => { "CipherString" => "DEFAULT:\@SECLEVEL=4",
|
||||
"Certificate" => test_pem("server-ed448-cert.pem"),
|
||||
|
|
|
@ -856,7 +856,7 @@ static int test_ccs_change_cipher(void)
|
|||
size_t readbytes;
|
||||
|
||||
/*
|
||||
* Create a conection so we can resume and potentially (but not) use
|
||||
* Create a connection so we can resume and potentially (but not) use
|
||||
* a different cipher in the second connection.
|
||||
*/
|
||||
if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
|
||||
|
|
|
@ -313,7 +313,7 @@ static const OSSL_DISPATCH xor_keyexch_functions[] = {
|
|||
|
||||
static const OSSL_ALGORITHM tls_prov_keyexch[] = {
|
||||
/*
|
||||
* Obviously this is not FIPS approved, but in order to test in conjuction
|
||||
* Obviously this is not FIPS approved, but in order to test in conjunction
|
||||
* with the FIPS provider we pretend that it is.
|
||||
*/
|
||||
{ "XOR", "provider=tls-provider,fips=yes", xor_keyexch_functions },
|
||||
|
@ -442,7 +442,7 @@ static const OSSL_DISPATCH xor_kem_functions[] = {
|
|||
|
||||
static const OSSL_ALGORITHM tls_prov_kem[] = {
|
||||
/*
|
||||
* Obviously this is not FIPS approved, but in order to test in conjuction
|
||||
* Obviously this is not FIPS approved, but in order to test in conjunction
|
||||
* with the FIPS provider we pretend that it is.
|
||||
*/
|
||||
{ "XOR", "provider=tls-provider,fips=yes", xor_kem_functions },
|
||||
|
@ -758,7 +758,7 @@ static const OSSL_DISPATCH xor_keymgmt_functions[] = {
|
|||
|
||||
static const OSSL_ALGORITHM tls_prov_keymgmt[] = {
|
||||
/*
|
||||
* Obviously this is not FIPS approved, but in order to test in conjuction
|
||||
* Obviously this is not FIPS approved, but in order to test in conjunction
|
||||
* with the FIPS provider we pretend that it is.
|
||||
*/
|
||||
{ "XOR", "provider=tls-provider,fips=yes", xor_keymgmt_functions },
|
||||
|
|
|
@ -214,7 +214,7 @@ my %procedures = (
|
|||
#
|
||||
# Hinweis: Einlesen der Datei: {whatever header file}
|
||||
#
|
||||
# To accomodate, we need to use a very general regular expression
|
||||
# To accommodate, we need to use a very general regular expression
|
||||
# to parse those lines.
|
||||
#
|
||||
# Since there's no object file name at all in that information,
|
||||
|
|
|
@ -62,7 +62,7 @@
|
|||
# except within if ... else constructs where some branch contains more than one
|
||||
# statement. Since the exception is hard to recognize when such branches occur
|
||||
# after the current position (such that false positives would be reported)
|
||||
# the tool by checks for this rule by defaul only for do/while/for bodies.
|
||||
# the tool by checks for this rule by default only for do/while/for bodies.
|
||||
# Yet with the --1-stmt option false positives are preferred over negatives.
|
||||
# False negatives occur if the braces are more than two non-empty lines apart.
|
||||
#
|
||||
|
@ -316,7 +316,7 @@ sub check_indent { # used for lines outside multi-line string literals
|
|||
$contents_before) if !$sloppy_cmt && $count_before != $count;
|
||||
}
|
||||
# ... but allow normal indentation for the current line, else above check will be done for the line before
|
||||
if (($in_comment == 0 || $in_comment < 0) # (no commment,) intra-line comment or end of multi-line comment
|
||||
if (($in_comment == 0 || $in_comment < 0) # (no comment,) intra-line comment or end of multi-line comment
|
||||
&& m/^(\s*)@[\s@]*$/) { # line begins with '@', no code follows (except '\')
|
||||
if ($count == $ref_indent) { # indentation is like for (normal) code in this line
|
||||
s/^(\s*)@/$1*/; # blind first '@' as '*' to prevent above delayed check for the line before
|
||||
|
@ -511,7 +511,7 @@ while (<>) { # loop over all lines of all input files
|
|||
|
||||
# do/prepare checks within multi-line comments
|
||||
my $self_test_exception = $self_test ? "@" : "";
|
||||
if ($in_comment > 0) { # this still includes the last line of multi-line commment
|
||||
if ($in_comment > 0) { # this still includes the last line of multi-line comment
|
||||
my ($head, $any_symbol, $cmt_text) = m/^(\s*)(.?)(.*)$/;
|
||||
if ($any_symbol eq "*") {
|
||||
report("no space after leading '*' in multi-line comment") if $cmt_text =~ m|^[^/\s$self_test_exception]|;
|
||||
|
@ -851,7 +851,7 @@ while (<>) { # loop over all lines of all input files
|
|||
$line_opening_brace == $line_before)
|
||||
&& $contents_before =~ m/;/) { # there is at least one terminator ';', so there is some stmt
|
||||
# TODO do not report cases where a further else branch
|
||||
# follows with a block containg more than one line/statement
|
||||
# follows with a block containing more than one line/statement
|
||||
report_flexibly($line_before, "'$keyword_opening_brace' { 1 stmt }", $contents_before);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue