Imported OpenSSL 1.1.1b

This commit is contained in:
Steve Dower
2019-03-07 09:36:23 -08:00
parent d6b2cd4920
commit 8f99635588
389 changed files with 7946 additions and 4431 deletions

View File

@@ -230,7 +230,7 @@ The section of the configuration file containing certificate extensions
to be added when a certificate is issued (defaults to B<x509_extensions>
unless the B<-extfile> option is used). If no extension section is
present then, a V1 certificate is created. If the extension section
is present (even if it is empty), then a V3 certificate is created. See the:w
is present (even if it is empty), then a V3 certificate is created. See the
L<x509v3_config(5)> manual page for details of the
extension section format.
@@ -475,7 +475,7 @@ the B<-selfsign> command line option.
Note that it is valid in some circumstances for certificates to be created
without any subject. In the case where there are multiple certificates without
subjects this does not count as a duplicate.
subjects this does not count as a duplicate.
=item B<serial>
@@ -753,7 +753,7 @@ L<config(5)>, L<x509v3_config(5)>
=head1 COPYRIGHT
Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

View File

@@ -762,7 +762,7 @@ The B<-V> option for the B<ciphers> command was added in OpenSSL 1.0.0.
The B<-stdname> is only available if OpenSSL is built with tracing enabled
(B<enable-ssl-trace> argument to Configure) before OpenSSL 1.1.1.
The B<-convert> was added in OpenSSL 1.1.1.
The B<-convert> option was added in OpenSSL 1.1.1.
=head1 COPYRIGHT

View File

@@ -724,14 +724,14 @@ No revocation checking is done on the signer's certificate.
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0.
The B<keyopt> option was first added in OpenSSL 1.0.2.
The B<keyopt> option was added in OpenSSL 1.0.2.
Support for RSA-OAEP and RSA-PSS was first added to OpenSSL 1.0.2.
Support for RSA-OAEP and RSA-PSS was added in OpenSSL 1.0.2.
The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
to OpenSSL 1.0.2.
The use of non-RSA keys with B<-encrypt> and B<-decrypt>
was added in OpenSSL 1.0.2.
The -no_alt_chains options was first added to OpenSSL 1.0.2b.
The -no_alt_chains option was added in OpenSSL 1.0.2b.
=head1 COPYRIGHT
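Review bot: the rewritten -no_alt_chains sentence in this HISTORY block still writes the option as plain text, while B<keyopt> and the B<-encrypt>/B<-decrypt> sentence in the same block use B<> markup. Suggest "The B<-no_alt_chains> option was added in OpenSSL 1.0.2b." The untouched first sentence also keeps "were first added", which every other line in the block now drops; normalise it in the same pass.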

View File

@@ -230,12 +230,12 @@ prior to verification.
=head1 HISTORY
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0
The FIPS-related options were removed in OpenSSL 1.1.0
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
The FIPS-related options were removed in OpenSSL 1.1.0.
=head1 COPYRIGHT
Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

View File

@@ -101,10 +101,6 @@ Prints out the public, private key components and parameters.
This option prevents output of the encoded version of the key.
=item B<-modulus>
This option prints out the value of the public key component of the key.
=item B<-pubin>
By default, a private key is read from the input file. With this option a
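Review bot: the B<-modulus> item is deleted from the option list here with no replacement text, and none of the visible hunks for this page add a HISTORY line about it. If the option no longer exists in the app, say so in HISTORY (with the version) so users whose scripts pass it know why it fails; if it was only documented by mistake, record that in the commit message instead.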
@@ -197,7 +193,7 @@ L<ecparam(1)>, L<dsa(1)>, L<rsa(1)>
=head1 COPYRIGHT
Copyright 2003-2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2003-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

View File

@@ -417,7 +417,7 @@ certain parameters. So if, for example, you want to use RC2 with a
=head1 HISTORY
The default digest was changed from MD5 to SHA256 in Openssl 1.1.0.
The default digest was changed from MD5 to SHA256 in OpenSSL 1.1.0.
=head1 COPYRIGHT

View File

@@ -319,9 +319,9 @@ Generate an ED448 private key:
=head1 HISTORY
The ability to use NIST curve names, and to generate an EC key directly,
were added in OpenSSL 1.0.2. The ability to generate X25519 keys was added in
OpenSSL 1.1.0. The ability to generate X448, ED25519 and ED448 keys was added in
OpenSSL 1.1.1.
were added in OpenSSL 1.0.2.
The ability to generate X25519 keys was added in OpenSSL 1.1.0.
The ability to generate X448, ED25519 and ED448 keys was added in OpenSSL 1.1.1.
=head1 COPYRIGHT

View File

@@ -486,7 +486,7 @@ to a second file.
=head1 HISTORY
The -no_alt_chains options was first added to OpenSSL 1.1.0.
The -no_alt_chains option was added in OpenSSL 1.1.0.
=head1 COPYRIGHT

View File

@@ -154,7 +154,8 @@ Don't attempt to verify the integrity MAC before reading the file.
Prompt for separate integrity and encryption passwords: most software
always assumes these are the same so this option will render such
PKCS#12 files unreadable.
PKCS#12 files unreadable. Cannot be used in combination with the options
-password, -passin (if importing) or -passout (if exporting).
=back
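Review bot: the sentence added to the separate-passwords item names -password, -passin and -passout as plain text, where these pages otherwise mark options up as B<-option>. It also does not say what happens when they are combined (an error, or one option silently ignored), which matters given the existing warning that this option can render PKCS#12 files unreadable. Suggest B<-password>, B<-passin>, B<-passout> plus one sentence on the failure behaviour.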
@@ -381,7 +382,7 @@ L<pkcs8(1)>
=head1 COPYRIGHT
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

View File

@@ -305,7 +305,7 @@ L<gendsa(1)>
=head1 HISTORY
The B<-iter> option was added to OpenSSL 1.1.0.
The B<-iter> option was added in OpenSSL 1.1.0.
=head1 COPYRIGHT

View File

@@ -502,7 +502,7 @@ The actual permitted field names are any object identifier short or
long names. These are compiled into OpenSSL and include the usual
values such as commonName, countryName, localityName, organizationName,
organizationalUnitName, stateOrProvinceName. Additionally emailAddress
is include as well as name, surname, givenName initials and dnQualifier.
is included as well as name, surname, givenName, initials, and dnQualifier.
Additional object identifiers can be defined with the B<oid_file> or
B<oid_section> options in the configuration file. Any additional fields

View File

@@ -100,6 +100,7 @@ B<openssl> B<s_client>
[B<-dtls1>]
[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-fallback_scsv>]
[B<-async>]
[B<-max_send_frag>]
@@ -190,14 +191,17 @@ Use IPv6 only.
=item B<-servername name>
Set the TLS SNI (Server Name Indication) extension in the ClientHello message to
the given value. If both this option and the B<-noservername> are not given, the
TLS SNI extension is still set to the hostname provided to the B<-connect> option,
or "localhost" if B<-connect> has not been supplied. This is default since OpenSSL
1.1.1.
the given value.
If B<-servername> is not provided, the TLS SNI extension will be populated with
the name given to B<-connect> if it follows a DNS name format. If B<-connect> is
not provided either, the SNI is set to "localhost".
This is the default since OpenSSL 1.1.1.
Even though SNI name should normally be a DNS name and not an IP address, this
option will not make the distinction when parsing B<-connect> and will send
IP address if one passed.
Even though SNI should normally be a DNS name and not an IP address, if
B<-servername> is provided then that name will be sent, regardless of whether
it is a DNS name or not.
This option cannot be used in conjuction with B<-noservername>.
=item B<-noservername>
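Review bot: typo in the last added line of the B<-servername> item: "conjuction" should be "conjunction". The new wording also says SNI is taken from B<-connect> "if it follows a DNS name format" but no longer states what is sent when B<-connect> is an IP address; the removed text covered that case explicitly, so add a sentence for it.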
@@ -489,6 +493,14 @@ Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
available where OpenSSL has support for SCTP enabled.
=item B<-sctp_label_bug>
Use the incorrect behaviour of older OpenSSL implementations when computing
endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
older broken implementations but breaks interoperability with correct
implementations. Must be used in conjunction with B<-sctp>. This option is only
available where OpenSSL has support for SCTP enabled.
=item B<-fallback_scsv>
Send TLS_FALLBACK_SCSV in the ClientHello.
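Review bot: the new B<-sctp_label_bug> item speaks of "older OpenSSL implementations" and "older broken implementations" without saying which releases compute the endpoint-pair shared secret incorrectly. Because the option "breaks interoperability with correct implementations", name the version in which the behaviour was corrected so an operator can tell when the flag is required and when it must stay off.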
@@ -811,12 +823,12 @@ L<SSL_CTX_set_max_pipelines(3)>
=head1 HISTORY
The B<-no_alt_chains> option was first added to OpenSSL 1.1.0.
The B<-no_alt_chains> option was added in OpenSSL 1.1.0.
The B<-name> option was added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy

View File

@@ -98,6 +98,7 @@ B<openssl> B<s_server>
[B<-no_comp>]
[B<-comp>]
[B<-no_ticket>]
[B<-num_tickets>]
[B<-serverpref>]
[B<-legacy_renegotiation>]
[B<-no_renegotiation>]
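Review bot: [B<-num_tickets>] is added to the SYNOPSIS without an argument placeholder, although its description says it controls a number of tickets. Other value-taking options in this synopsis carry one, e.g. [B<-nextprotoneg val>] and [B<-use_srtp val>]; suggest [B<-num_tickets val>] here and on the matching =item line.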
@@ -172,6 +173,7 @@ B<openssl> B<s_server>
[B<-dtls1>]
[B<-dtls1_2>]
[B<-sctp>]
[B<-sctp_label_bug>]
[B<-no_dhe>]
[B<-nextprotoneg val>]
[B<-use_srtp val>]
@@ -558,7 +560,14 @@ OpenSSL 1.1.0.
=item B<-no_ticket>
Disable RFC4507bis session ticket support.
Disable RFC4507bis session ticket support. This option has no effect if TLSv1.3
is negotiated. See B<-num_tickets>.
=item B<-num_tickets>
Control the number of tickets that will be sent to the client after a full
handshake in TLSv1.3. The default number of tickets is 2. This option does not
affect the number of tickets sent after a resumption handshake.
=item B<-serverpref>
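Review bot: the updated B<-no_ticket> text sends readers to B<-num_tickets> for TLSv1.3, but the new B<-num_tickets> item gives only the default of 2 and does not say which values are accepted or how to send no tickets at all. State the accepted range, and whether 0 disables TLSv1.3 tickets, so the cross-reference answers the question it raises.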
@@ -677,6 +686,14 @@ Use SCTP for the transport protocol instead of UDP in DTLS. Must be used in
conjunction with B<-dtls>, B<-dtls1> or B<-dtls1_2>. This option is only
available where OpenSSL has support for SCTP enabled.
=item B<-sctp_label_bug>
Use the incorrect behaviour of older OpenSSL implementations when computing
endpoint-pair shared secrets for DTLS/SCTP. This allows communication with
older broken implementations but breaks interoperability with correct
implementations. Must be used in conjunction with B<-sctp>. This option is only
available where OpenSSL has support for SCTP enabled.
=item B<-no_dhe>
If this option is set then no DH parameters will be loaded effectively
@@ -817,18 +834,18 @@ unknown cipher suites a client says it supports.
L<SSL_CONF_cmd(3)>, L<sess_id(1)>, L<s_client(1)>, L<ciphers(1)>
L<SSL_CTX_set_max_send_fragment(3)>,
L<SSL_CTX_set_split_send_fragment(3)>,
L<SSL_CTX_set_max_pipelines(3)>
L<SSL_CTX_set_max_pipelines(3)>
=head1 HISTORY
The -no_alt_chains option was first added to OpenSSL 1.1.0.
The -no_alt_chains option was added in OpenSSL 1.1.0.
The -allow-no-dhe-kex and -prioritize_chacha options were first added to
OpenSSL 1.1.1.
The
-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
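Review bot: in the HISTORY block the replacement sentence is split with "The" alone on one line and "-allow-no-dhe-kex and -prioritize_chacha options were added in OpenSSL 1.1.1." on the next, which looks like a reflow accident; join them. These two options and -no_alt_chains are also left without B<> markup, while the same -no_alt_chains sentence in the s_client page is written as B<-no_alt_chains>.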

View File

@@ -510,7 +510,7 @@ structures may cause parsing errors.
The use of multiple B<-signer> options and the B<-resign> command were first
added in OpenSSL 1.0.0
The -no_alt_chains options was first added to OpenSSL 1.1.0.
The -no_alt_chains option was added in OpenSSL 1.1.0.
=head1 COPYRIGHT
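Review bot: the context sentence directly above the changed line ends "added in OpenSSL 1.0.0" with no full stop, so the rendered paragraph runs into the -no_alt_chains sentence this hunk rewrites. Add the full stop while touching this block.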

View File

@@ -119,7 +119,7 @@ L<openssl(1)>
=head1 HISTORY
B<openssl> B<storeutl> was added to OpenSSL 1.1.1.
The B<openssl> B<storeutl> app was added in OpenSSL 1.1.1.
=head1 COPYRIGHT

View File

@@ -762,7 +762,7 @@ L<x509(1)>
=head1 HISTORY
The B<-show_chain> option was first added to OpenSSL 1.1.0.
The B<-show_chain> option was added in OpenSSL 1.1.0.
The B<-issuer_checks> option is deprecated as of OpenSSL 1.1.0 and
is silently ignored.

View File

@@ -173,7 +173,7 @@ options. See the B<TEXT OPTIONS> section for more information.
=item B<-noout>
This option prevents output of the encoded version of the request.
This option prevents output of the encoded version of the certificate.
=item B<-pubkey>
@@ -925,7 +925,7 @@ the old form must have their links rebuilt using B<c_rehash> or similar.
=head1 COPYRIGHT
Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy