diff options
author | Rich Salz <rsalz@openssl.org> | 2016-05-20 08:11:46 -0400 |
---|---|---|
committer | Rich Salz <rsalz@openssl.org> | 2016-05-20 08:11:46 -0400 |
commit | 1bc74519a2a57ef8e67484ca92890fa94d3dd66f (patch) | |
tree | e6f9e69d03548ad1e73bf805957a46dec95853b1 /doc/ssl | |
parent | e990ec5234d9daad66359833c40e4536d7fce499 (diff) | |
download | openssl-1bc74519a2a57ef8e67484ca92890fa94d3dd66f.tar.gz |
Fix nits in pod files.
Add doc-nit-check to help find future issues.
Make podchecker be almost clean.
Remove trailing whitespace.
Tab expansion
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'doc/ssl')
34 files changed, 126 insertions, 144 deletions
diff --git a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod index 00b7118021..2e82f05241 100644 --- a/doc/ssl/SSL_CONF_CTX_set1_prefix.pod +++ b/doc/ssl/SSL_CONF_CTX_set1_prefix.pod @@ -20,7 +20,7 @@ to B<prefix>. If B<prefix> is B<NULL> it is restored to the default value. Command prefixes alter the commands recognised by subsequent SSL_CTX_cmd() calls. For example for files, if the prefix "SSL" is set then command names such as "SSLProtocol", "SSLOptions" etc. are recognised instead of "Protocol" -and "Options". Similarly for command lines if the prefix is "--ssl-" then +and "Options". Similarly for command lines if the prefix is "--ssl-" then "--ssl-no_tls1_2" is recognised instead of "-no_tls1_2". If the B<SSL_CONF_FLAG_CMDLINE> flag is set then prefix checks are case diff --git a/doc/ssl/SSL_CTX_add_session.pod b/doc/ssl/SSL_CTX_add_session.pod index 4d4c32746e..fd782b3344 100644 --- a/doc/ssl/SSL_CTX_add_session.pod +++ b/doc/ssl/SSL_CTX_add_session.pod @@ -59,7 +59,7 @@ The following values are returned by all functions: session was not found in the cache. =item Z<>1 - + The operation succeeded. =back diff --git a/doc/ssl/SSL_CTX_flush_sessions.pod b/doc/ssl/SSL_CTX_flush_sessions.pod index 4c90016dab..e16775b7b8 100644 --- a/doc/ssl/SSL_CTX_flush_sessions.pod +++ b/doc/ssl/SSL_CTX_flush_sessions.pod @@ -26,7 +26,7 @@ As sessions will not be reused ones they are expired, they should be removed from the cache to save resources. This can either be done automatically whenever 255 new sessions were established (see L<SSL_CTX_set_session_cache_mode(3)>) -or manually by calling SSL_CTX_flush_sessions(). +or manually by calling SSL_CTX_flush_sessions(). The parameter B<tm> specifies the time which should be used for the expiration test, in most cases the actual time given by time(0) @@ -37,8 +37,6 @@ cache. When a session is found and removed, the remove_session_cb is however called to synchronize with the external cache (see L<SSL_CTX_sess_set_get_cb(3)>). -=head1 RETURN VALUES - =head1 SEE ALSO L<ssl(3)>, diff --git a/doc/ssl/SSL_CTX_sess_set_get_cb.pod b/doc/ssl/SSL_CTX_sess_set_get_cb.pod index 19924da3ca..e8aa8ee937 100644 --- a/doc/ssl/SSL_CTX_sess_set_get_cb.pod +++ b/doc/ssl/SSL_CTX_sess_set_get_cb.pod @@ -9,11 +9,11 @@ SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SS #include <openssl/ssl.h> void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, - int (*new_session_cb)(SSL *, SSL_SESSION *)); + int (*new_session_cb)(SSL *, SSL_SESSION *)); void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, - void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); + void (*remove_session_cb)(SSL_CTX *ctx, SSL_SESSION *)); void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, - SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *)); + SSL_SESSION (*get_session_cb)(SSL *, const unsigned char *, int, int *)); int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(struct ssl_st *ssl, SSL_SESSION *sess); void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess); @@ -22,7 +22,7 @@ SSL_CTX_sess_set_new_cb, SSL_CTX_sess_set_remove_cb, SSL_CTX_sess_set_get_cb, SS int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data, - int len, int *copy); + int len, int *copy); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_CTX_set1_curves.pod b/doc/ssl/SSL_CTX_set1_curves.pod index 5e99d65167..2429dfbe06 100644 --- a/doc/ssl/SSL_CTX_set1_curves.pod +++ b/doc/ssl/SSL_CTX_set1_curves.pod @@ -23,7 +23,7 @@ SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve - EC supported curve SSL_CTX_set1_curves() sets the supported curves for B<ctx> to B<clistlen> curves in the array B<clist>. The array consist of all NIDs of curves in preference order. For a TLS client the curves are used directly in the -supported curves extension. For a TLS server the curves are used to +supported curves extension. For a TLS server the curves are used to determine the set of shared curves. SSL_CTX_set1_curves_list() sets the supported curves for B<ctx> to @@ -34,7 +34,7 @@ SSL_set1_curves() and SSL_set1_curves_list() are similar except they set supported curves for the SSL structure B<ssl>. SSL_get1_curves() returns the set of supported curves sent by a client -in the supported curves extension. It returns the total number of +in the supported curves extension. It returns the total number of supported curves. The B<curves> parameter can be B<NULL> to simply return the number of curves for memory allocation purposes. The B<curves> array is in the form of a set of curve NIDs in preference diff --git a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod index 5343aa09df..fa6ce5611e 100644 --- a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod +++ b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod @@ -54,7 +54,7 @@ any client certificate chain. The chain store is used to build the certificate chain. If the mode B<SSL_MODE_NO_AUTO_CHAIN> is set or a certificate chain is -configured already (for example using the functions such as +configured already (for example using the functions such as L<SSL_CTX_add1_chain_cert(3)> or L<SSL_CTX_add_extra_chain_cert(3)>) then automatic chain building is disabled. diff --git a/doc/ssl/SSL_CTX_set_cert_store.pod b/doc/ssl/SSL_CTX_set_cert_store.pod index d53bf4fde4..27243f3ad5 100644 --- a/doc/ssl/SSL_CTX_set_cert_store.pod +++ b/doc/ssl/SSL_CTX_set_cert_store.pod @@ -46,7 +46,7 @@ X509_STORE object and its handling becomes available. The X509_STORE structure used by an SSL_CTX is used for verifying peer certificates and building certificate chains, it is also shared by -every child SSL structure. Applications wanting finer control can use +every child SSL structure. Applications wanting finer control can use functions such as SSL_CTX_set1_verify_cert_store() instead. =head1 RETURN VALUES diff --git a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod index 018335f00a..2eda8006c7 100644 --- a/doc/ssl/SSL_CTX_set_cert_verify_callback.pod +++ b/doc/ssl/SSL_CTX_set_cert_verify_callback.pod @@ -26,7 +26,7 @@ SSL_CTX_set_cert_verify_callback(), the supplied callback function is called instead. By setting I<callback> to NULL, the default behaviour is restored. When the verification must be performed, I<callback> will be called with -the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The +the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The argument I<arg> is specified by the application when setting I<callback>. I<callback> should return 1 to indicate verification success and 0 to @@ -35,7 +35,7 @@ returns 0, the handshake will fail. As the verification procedure may allow to continue the connection in case of failure (by always returning 1) the verification result must be set in any case using the B<error> member of I<x509_store_ctx> so that the calling application will be informed -about the detailed result of the verification procedure! +about the detailed result of the verification procedure! Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback> function set using L<SSL_CTX_set_verify(3)>. @@ -54,8 +54,6 @@ the B<verify_callback> function. =head1 BUGS -=head1 RETURN VALUES - SSL_CTX_set_cert_verify_callback() does not provide diagnostic information. =head1 SEE ALSO diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod index 57d3f0a5d0..c0656abbf2 100644 --- a/doc/ssl/SSL_CTX_set_client_CA_list.pod +++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod @@ -9,7 +9,7 @@ client certificate =head1 SYNOPSIS #include <openssl/ssl.h> - + void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list); void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list); int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *cacert); @@ -42,7 +42,7 @@ This list must explicitly be set using SSL_CTX_set_client_CA_list() for B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list specified overrides the previous setting. The CAs listed do not become trusted (B<list> only contains the names, not the complete certificates); use -L<SSL_CTX_load_verify_locations(3)> +L<SSL_CTX_load_verify_locations(3)> to additionally load them for verification. If the list of acceptable CAs is compiled in a file, the diff --git a/doc/ssl/SSL_CTX_set_custom_cli_ext.pod b/doc/ssl/SSL_CTX_set_custom_cli_ext.pod index 670ed4b6c1..07b5e94f25 100644 --- a/doc/ssl/SSL_CTX_set_custom_cli_ext.pod +++ b/doc/ssl/SSL_CTX_set_custom_cli_ext.pod @@ -9,41 +9,41 @@ SSL_CTX_add_client_custom_ext, SSL_CTX_add_server_custom_ext - custom TLS extens #include <openssl/ssl.h> int SSL_CTX_add_client_custom_ext(SSL_CTX *ctx, unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, void *add_arg, - custom_ext_parse_cb parse_cb, - void *parse_arg); + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, void *add_arg, + custom_ext_parse_cb parse_cb, + void *parse_arg); int SSL_CTX_add_server_custom_ext(SSL_CTX *ctx, unsigned int ext_type, - custom_ext_add_cb add_cb, - custom_ext_free_cb free_cb, void *add_arg, - custom_ext_parse_cb parse_cb, - void *parse_arg); + custom_ext_add_cb add_cb, + custom_ext_free_cb free_cb, void *add_arg, + custom_ext_parse_cb parse_cb, + void *parse_arg); int SSL_extension_supported(unsigned int ext_type); typedef int (*custom_ext_add_cb)(SSL *s, unsigned int ext_type, - const unsigned char **out, - size_t *outlen, int *al, - void *add_arg); + const unsigned char **out, + size_t *outlen, int *al, + void *add_arg); typedef void (*custom_ext_free_cb)(SSL *s, unsigned int ext_type, - const unsigned char *out, - void *add_arg); + const unsigned char *out, + void *add_arg); typedef int (*custom_ext_parse_cb)(SSL *s, unsigned int ext_type, - const unsigned char *in, - size_t inlen, int *al, - void *parse_arg); + const unsigned char *in, + size_t inlen, int *al, + void *parse_arg); =head1 DESCRIPTION -SSL_CTX_add_client_custom_ext() adds a custom extension for a TLS client +SSL_CTX_add_client_custom_ext() adds a custom extension for a TLS client with extension type B<ext_type> and callbacks B<add_cb>, B<free_cb> and B<parse_cb>. -SSL_CTX_add_server_custom_ext() adds a custom extension for a TLS server +SSL_CTX_add_server_custom_ext() adds a custom extension for a TLS server with extension type B<ext_type> and callbacks B<add_cb>, B<free_cb> and B<parse_cb>. @@ -55,7 +55,7 @@ internally by OpenSSL and 0 otherwise. =head1 EXTENSION CALLBACKS -The callback B<add_cb> is called to send custom extension data to be +The callback B<add_cb> is called to send custom extension data to be included in ClientHello for TLS clients or ServerHello for servers. The B<ext_type> parameter is set to the extension type which will be added and B<add_arg> to the value set when the extension handler was added. diff --git a/doc/ssl/SSL_CTX_set_generate_session_id.pod b/doc/ssl/SSL_CTX_set_generate_session_id.pod index 968be766bb..170f743f4e 100644 --- a/doc/ssl/SSL_CTX_set_generate_session_id.pod +++ b/doc/ssl/SSL_CTX_set_generate_session_id.pod @@ -14,7 +14,7 @@ SSL_CTX_set_generate_session_id, SSL_set_generate_session_id, SSL_has_matching_s int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb); int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB, cb); int SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, - unsigned int id_len); + unsigned int id_len); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_CTX_set_info_callback.pod b/doc/ssl/SSL_CTX_set_info_callback.pod index fd1dee90e9..f20284f506 100644 --- a/doc/ssl/SSL_CTX_set_info_callback.pod +++ b/doc/ssl/SSL_CTX_set_info_callback.pod @@ -110,40 +110,40 @@ The following example callback function prints state strings, information about alerts being handled and error messages to the B<bio_err> BIO. void apps_ssl_info_callback(SSL *s, int where, int ret) - { - const char *str; - int w; - - w=where& ~SSL_ST_MASK; - - if (w & SSL_ST_CONNECT) str="SSL_connect"; - else if (w & SSL_ST_ACCEPT) str="SSL_accept"; - else str="undefined"; - - if (where & SSL_CB_LOOP) - { - BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s)); - } - else if (where & SSL_CB_ALERT) - { - str=(where & SSL_CB_READ)?"read":"write"; - BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n", - str, - SSL_alert_type_string_long(ret), - SSL_alert_desc_string_long(ret)); - } - else if (where & SSL_CB_EXIT) - { - if (ret == 0) - BIO_printf(bio_err,"%s:failed in %s\n", - str,SSL_state_string_long(s)); - else if (ret < 0) - { - BIO_printf(bio_err,"%s:error in %s\n", - str,SSL_state_string_long(s)); - } - } - } + { + const char *str; + int w; + + w=where& ~SSL_ST_MASK; + + if (w & SSL_ST_CONNECT) str="SSL_connect"; + else if (w & SSL_ST_ACCEPT) str="SSL_accept"; + else str="undefined"; + + if (where & SSL_CB_LOOP) + { + BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s)); + } + else if (where & SSL_CB_ALERT) + { + str=(where & SSL_CB_READ)?"read":"write"; + BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n", + str, + SSL_alert_type_string_long(ret), + SSL_alert_desc_string_long(ret)); + } + else if (where & SSL_CB_EXIT) + { + if (ret == 0) + BIO_printf(bio_err,"%s:failed in %s\n", + str,SSL_state_string_long(s)); + else if (ret < 0) + { + BIO_printf(bio_err,"%s:error in %s\n", + str,SSL_state_string_long(s)); + } + } + } =head1 SEE ALSO diff --git a/doc/ssl/SSL_CTX_set_psk_client_callback.pod b/doc/ssl/SSL_CTX_set_psk_client_callback.pod index 6895152856..c780bec7c3 100644 --- a/doc/ssl/SSL_CTX_set_psk_client_callback.pod +++ b/doc/ssl/SSL_CTX_set_psk_client_callback.pod @@ -9,13 +9,13 @@ SSL_CTX_set_psk_client_callback, SSL_set_psk_client_callback - set PSK client ca #include <openssl/ssl.h> void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, - unsigned int (*callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, - unsigned char *psk, unsigned int max_psk_len)); + unsigned int (*callback)(SSL *ssl, const char *hint, + char *identity, unsigned int max_identity_len, + unsigned char *psk, unsigned int max_psk_len)); void SSL_set_psk_client_callback(SSL *ssl, - unsigned int (*callback)(SSL *ssl, const char *hint, - char *identity, unsigned int max_identity_len, - unsigned char *psk, unsigned int max_psk_len)); + unsigned int (*callback)(SSL *ssl, const char *hint, + char *identity, unsigned int max_identity_len, + unsigned char *psk, unsigned int max_psk_len)); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_CTX_set_security_level.pod b/doc/ssl/SSL_CTX_set_security_level.pod index 446ab1a15b..60c3e44213 100644 --- a/doc/ssl/SSL_CTX_set_security_level.pod +++ b/doc/ssl/SSL_CTX_set_security_level.pod @@ -15,12 +15,12 @@ SSL_CTX_set_security_level, SSL_set_security_level, SSL_CTX_get_security_level, int SSL_get_security_level(const SSL *s); void SSL_CTX_set_security_callback(SSL_CTX *ctx, - int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, - void *other, void *ex)); + int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, + void *other, void *ex)); void SSL_set_security_callback(SSL *s, - int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, - void *other, void *ex)); + int (*cb)(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, + void *other, void *ex)); int (*SSL_CTX_get_security_callback(const SSL_CTX *ctx))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); int (*SSL_get_security_callback(const SSL *s))(SSL *s, SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex); diff --git a/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/doc/ssl/SSL_CTX_set_session_cache_mode.pod index d891372295..d7a4c1cce7 100644 --- a/doc/ssl/SSL_CTX_set_session_cache_mode.pod +++ b/doc/ssl/SSL_CTX_set_session_cache_mode.pod @@ -26,7 +26,7 @@ SSL_CTX object is being maintained, the sessions are unique for each SSL_CTX object. In order to reuse a session, a client must send the session's id to the -server. It can only send exactly one id. The server then either +server. It can only send exactly one id. The server then either agrees to reuse the session or it starts a full handshake (to create a new session). diff --git a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod index 4ae381861a..4d9cd5e19e 100644 --- a/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod +++ b/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod @@ -10,13 +10,13 @@ SSL_CTX_set_tlsext_ticket_key_cb - set a callback for session ticket processing long SSL_CTX_set_tlsext_ticket_key_cb(SSL_CTX sslctx, int (*cb)(SSL *s, unsigned char key_name[16], - unsigned char iv[EVP_MAX_IV_LENGTH], - EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)); + unsigned char iv[EVP_MAX_IV_LENGTH], + EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)); =head1 DESCRIPTION SSL_CTX_set_tlsext_ticket_key_cb() sets a callback function I<cb> for handling -session tickets for the ssl context I<sslctx>. Session tickets, defined in +session tickets for the ssl context I<sslctx>. Session tickets, defined in RFC5077 provide an enhanced session resumption capability where the server implementation is not required to maintain per session state. It only applies to TLS and there is no SSLv3 implementation. @@ -26,9 +26,9 @@ session when session ticket extension is presented in the TLS hello message. It is the responsibility of this function to create or retrieve the cryptographic parameters and to maintain their state. -The OpenSSL library uses your callback function to help implement a common TLS +The OpenSSL library uses your callback function to help implement a common TLS ticket construction state according to RFC5077 Section 4 such that per session -state is unnecessary and a small set of cryptographic variables needs to be +state is unnecessary and a small set of cryptographic variables needs to be maintained by the callback function implementation. In order to reuse a session, a TLS client must send the a session ticket @@ -56,7 +56,7 @@ I<ctx> should use the initialisation vector I<iv>. The cipher context can be set using L<EVP_EncryptInit_ex(3)>. The hmac context can be set using L<HMAC_Init_ex(3)>. -When the client presents a session ticket, the callback function with be called +When the client presents a session ticket, the callback function with be called with I<enc> set to 0 indicating that the I<cb> function should retrieve a set of parameters. In this case I<name> and I<iv> have already been parsed out of the session ticket. The OpenSSL library expects that the I<name> will be used @@ -76,7 +76,7 @@ further processing will occur. The following return values have meaning: =item Z<>2 -This indicates that the I<ctx> and I<hctx> have been set and the session can +This indicates that the I<ctx> and I<hctx> have been set and the session can continue on those parameters. Additionally it indicates that the session ticket is in a renewal period and should be replaced. The OpenSSL library will call I<cb> again with an enc argument of 1 to set the new ticket (see RFC5077 @@ -84,12 +84,12 @@ call I<cb> again with an enc argument of 1 to set the new ticket (see RFC5077 =item Z<>1 -This indicates that the I<ctx> and I<hctx> have been set and the session can +This indicates that the I<ctx> and I<hctx> have been set and the session can continue on those parameters. =item Z<>0 -This indicates that it was not possible to set/retrieve a session ticket and +This indicates that it was not possible to set/retrieve a session ticket and the SSL/TLS session will continue by negotiating a set of cryptographic parameters or using the alternate SSL/TLS resumption mechanism, session ids. @@ -133,7 +133,7 @@ Reference Implementation: if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) ) { return -1; /* insufficient random */ } - + key = currentkey(); /* something that you need to implement */ if ( !key ) { /* current key doesn't exist or isn't valid */ @@ -146,19 +146,19 @@ Reference Implementation: } } memcpy(key_name, key->name, 16); - + EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv); HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); - + return 1; - + } else { /* retrieve session */ key = findkey(name); - + if (!key || key->expire < now() ) { return 0; } - + HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL); EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv ); @@ -167,7 +167,7 @@ Reference Implementation: return 2; } return 1; - + } } diff --git a/doc/ssl/SSL_CTX_set_verify.pod b/doc/ssl/SSL_CTX_set_verify.pod index e1cd4d2b2f..60b0d179b0 100644 --- a/doc/ssl/SSL_CTX_set_verify.pod +++ b/doc/ssl/SSL_CTX_set_verify.pod @@ -208,7 +208,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). preverify_ok = 0; err = X509_V_ERR_CERT_CHAIN_TOO_LONG; X509_STORE_CTX_set_error(ctx, err); - } + } if (!preverify_ok) { printf("verify error:num=%d:%s:depth=%d:%s\n", err, X509_verify_cert_error_string(err), depth, buf); @@ -258,7 +258,7 @@ L<SSL_get_ex_data_X509_STORE_CTX_idx(3)>). SSL_set_ex_data(ssl, mydata_index, &mydata); ... - SSL_accept(ssl); /* check of success left out for clarity */ + SSL_accept(ssl); /* check of success left out for clarity */ if (peer = SSL_get_peer_certificate(ssl)) { if (SSL_get_verify_result(ssl) == X509_V_OK) diff --git a/doc/ssl/SSL_CTX_use_certificate.pod b/doc/ssl/SSL_CTX_use_certificate.pod index 79b13873e1..4f39abb2d8 100644 --- a/doc/ssl/SSL_CTX_use_certificate.pod +++ b/doc/ssl/SSL_CTX_use_certificate.pod @@ -20,7 +20,7 @@ SSL_CTX_use_certificate, SSL_CTX_use_certificate_ASN1, SSL_CTX_use_certificate_f int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey); int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx, unsigned char *d, - long len); + long len); int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len); @@ -67,7 +67,7 @@ SSL_use_certificate_file() loads the certificate from B<file> into B<ssl>. See the NOTES section on why SSL_CTX_use_certificate_chain_file() should be preferred. -SSL_CTX_use_certificate_chain_file() loads a certificate chain from +SSL_CTX_use_certificate_chain_file() loads a certificate chain from B<file> into B<ctx>. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and @@ -82,7 +82,7 @@ If a certificate has already been set and the private does not belong to the certificate an error is returned. To change a certificate, private key pair the new certificate needs to be set with SSL_use_certificate() or SSL_CTX_use_certificate() before setting the private key with -SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey(). +SSL_CTX_use_PrivateKey() or SSL_use_PrivateKey(). SSL_CTX_use_PrivateKey_ASN1() adds the private key of type B<pk> @@ -109,14 +109,14 @@ the same check for B<ssl>. If no key/certificate was explicitly added for this B<ssl>, the last item added into B<ctx> will be checked. =head1 NOTES - + The internal certificate store of OpenSSL can hold several private key/certificate pairs at a time. The certificate used depends on the cipher selected, see also L<SSL_CTX_set_cipher_list(3)>. When reading certificates and private keys from file, files of type SSL_FILETYPE_ASN1 (also known as B<DER>, binary encoding) can only contain -one certificate or private key, consequently +one certificate or private key, consequently SSL_CTX_use_certificate_chain_file() is only applicable to PEM formatting. Files of type SSL_FILETYPE_PEM can contain more than one item. @@ -124,7 +124,7 @@ SSL_CTX_use_certificate_chain_file() adds the first certificate found in the file to the certificate store. The other certificates are added to the store of chain certificates using L<SSL_CTX_add1_chain_cert(3)>. Note: versions of OpenSSL before 1.0.2 only had a single certificate chain store for all certificate types, OpenSSL 1.0.2 and later -have a separate chain store for each type. SSL_CTX_use_certificate_chain_file() +have a separate chain store for each type. SSL_CTX_use_certificate_chain_file() should be used instead of the SSL_CTX_use_certificate_file() function in order to allow the use of complete certificate chains even when no trusted CA storage is used or when the CA issuing the certificate shall not be added to diff --git a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod index 27a46c3406..b45b2d3997 100644 --- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod +++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod @@ -6,7 +6,6 @@ SSL_CTX_use_psk_identity_hint, SSL_use_psk_identity_hint, SSL_CTX_set_psk_server_callback, SSL_set_psk_server_callback - set PSK identity hint to use - =head1 SYNOPSIS #include <openssl/ssl.h> @@ -15,11 +14,11 @@ identity hint to use int SSL_use_psk_identity_hint(SSL *ssl, const char *hint); void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, - unsigned int (*callback)(SSL *ssl, const char *identity, - unsigned char *psk, int max_psk_len)); + unsigned int (*callback)(SSL *ssl, const char *identity, + unsigned char *psk, int max_psk_len)); void SSL_set_psk_server_callback(SSL *ssl, - unsigned int (*callback)(SSL *ssl, const char *identity, - unsigned char *psk, int max_psk_len)); + unsigned int (*callback)(SSL *ssl, const char *identity, + unsigned char *psk, int max_psk_len)); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_CTX_use_serverinfo.pod b/doc/ssl/SSL_CTX_use_serverinfo.pod index bafb1a8302..6b1cdf14cd 100644 --- a/doc/ssl/SSL_CTX_use_serverinfo.pod +++ b/doc/ssl/SSL_CTX_use_serverinfo.pod @@ -20,8 +20,8 @@ A "serverinfo" extension is returned in response to an empty ClientHello Extension. SSL_CTX_use_serverinfo() loads one or more serverinfo extensions from -a byte array into B<ctx>. The extensions must be concatenated into a -sequence of bytes. Each extension must consist of a 2-byte Extension Type, +a byte array into B<ctx>. The extensions must be concatenated into a +sequence of bytes. Each extension must consist of a 2-byte Extension Type, a 2-byte length, and then length bytes of extension_data. SSL_CTX_use_serverinfo_file() loads one or more serverinfo extensions from @@ -38,19 +38,12 @@ use the serverinfo extension for multiple certificates, SSL_CTX_use_serverinfo() needs to be called multiple times, once B<after> each time a certificate is loaded. -=head1 NOTES - =head1 RETURN VALUES On success, the functions return 1. On failure, the functions return 0. Check out the error stack to find out the reason. -=head1 SEE ALSO - -=head1 HISTORY - - =cut =head1 COPYRIGHT diff --git a/doc/ssl/SSL_SESSION_get_time.pod b/doc/ssl/SSL_SESSION_get_time.pod index 911b7e6053..c032856424 100644 --- a/doc/ssl/SSL_SESSION_get_time.pod +++ b/doc/ssl/SSL_SESSION_get_time.pod @@ -52,7 +52,7 @@ valid values. SSL_SESSION_set_time() and SSL_SESSION_set_timeout() return 1 on success. -If any of the function is passed the NULL pointer for the session B<s>, +If any of the function is passed the NULL pointer for the session B<s>, 0 is returned. =head1 SEE ALSO diff --git a/doc/ssl/SSL_accept.pod b/doc/ssl/SSL_accept.pod index b3563e4c4b..88d6e8f318 100644 --- a/doc/ssl/SSL_accept.pod +++ b/doc/ssl/SSL_accept.pod @@ -18,7 +18,7 @@ B<ssl> by setting an underlying B<BIO>. =head1 NOTES -The behaviour of SSL_accept() depends on the underlying BIO. +The behaviour of SSL_accept() depends on the underlying BIO. If the underlying BIO is B<blocking>, SSL_accept() will only return once the handshake has been finished or an error occurred. diff --git a/doc/ssl/SSL_alert_type_string.pod b/doc/ssl/SSL_alert_type_string.pod index d889ddab05..2711c9cfa5 100644 --- a/doc/ssl/SSL_alert_type_string.pod +++ b/doc/ssl/SSL_alert_type_string.pod @@ -217,7 +217,7 @@ point. This message is always a warning. =item "UP"/"unknown PSK identity" Sent by the server to indicate that it does not recognize a PSK -identity or an SRP identity. +identity or an SRP identity. =item "UK"/"unknown" diff --git a/doc/ssl/SSL_connect.pod b/doc/ssl/SSL_connect.pod index 34ee086793..7c69e5df0a 100644 --- a/doc/ssl/SSL_connect.pod +++ b/doc/ssl/SSL_connect.pod @@ -18,7 +18,7 @@ underlying B<BIO>. =head1 NOTES -The behaviour of SSL_connect() depends on the underlying BIO. +The behaviour of SSL_connect() depends on the underlying BIO. If the underlying BIO is B<blocking>, SSL_connect() will only return once the handshake has been finished or an error occurred. diff --git a/doc/ssl/SSL_get_client_CA_list.pod b/doc/ssl/SSL_get_client_CA_list.pod index be79112b7c..2cf5b7d7aa 100644 --- a/doc/ssl/SSL_get_client_CA_list.pod +++ b/doc/ssl/SSL_get_client_CA_list.pod @@ -9,7 +9,7 @@ SSL_get_client_CA_list, SSL_CTX_get_client_CA_list - get list of client CAs #include <openssl/ssl.h> STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s); - STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); + STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx); =head1 DESCRIPTION diff --git a/doc/ssl/SSL_get_current_cipher.pod b/doc/ssl/SSL_get_current_cipher.pod index 46d38d0c11..66918b4071 100644 --- a/doc/ssl/SSL_get_current_cipher.pod +++ b/doc/ssl/SSL_get_current_cipher.pod @@ -27,7 +27,7 @@ the B<ssl> object. SSL_get_cipher() and SSL_get_cipher_name() are identical macros to obtain the name of the currently used cipher. SSL_get_cipher_bits() is a -macro to obtain the number of secret/algorithm bits used and +macro to obtain the number of secret/algorithm bits used and SSL_get_cipher_version() returns the protocol name. See L<SSL_CIPHER_get_name(3)> for more details. diff --git a/doc/ssl/SSL_get_psk_identity.pod b/doc/ssl/SSL_get_psk_identity.pod index e75e38cc86..c54f42978d 100644 --- a/doc/ssl/SSL_get_psk_identity.pod +++ b/doc/ssl/SSL_get_psk_identity.pod @@ -4,7 +4,6 @@ SSL_get_psk_identity, SSL_get_psk_identity_hint - get PSK client identity and hint - =head1 SYNOPSIS #include <openssl/ssl.h> diff --git a/doc/ssl/SSL_library_init.pod b/doc/ssl/SSL_library_init.pod index 0235e724bb..f838b7aff3 100644 --- a/doc/ssl/SSL_library_init.pod +++ b/doc/ssl/SSL_library_init.pod @@ -21,7 +21,7 @@ OpenSSL_add_ssl_algorithms() is a synonym for SSL_library_init(). =head1 NOTES SSL_library_init() must be called before any other action takes place. -SSL_library_init() is not reentrant. +SSL_library_init() is not reentrant. =head1 WARNING diff --git a/doc/ssl/SSL_load_client_CA_file.pod b/doc/ssl/SSL_load_client_CA_file.pod index 86b14b41ee..0db6cf10a1 100644 --- a/doc/ssl/SSL_load_client_CA_file.pod +++ b/doc/ssl/SSL_load_client_CA_file.pod @@ -30,7 +30,7 @@ Load names of CAs from file and use it as a client CA list: SSL_CTX *ctx; STACK_OF(X509_NAME) *cert_names; - ... + ... cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem"); if (cert_names != NULL) SSL_CTX_set_client_CA_list(ctx, cert_names); diff --git a/doc/ssl/SSL_read.pod b/doc/ssl/SSL_read.pod index 95b8c22ab3..18efc7659c 100644 --- a/doc/ssl/SSL_read.pod +++ b/doc/ssl/SSL_read.pod @@ -22,7 +22,7 @@ not already explicitly performed by L<SSL_connect(3)> or L<SSL_accept(3)>. If the peer requests a re-negotiation, it will be performed transparently during the SSL_read() operation. The behaviour of SSL_read() depends on the -underlying BIO. +underlying BIO. For the transparent negotiation to succeed, the B<ssl> must have been initialized to client or server mode. This is being done by calling @@ -47,7 +47,7 @@ record is complete and SSL_read() can succeed. If the underlying BIO is B<blocking>, SSL_read() will only return, once the read operation has been finished or an error occurred, except when a -renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the L<SSL_CTX_set_mode(3)> call. diff --git a/doc/ssl/SSL_set1_host.pod b/doc/ssl/SSL_set1_host.pod index 47e2e66819..1483c4a750 100644 --- a/doc/ssl/SSL_set1_host.pod +++ b/doc/ssl/SSL_set1_host.pod @@ -2,8 +2,8 @@ =head1 NAME - SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername - - SSL server verification parameters +SSL_set1_host, SSL_add1_host, SSL_set_hostflags, SSL_get0_peername - +SSL server verification parameters =head1 SYNOPSIS @@ -72,8 +72,6 @@ applicable (as with RFC7671 DANE-EE(3)), or no trusted peername was matched. Otherwise, it returns the matched peername. To determine whether verification succeeded call L<SSL_get_verify_result(3)>. -=head1 NOTES - =head1 EXAMPLE Suppose "smtp.example.com" is the MX host of the domain "example.com". diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod index 990a181748..b698d94d89 100644 --- a/doc/ssl/SSL_shutdown.pod +++ b/doc/ssl/SSL_shutdown.pod @@ -12,7 +12,7 @@ SSL_shutdown - shut down a TLS/SSL connection =head1 DESCRIPTION -SSL_shutdown() shuts down an active TLS/SSL connection. It sends the +SSL_shutdown() shuts down an active TLS/SSL connection. It sends the "close notify" shutdown alert to the peer. =head1 NOTES @@ -62,7 +62,7 @@ It is therefore recommended, to check the return value of SSL_shutdown() and call SSL_shutdown() again, if the bidirectional shutdown is not yet complete (return value of the first call is 0). -The behaviour of SSL_shutdown() additionally depends on the underlying BIO. +The behaviour of SSL_shutdown() additionally depends on the underlying BIO. If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the handshake step has been finished or an error occurred. diff --git a/doc/ssl/SSL_write.pod b/doc/ssl/SSL_write.pod index 42afbd51b0..838ae3f052 100644 --- a/doc/ssl/SSL_write.pod +++ b/doc/ssl/SSL_write.pod @@ -22,7 +22,7 @@ not already explicitly performed by L<SSL_connect(3)> or L<SSL_accept(3)>. If the peer requests a re-negotiation, it will be performed transparently during the SSL_write() operation. The behaviour of SSL_write() depends on the -underlying BIO. +underlying BIO. For the transparent negotiation to succeed, the B<ssl> must have been initialized to client or server mode. This is being done by calling @@ -31,7 +31,7 @@ before the first call to an L<SSL_read(3)> or SSL_write() function. If the underlying BIO is B<blocking>, SSL_write() will only return, once the write operation has been finished or an error occurred, except when a -renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. +renegotiation take place, in which case a SSL_ERROR_WANT_READ may occur. This behaviour can be controlled with the SSL_MODE_AUTO_RETRY flag of the L<SSL_CTX_set_mode(3)> call. diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod index 863c360377..fbda108842 100644 --- a/doc/ssl/ssl.pod +++ b/doc/ssl/ssl.pod @@ -1,12 +1,9 @@ - =pod =head1 NAME SSL - OpenSSL SSL/TLS library -=head1 SYNOPSIS - =head1 DESCRIPTION The OpenSSL B<ssl> library implements the Secure Sockets Layer (SSL v2/v3) and |