106 deps/openssl/openssl/crypto/pkcs7/t/msie-enc-02.pem
View file

This file was deleted.

91 deps/openssl/openssl/crypto/pkcs7/t/msie-s-a-e
View file

This file was deleted.

106 deps/openssl/openssl/crypto/pkcs7/t/msie-s-a-e.pem
View file

This file was deleted.

157 deps/openssl/openssl/crypto/pkcs7/t/nav-smime
View file

This file was deleted.

57 deps/openssl/openssl/crypto/pkcs7/t/s.pem
View file

This file was deleted.

57 deps/openssl/openssl/crypto/pkcs7/t/server.pem
View file

This file was deleted.

263 deps/openssl/openssl/crypto/pkcs7/verify.c
View file

This file was deleted.

24 deps/openssl/openssl/crypto/rand/md_rand.c
View file
@@ -159,7 +159,6 @@ const char RAND_version[]="RAND" OPENSSL_VERSION_PTEXT;
static void ssleay_rand_cleanup(void);
static void ssleay_rand_seed(const void *buf, int num);
static void ssleay_rand_add(const void *buf, int num, double add_entropy);
static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo);
static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num);
static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num);
static int ssleay_rand_status(void);
@@ -334,7 +333,7 @@ static void ssleay_rand_seed(const void *buf, int num)
ssleay_rand_add(buf, num, (double)num);
}

static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock)
{
static volatile int stirred_pool = 0;
int i,j,k,st_num,st_idx;
@@ -383,10 +382,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
* are fed into the hash function and the results are kept in the
* global 'md'.
*/
#ifdef OPENSSL_FIPS
/* NB: in FIPS mode we are already under a lock */
if (!FIPS_mode())
#endif
if (lock)
CRYPTO_w_lock(CRYPTO_LOCK_RAND);

/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
@@ -466,9 +462,7 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)

/* before unlocking, we must clear 'crypto_lock_rand' */
crypto_lock_rand = 0;
#ifdef OPENSSL_FIPS
if (!FIPS_mode())
#endif
if (lock)
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);

while (num > 0)
@@ -521,15 +515,11 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)
MD_Init(&m);
MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
MD_Update(&m,local_md,MD_DIGEST_LENGTH);
#ifdef OPENSSL_FIPS
if (!FIPS_mode())
#endif
if (lock)
CRYPTO_w_lock(CRYPTO_LOCK_RAND);
MD_Update(&m,md,MD_DIGEST_LENGTH);
MD_Final(&m,md);
#ifdef OPENSSL_FIPS
if (!FIPS_mode())
#endif
if (lock)
CRYPTO_w_unlock(CRYPTO_LOCK_RAND);

EVP_MD_CTX_cleanup(&m);
@@ -548,14 +538,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo)

static int ssleay_rand_nopseudo_bytes(unsigned char *buf, int num)
{
return ssleay_rand_bytes(buf, num, 0);
return ssleay_rand_bytes(buf, num, 0, 1);
}

/* pseudo-random bytes that are guaranteed to be unique but not
unpredictable */
static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num)
{
return ssleay_rand_bytes(buf, num, 1);
return ssleay_rand_bytes(buf, num, 1, 1);
}

static int ssleay_rand_status(void)
1 deps/openssl/openssl/crypto/rand/rand_lcl.h
View file
@@ -154,5 +154,6 @@
#define MD(a,b,c) EVP_Digest(a,b,c,NULL,EVP_md2(), NULL)
#endif

int ssleay_rand_bytes(unsigned char *buf, int num, int pseudo, int lock);

#endif
3 deps/openssl/openssl/crypto/rand/rand_lib.c
View file
@@ -68,6 +68,7 @@
#ifdef OPENSSL_FIPS
#include <openssl/fips.h>
#include <openssl/fips_rand.h>
#include "rand_lcl.h"
#endif

#ifndef OPENSSL_NO_ENGINE
@@ -199,7 +200,7 @@ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
*pout = OPENSSL_malloc(min_len);
if (!*pout)
return 0;
if (RAND_SSLeay()->bytes(*pout, min_len) <= 0)
if (ssleay_rand_bytes(*pout, min_len, 0, 0) <= 0)
{
OPENSSL_free(*pout);
*pout = NULL;
1 deps/openssl/openssl/crypto/rand/randfile.c
View file
@@ -79,6 +79,7 @@
#endif
#ifndef OPENSSL_NO_POSIX_IO
# include <sys/stat.h>
# include <fcntl.h>
#endif

#ifdef _WIN32
2 deps/openssl/openssl/crypto/rsa/rsa_eay.c
View file
@@ -459,7 +459,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
if (padding == RSA_X931_PADDING)
{
BN_sub(f, rsa->n, ret);
if (BN_cmp(ret, f))
if (BN_cmp(ret, f) > 0)
res = f;
else
res = ret;
0 deps/openssl/openssl/crypto/sha/asm/sha256-x86_64.pl 100755 → 100644
View file
Empty file.
6 deps/openssl/openssl/crypto/srp/srp_lib.c
View file
@@ -89,6 +89,9 @@ static BIGNUM *srp_Calc_k(BIGNUM *N, BIGNUM *g)
int longg ;
int longN = BN_num_bytes(N);

if (BN_ucmp(g, N) >= 0)
return NULL;

if ((tmp = OPENSSL_malloc(longN)) == NULL)
return NULL;
BN_bn2bin(N,tmp) ;
@@ -121,6 +124,9 @@ BIGNUM *SRP_Calc_u(BIGNUM *A, BIGNUM *B, BIGNUM *N)
if ((A == NULL) ||(B == NULL) || (N == NULL))
return NULL;

if (BN_ucmp(A, N) >= 0 || BN_ucmp(B, N) >= 0)
return NULL;

longN= BN_num_bytes(N);

if ((cAB = OPENSSL_malloc(2*longN)) == NULL)
2 deps/openssl/openssl/crypto/ui/ui_lib.c
View file
@@ -916,9 +916,9 @@ int UI_set_result(UI *ui, UI_STRING *uis, const char *result)
break;
}
}
}
default:
break;
}
}
return 0;
}
24 deps/openssl/openssl/demos/eay/Makefile
View file

This file was deleted.

49 deps/openssl/openssl/demos/eay/base64.c
View file

This file was deleted.

105 deps/openssl/openssl/demos/eay/conn.c
View file

This file was deleted.

53 deps/openssl/openssl/demos/eay/loadrsa.c
View file

This file was deleted.

59 deps/openssl/openssl/demos/maurice/Makefile
View file

This file was deleted.

34 deps/openssl/openssl/demos/maurice/README
View file

This file was deleted.

77 deps/openssl/openssl/demos/maurice/cert.pem
View file

This file was deleted.

198 deps/openssl/openssl/demos/maurice/example1.c
View file

This file was deleted.

75 deps/openssl/openssl/demos/maurice/example2.c
View file

This file was deleted.

87 deps/openssl/openssl/demos/maurice/example3.c
View file

This file was deleted.

123 deps/openssl/openssl/demos/maurice/example4.c
View file

This file was deleted.

72 deps/openssl/openssl/demos/maurice/loadkeys.c
View file

This file was deleted.

19 deps/openssl/openssl/demos/maurice/loadkeys.h
View file

This file was deleted.

27 deps/openssl/openssl/demos/maurice/privkey.pem
View file

This file was deleted.

10 deps/openssl/openssl/doc/apps/asn1parse.pod
View file
@@ -15,6 +15,8 @@ B<openssl> B<asn1parse>
[B<-length number>]
[B<-i>]
[B<-oid filename>]
[B<-dump>]
[B<-dlimit num>]
[B<-strparse offset>]
[B<-genstr string>]
[B<-genconf file>]
@@ -64,6 +66,14 @@ indents the output according to the "depth" of the structures.
a file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
file is described in the NOTES section below.

=item B<-dump>

dump unknown data in hex format.

=item B<-dlimit num>

like B<-dump>, but only the first B<num> bytes are output.

=item B<-strparse offset>

parse the contents octets of the ASN.1 object starting at B<offset>. This
25 deps/openssl/openssl/doc/apps/ca.pod
View file
@@ -13,6 +13,8 @@ B<openssl> B<ca>
[B<-name section>]
[B<-gencrl>]
[B<-revoke file>]
[B<-status serial>]
[B<-updatedb>]
[B<-crl_reason reason>]
[B<-crl_hold instruction>]
[B<-crl_compromise time>]
@@ -26,6 +28,7 @@ B<openssl> B<ca>
[B<-md arg>]
[B<-policy arg>]
[B<-keyfile arg>]
[B<-keyform PEM|DER>]
[B<-key arg>]
[B<-passin arg>]
[B<-cert file>]
@@ -83,7 +86,7 @@ a single self signed certificate to be signed by the CA.

a file containing a single Netscape signed public key and challenge
and additional field values to be signed by the CA. See the B<SPKAC FORMAT>
section for information on the required format.
section for information on the required input and output format.

=item B<-infiles>

@@ -94,7 +97,7 @@ are assumed to the the names of files containing certificate requests.

the output file to output certificates to. The default is standard
output. The certificate details will also be printed out to this
file.
file in PEM format (except that B<-spkac> outputs DER format).

=item B<-outdir directory>

@@ -110,6 +113,11 @@ the CA certificate file.

the private key to sign requests with.

=item B<-keyform PEM|DER>

the format of the data in the private key file.
The default is PEM.

=item B<-key password>

the password used to encrypt the private key. Since on some
@@ -267,6 +275,15 @@ the number of hours before the next CRL is due.

a filename containing a certificate to revoke.

=item B<-status serial>

displays the revocation status of the certificate with the specified
serial number and exits.

=item B<-updatedb>

Updates the database index to purge expired certificates.

=item B<-crl_reason reason>

revocation reason, where B<reason> is one of: B<unspecified>, B<keyCompromise>,
@@ -499,6 +516,10 @@ the SPKAC and also the required DN components as name value pairs.
If you need to include the same component twice then it can be
preceded by a number and a '.'.

When processing SPKAC format, the output is DER if the B<-out>
flag is used, but PEM format if sending to stdout or the B<-outdir>
flag is used.

=head1 EXAMPLES

Note: these examples assume that the B<ca> directory structure is
195 deps/openssl/openssl/doc/apps/ciphers.pod
View file
@@ -36,7 +36,7 @@ SSL v2 and for SSL v3/TLS v1.

=item B<-V>

Like B<-V>, but include cipher suite codes in output (hex format).
Like B<-v>, but include cipher suite codes in output (hex format).

=item B<-ssl3>

@@ -116,8 +116,8 @@ specified.
=item B<COMPLEMENTOFDEFAULT>

the ciphers included in B<ALL>, but not enabled by default. Currently
this is B<ADH>. Note that this rule does not cover B<eNULL>, which is
not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
this is B<ADH> and B<AECDH>. Note that this rule does not cover B<eNULL>,
which is not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).

=item B<ALL>

@@ -165,21 +165,58 @@ included.
=item B<aNULL>

the cipher suites offering no authentication. This is currently the anonymous
DH algorithms. These cipher suites are vulnerable to a "man in the middle"
attack and so their use is normally discouraged.
DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable
to a "man in the middle" attack and so their use is normally discouraged.

=item B<kRSA>, B<RSA>

cipher suites using RSA key exchange.

=item B<kDHr>, B<kDHd>, B<kDH>

cipher suites using DH key agreement and DH certificates signed by CAs with RSA
and DSS keys or either respectively. Not implemented.

=item B<kEDH>

cipher suites using ephemeral DH key agreement.
cipher suites using ephemeral DH key agreement, including anonymous cipher
suites.

=item B<kDHr>, B<kDHd>
=item B<EDH>

cipher suites using DH key agreement and DH certificates signed by CAs with RSA
and DSS keys respectively. Not implemented.
cipher suites using authenticated ephemeral DH key agreement.

=item B<ADH>

anonymous DH cipher suites, note that this does not include anonymous Elliptic
Curve DH (ECDH) cipher suites.

=item B<DH>

cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH.

=item B<kECDHr>, B<kECDHe>, B<kECDH>

cipher suites using fixed ECDH key agreement signed by CAs with RSA and ECDSA
keys or either respectively.

=item B<kEECDH>

cipher suites using ephemeral ECDH key agreement, including anonymous
cipher suites.

=item B<EECDHE>

cipher suites using authenticated ephemeral ECDH key agreement.

=item B<AECDH>

anonymous Elliptic Curve Diffie Hellman cipher suites.

=item B<ECDH>

cipher suites using ECDH key exchange, including anonymous, ephemeral and
fixed ECDH.

=item B<aRSA>

@@ -194,30 +231,39 @@ cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
cipher suites effectively using DH authentication, i.e. the certificates carry
DH keys. Not implemented.

=item B<aECDH>

cipher suites effectively using ECDH authentication, i.e. the certificates
carry ECDH keys.

=item B<aECDSA>, B<ECDSA>

cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA
keys.

=item B<kFZA>, B<aFZA>, B<eFZA>, B<FZA>

ciphers suites using FORTEZZA key exchange, authentication, encryption or all
FORTEZZA algorithms. Not implemented.

=item B<TLSv1>, B<SSLv3>, B<SSLv2>

TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.
=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>

=item B<DH>

cipher suites using DH, including anonymous DH.
TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
there are no ciphersuites specific to TLS v1.1.

=item B<ADH>
=item B<AES128>, B<AES256>, B<AES>

anonymous DH cipher suites.
cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.

=item B<AES>
=item B<AESGCM>

cipher suites using AES.
AES in Galois Counter Mode (GCM): these ciphersuites are only supported
in TLS v1.2.

=item B<CAMELLIA>
=item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>

cipher suites using Camellia.
cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
CAMELLIA.

=item B<3DES>

@@ -251,6 +297,10 @@ cipher suites using MD5.

cipher suites using SHA1.

=item B<SHA256>, B<SHA384>

ciphersuites using SHA256 or SHA384.

=item B<aGOST>

cipher suites using GOST R 34.10 (either 2001 or 94) for authenticaction
@@ -277,6 +327,9 @@ cipher suites, using HMAC based on GOST R 34.11-94.

cipher suites using GOST 28147-89 MAC B<instead of> HMAC.

=item B<PSK>

cipher suites using pre-shared keys (PSK).

=back

@@ -423,7 +476,100 @@ Note: these ciphers can also be used in SSL v3.
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA
TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA

=head2 SSL v2.0 cipher suites.
=head2 Elliptic curve cipher suites.

TLS_ECDH_RSA_WITH_NULL_SHA ECDH-RSA-NULL-SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA ECDH-RSA-RC4-SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ECDH-RSA-DES-CBC3-SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ECDH-RSA-AES128-SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ECDH-RSA-AES256-SHA

TLS_ECDH_ECDSA_WITH_NULL_SHA ECDH-ECDSA-NULL-SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA ECDH-ECDSA-RC4-SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ECDH-ECDSA-DES-CBC3-SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH-ECDSA-AES128-SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH-ECDSA-AES256-SHA

TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE-RSA-NULL-SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE-RSA-RC4-SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE-RSA-DES-CBC3-SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE-RSA-AES128-SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE-RSA-AES256-SHA

TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE-ECDSA-NULL-SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE-ECDSA-RC4-SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE-ECDSA-DES-CBC3-SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE-ECDSA-AES128-SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE-ECDSA-AES256-SHA

TLS_ECDH_anon_WITH_NULL_SHA AECDH-NULL-SHA
TLS_ECDH_anon_WITH_RC4_128_SHA AECDH-RC4-SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH-DES-CBC3-SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH-AES128-SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH-AES256-SHA

=head2 TLS v1.2 cipher suites

TLS_RSA_WITH_NULL_SHA256 NULL-SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256 AES128-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 AES256-SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384

TLS_DH_RSA_WITH_AES_128_CBC_SHA256 Not implemented.
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 Not implemented.
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 Not implemented.
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 Not implemented.

TLS_DH_DSS_WITH_AES_128_CBC_SHA256 Not implemented.
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 Not implemented.
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 Not implemented.
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 Not implemented.

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE-RSA-AES256-SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE-RSA-AES128-GCM-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE-RSA-AES256-GCM-SHA384

TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE-DSS-AES128-SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE-DSS-AES256-SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE-DSS-AES128-GCM-SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE-DSS-AES256-GCM-SHA384

TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ECDH-RSA-AES128-SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH-RSA-AES256-SHA384
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH-RSA-AES128-GCM-SHA256
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 ECDH-RSA-AES256-GCM-SHA384

TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH-ECDSA-AES128-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH-ECDSA-AES256-SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH-ECDSA-AES128-GCM-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH-ECDSA-AES256-GCM-SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE-RSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE-RSA-AES256-SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE-RSA-AES256-GCM-SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE-ECDSA-AES128-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE-ECDSA-AES256-SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384

TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH-AES128-SHA256
TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH-AES256-SHA256
TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH-AES128-GCM-SHA256
TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH-AES256-GCM-SHA384

=head2 Pre shared keying (PSK) cipheruites

TLS_PSK_WITH_RC4_128_SHA PSK-RC4-SHA
TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA
TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA
TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA

=head2 Deprecated SSL v2.0 cipher suites.

SSL_CK_RC4_128_WITH_MD5 RC4-MD5
SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
@@ -452,6 +598,11 @@ strength:

openssl ciphers -v 'ALL:!ADH:@STRENGTH'

Include all ciphers except ones with no encryption (eNULL) or no
authentication (aNULL):

openssl ciphers -v 'ALL:!aNULL'

Include only 3DES ciphers and then place RSA ciphers last:

openssl ciphers -v '3DES:+RSA'
2 deps/openssl/openssl/doc/apps/cms.pod
View file
@@ -143,7 +143,7 @@ output an error.

=item B<-EncryptedData_encrypt>

Encrypt suppled content using supplied symmetric key and algorithm using a CMS
Encrypt content using supplied symmetric key and algorithm using a CMS
B<EncrytedData> type and output the content.

=item B<-sign_receipt>
6 deps/openssl/openssl/doc/apps/crl.pod
View file
@@ -12,6 +12,7 @@ B<openssl> B<crl>
[B<-text>]
[B<-in filename>]
[B<-out filename>]
[B<-nameopt option>]
[B<-noout>]
[B<-hash>]
[B<-issuer>]
@@ -53,6 +54,11 @@ default.

print out the CRL in text form.

=item B<-nameopt option>

option which determines how the subject or issuer names are displayed. See
the description of B<-nameopt> in L<x509(1)|x509(1)>.

=item B<-noout>

don't output the encoded version of the CRL.
5 deps/openssl/openssl/doc/apps/dhparam.pod
View file
@@ -12,6 +12,7 @@ B<openssl dhparam>
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-dsaparam>]
[B<-check>]
[B<-noout>]
[B<-text>]
[B<-C>]
@@ -64,6 +65,10 @@ exchange more efficient. Beware that with such DSA-style DH
parameters, a fresh DH key should be created for each use to
avoid small-subgroup attacks that may be possible otherwise.

=item B<-check>

check if the parameters are valid primes and generator.

=item B<-2>, B<-5>

The generator to use, either 2 or 5. 2 is the default. If present then the
12 deps/openssl/openssl/doc/apps/dsa.pod
View file
@@ -13,6 +13,12 @@ B<openssl> B<dsa>
[B<-passin arg>]
[B<-out filename>]
[B<-passout arg>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
[B<-des>]
[B<-des3>]
[B<-idea>]
@@ -74,10 +80,10 @@ filename.
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-des|-des3|-idea>
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>

These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
means that using the B<dsa> utility to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by
2 deps/openssl/openssl/doc/apps/ecparam.pod
View file
@@ -16,7 +16,7 @@ B<openssl ecparam>
[B<-C>]
[B<-check>]
[B<-name arg>]
[B<-list_curve>]
[B<-list_curves>]
[B<-conv_form arg>]
[B<-param_enc arg>]
[B<-no_seed>]
12 deps/openssl/openssl/doc/apps/gendsa.pod
View file
@@ -8,6 +8,12 @@ gendsa - generate a DSA private key from a set of parameters

B<openssl> B<gendsa>
[B<-out filename>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
[B<-des>]
[B<-des3>]
[B<-idea>]
@@ -24,10 +30,10 @@ The B<gendsa> command generates a DSA private key from a DSA parameter file

=over 4

=item B<-des|-des3|-idea>
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>

These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
These options encrypt the private key with specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified no encryption is used.

=item B<-rand file(s)>
18 deps/openssl/openssl/doc/apps/genrsa.pod
View file
@@ -9,6 +9,18 @@ genrsa - generate an RSA private key
B<openssl> B<genrsa>
[B<-out filename>]
[B<-passout arg>]
[B<-aes128>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
[B<-des>]
[B<-des3>]
[B<-idea>]
@@ -36,10 +48,10 @@ used.
the output file password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-des|-des3|-idea>
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>

These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. If none of these options is
These options encrypt the private key with specified
cipher before outputting it. If none of these options is
specified no encryption is used. If encryption is used a pass phrase is prompted
for if it is not supplied via the B<-passout> argument.

12 deps/openssl/openssl/doc/apps/rsa.pod
View file
@@ -15,6 +15,12 @@ B<openssl> B<rsa>
[B<-out filename>]
[B<-passout arg>]
[B<-sgckey>]
[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
[B<-des>]
[B<-des3>]
[B<-idea>]
@@ -82,10 +88,10 @@ see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
use the modified NET algorithm used with some versions of Microsoft IIS and SGC
keys.

=item B<-des|-des3|-idea>
=item B<-aes128|-aes192|-aes256|-camellia128|-camellia192|-camellia256|-des|-des3|-idea>

These options encrypt the private key with the DES, triple DES, or the
IDEA ciphers respectively before outputting it. A pass phrase is prompted for.
These options encrypt the private key with the specified
cipher before outputting it. A pass phrase is prompted for.
If none of these options is specified the key is written in plain text. This
means that using the B<rsa> utility to read in an encrypted key with no
encryption option can be used to remove the pass phrase from a key, or by
34 deps/openssl/openssl/doc/apps/s_client.pod
View file
@@ -9,6 +9,7 @@ s_client - SSL/TLS client program

B<openssl> B<s_client>
[B<-connect host:port>]
[B<-servername name>]
[B<-verify depth>]
[B<-verify_return_error>]
[B<-cert filename>]
@@ -28,6 +29,7 @@ B<openssl> B<s_client>
[B<-nbio>]
[B<-crlf>]
[B<-ign_eof>]
[B<-no_ign_eof>]
[B<-quiet>]
[B<-ssl2>]
[B<-ssl3>]
@@ -37,13 +39,16 @@ B<openssl> B<s_client>
[B<-no_tls1>]
[B<-bugs>]
[B<-cipher cipherlist>]
[B<-serverpref>]
[B<-starttls protocol>]
[B<-engine id>]
[B<-tlsextdebug>]
[B<-no_ticket>]
[B<-sess_out filename>]
[B<-sess_in filename>]
[B<-rand file(s)>]
[B<-status>]
[B<-nextprotoneg protocols>]

=head1 DESCRIPTION

@@ -60,6 +65,10 @@ SSL servers.
This specifies the host and optional port to connect to. If not specified
then an attempt is made to connect to the local host on port 4433.

=item B<-servername name>

Set the TLS SNI (Server Name Indication) extension in the ClientHello message.

=item B<-cert certname>

The certificate to use, if one is requested by the server. The default is
@@ -172,6 +181,11 @@ input.
inhibit printing of session and certificate information. This implicitly
turns on B<-ign_eof> as well.

=item B<-no_ign_eof>

shut down the connection when end of file is reached in the input.
Can be used to override the implicit B<-ign_eof> after B<-quiet>.

=item B<-psk_identity identity>

Use the PSK identity B<identity> when using a PSK cipher suite.
@@ -205,6 +219,10 @@ the server determines which cipher suite is used it should take the first
supported cipher in the list sent by the client. See the B<ciphers>
command for more information.

=item B<-serverpref>

use the server's cipher preferences; only used for SSLV2.

=item B<-starttls protocol>

send the protocol-specific message(s) to switch to TLS for communication.
@@ -243,6 +261,22 @@ Multiple files can be specified separated by a OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.

=item B<-status>

sends a certificate status request to the server (OCSP stapling). The server
response (if any) is printed out.

=item B<-nextprotoneg protocols>

enable Next Protocol Negotiation TLS extension and provide a list of
comma-separated protocol names that the client should advertise
support for. The list should contain most wanted protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".
Empty list of protocols is treated specially and will cause the client to
advertise support for the TLS extension but disconnect just after
reciving ServerHello with a list of server supported protocols.

=back

=head1 CONNECTED COMMANDS
40 deps/openssl/openssl/doc/apps/s_server.pod
View file
@@ -35,6 +35,7 @@ B<openssl> B<s_server>
[B<-CAfile filename>]
[B<-nocert>]
[B<-cipher cipherlist>]
[B<-serverpref>]
[B<-quiet>]
[B<-no_tmp_rsa>]
[B<-ssl2>]
@@ -55,6 +56,11 @@ B<openssl> B<s_server>
[B<-no_ticket>]
[B<-id_prefix arg>]
[B<-rand file(s)>]
[B<-status>]
[B<-status_verbose>]
[B<-status_timeout nsec>]
[B<-status_url url>]
[B<-nextprotoneg protocols>]

=head1 DESCRIPTION

@@ -150,6 +156,9 @@ the client. With the B<-verify> option a certificate is requested but the
client does not have to send one, with the B<-Verify> option the client
must supply a certificate or an error occurs.

If the ciphersuite cannot request a client certificate (for example an
anonymous ciphersuite or PSK) this option has no effect.

=item B<-crl_check>, B<-crl_check_all>

Check the peer certificate has not been revoked by its CA.
@@ -231,6 +240,10 @@ also included in the server list is used. Because the client specifies
the preference order, the order of the server cipherlist irrelevant. See
the B<ciphers> command for more information.

=item B<-serverpref>

use the server's cipher preferences, rather than the client's preferences.

=item B<-tlsextdebug>

print out a hex dump of any TLS extensions received from the server.
@@ -282,6 +295,33 @@ Multiple files can be specified separated by a OS-dependent character.
The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
all others.

=item B<-status>

enables certificate status request support (aka OCSP stapling).

=item B<-status_verbose>

enables certificate status request support (aka OCSP stapling) and gives
a verbose printout of the OCSP response.

=item B<-status_timeout nsec>

sets the timeout for OCSP response to B<nsec> seconds.

=item B<-status_url url>

sets a fallback responder URL to use if no responder URL is present in the
server certificate. Without this option an error is returned if the server
certificate does not contain a responder address.

=item B<-nextprotoneg protocols>

enable Next Protocol Negotiation TLS extension and provide a
comma-separated list of supported protocol names.
The list should contain most wanted protocols first.
Protocol names are printable ASCII strings, for example "http/1.1" or
"spdy/3".

=back

=head1 CONNECTED COMMANDS
1 deps/openssl/openssl/doc/apps/verify.pod
View file
@@ -48,7 +48,6 @@ of the B<x509> utility). Under Unix the B<c_rehash> script will automatically
create symbolic links to a directory of certificates.

=item B<-CAfile file>

A file of trusted certificates. The file should contain multiple certificates
in PEM format concatenated together.

20 deps/openssl/openssl/doc/apps/x509.pod
View file
@@ -19,6 +19,7 @@ B<openssl> B<x509>
[B<-hash>]
[B<-subject_hash>]
[B<-issuer_hash>]
[B<-ocspid>]
[B<-subject>]
[B<-issuer>]
[B<-nameopt option>]
@@ -28,6 +29,7 @@ B<openssl> B<x509>
[B<-enddate>]
[B<-purpose>]
[B<-dates>]
[B<-checkend num>]
[B<-modulus>]
[B<-pubkey>]
[B<-fingerprint>]
@@ -42,13 +44,15 @@ B<openssl> B<x509>
[B<-days arg>]
[B<-set_serial n>]
[B<-signkey filename>]
[B<-passin arg>]
[B<-x509toreq>]
[B<-req>]
[B<-CA filename>]
[B<-CAkey filename>]
[B<-CAcreateserial>]
[B<-CAserial filename>]
[B<-text>]
[B<-certopt option>]
[B<-C>]
[B<-md2|-md5|-sha1|-mdc2>]
[B<-clrext>]
@@ -159,6 +163,10 @@ name.

outputs the "hash" of the certificate issuer name.

=item B<-ocspid>

outputs the OCSP hash values for the subject name and public key.

=item B<-hash>

synonym for "-subject_hash" for backward compatibility reasons.
@@ -208,6 +216,11 @@ prints out the expiry date of the certificate, that is the notAfter date.

prints out the start and expiry dates of a certificate.

=item B<-checkend arg>

checks if the certificate expires within the next B<arg> seconds and exits
non-zero if yes it will expire or zero if not.

=item B<-fingerprint>

prints out the digest of the DER encoded version of the whole certificate
@@ -313,6 +326,11 @@ If the input is a certificate request then a self signed certificate
is created using the supplied private key using the subject name in
the request.

=item B<-passin arg>

the key password source. For more information about the format of B<arg>
see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.

=item B<-clrext>

delete any extensions from a certificate. This option is used when a
@@ -468,7 +486,7 @@ using the format \UXXXX for 16 bits and \WXXXXXXXX for 32 bits.
Also if this option is off any UTF8Strings will be converted to their
character form first.

=item B<no_type>
=item B<ignore_type>

this option does not attempt to interpret multibyte characters in any
way. That is their content octets are merely dumped as though one octet
2 deps/openssl/openssl/doc/apps/x509v3_config.pod
View file
@@ -174,7 +174,7 @@ The IP address used in the B<IP> options can be in either IPv4 or IPv6 format.

The value of B<dirName> should point to a section containing the distinguished
name to use as a set of name value pairs. Multi values AVAs can be formed by
preceeding the name with a B<+> character.
prefacing the name with a B<+> character.

otherName can include arbitrary data associated with an OID: the value
should be the OID followed by a semicolon and the content in standard
2 deps/openssl/openssl/doc/crypto/ASN1_generate_nconf.pod
View file
@@ -61,7 +61,7 @@ Encode the B<NULL> type, the B<value> string must not be present.
=item B<INTEGER>, B<INT>

Encodes an ASN1 B<INTEGER> type. The B<value> string represents
the value of the integer, it can be preceeded by a minus sign and
the value of the integer, it can be prefaced by a minus sign and
is normally interpreted as a decimal value unless the prefix B<0x>
is included.

15 deps/openssl/openssl/doc/crypto/BIO_f_base64.pod
View file
@@ -46,11 +46,11 @@ to standard output:

b64 = BIO_new(BIO_f_base64());
bio = BIO_new_fp(stdout, BIO_NOCLOSE);
bio = BIO_push(b64, bio);
BIO_write(bio, message, strlen(message));
BIO_flush(bio);
BIO_push(b64, bio);
BIO_write(b64, message, strlen(message));
BIO_flush(b64);

BIO_free_all(bio);
BIO_free_all(b64);

Read Base64 encoded data from standard input and write the decoded
data to standard output:
@@ -62,11 +62,12 @@ data to standard output:
b64 = BIO_new(BIO_f_base64());
bio = BIO_new_fp(stdin, BIO_NOCLOSE);
bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
bio = BIO_push(b64, bio);
while((inlen = BIO_read(bio, inbuf, 512)) > 0)
BIO_push(b64, bio);
while((inlen = BIO_read(b64, inbuf, 512)) > 0)
BIO_write(bio_out, inbuf, inlen);

BIO_free_all(bio);
BIO_flush(bio_out);
BIO_free_all(b64);

=head1 BUGS

2 deps/openssl/openssl/doc/crypto/BIO_push.pod
View file
@@ -40,7 +40,7 @@ If the call:

BIO_push(b64, f);

is made then the new chain will be B<b64-chain>. After making the calls
is made then the new chain will be B<b64-f>. After making the calls

BIO_push(md2, b64);
BIO_push(md1, md2);
4 deps/openssl/openssl/doc/crypto/ERR_get_error.pod
View file
@@ -49,10 +49,10 @@ additionally store the file name and line number where
the error occurred in *B<file> and *B<line>, unless these are B<NULL>.

ERR_get_error_line_data(), ERR_peek_error_line_data() and
ERR_get_last_error_line_data() store additional data and flags
ERR_peek_last_error_line_data() store additional data and flags
associated with the error code in *B<data>
and *B<flags>, unless these are B<NULL>. *B<data> contains a string
if *B<flags>&B<ERR_TXT_STRING> is true.
if *B<flags>&B<ERR_TXT_STRING> is true.

An application B<MUST NOT> free the *B<data> pointer (or any other pointers
returned by these functions) with OPENSSL_free() as freeing is handled
5 deps/openssl/openssl/doc/crypto/EVP_DigestInit.pod
View file
@@ -161,9 +161,8 @@ EVP_MD_CTX_copy_ex() returns 1 if successful or 0 for failure.
EVP_MD_type(), EVP_MD_pkey_type() and EVP_MD_type() return the NID of the
corresponding OBJECT IDENTIFIER or NID_undef if none exists.

EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size(e), EVP_MD_size(),
EVP_MD_CTX_block_size() and EVP_MD_block_size() return the digest or block
size in bytes.
EVP_MD_size(), EVP_MD_block_size(), EVP_MD_CTX_size() and
EVP_MD_CTX_block_size() return the digest or block size in bytes.

EVP_md_null(), EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_dss(),
EVP_dss1(), EVP_mdc2() and EVP_ripemd160() return pointers to the
5 deps/openssl/openssl/doc/crypto/EVP_EncryptInit.pod
View file
@@ -344,7 +344,10 @@ bits and 12 rounds.

Where possible the B<EVP> interface to symmetric ciphers should be used in
preference to the low level interfaces. This is because the code then becomes
transparent to the cipher used and much more flexible.
transparent to the cipher used and much more flexible. Additionally, the
B<EVP> interface will ensure the use of platform specific cryptographic
acceleration such as AES-NI (the low level interfaces do not provide the
guarantee).

PKCS padding works by adding B<n> padding bytes of value B<n> to make the total
length of the encrypted data a multiple of the block size. Padding is always
8 deps/openssl/openssl/doc/crypto/EVP_SignInit.pod
View file
@@ -30,9 +30,11 @@ signature context B<ctx>. This function can be called several times on the
same B<ctx> to include additional data.

EVP_SignFinal() signs the data in B<ctx> using the private key B<pkey> and
places the signature in B<sig>. The number of bytes of data written (i.e. the
length of the signature) will be written to the integer at B<s>, at most
EVP_PKEY_size(pkey) bytes will be written.
places the signature in B<sig>. B<sig> must be at least EVP_PKEY_size(pkey)
bytes in size. B<s> is an OUT paramter, and not used as an IN parameter.
The number of bytes of data written (i.e. the length of the signature)
will be written to the integer at B<s>, at most EVP_PKEY_size(pkey) bytes
will be written.

EVP_SignInit() initializes a signing context B<ctx> to use the default
implementation of digest B<type>.