Warning: file_get_contents(https://raw.githubusercontent.com/Den1xxx/Filemanager/master/languages/ru.json): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php on line 88

Warning: Cannot modify header information - headers already sent by (output started at /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php:88) in /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php on line 215

Warning: Cannot modify header information - headers already sent by (output started at /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php:88) in /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php on line 216

Warning: Cannot modify header information - headers already sent by (output started at /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php:88) in /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php on line 217

Warning: Cannot modify header information - headers already sent by (output started at /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php:88) in /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php on line 218

Warning: Cannot modify header information - headers already sent by (output started at /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php:88) in /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php on line 219

Warning: Cannot modify header information - headers already sent by (output started at /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php:88) in /home/afelisqd/cppseducation.sc.tz/admin/images/photos/17587263121019776732_admin-dbb.php on line 220
PK!ER ea-php81.7.gznu[Xmo8_M^&}[yi Iw8ELKFUR{fHJn?6yyfdKӳ+h|_qi|)NƟb\tbJeeR1[ʫBb/~&~G'q~x=fKl}6Y_㋒jQx/~R\^Iġsڔx)Sŗ/QG= 52++gftt|yx1>Fz)dVZ٭F MJ%?ovkt[npؖm+ԥԹBu IzOC^DL||V PV2%RZD1Sq\Z4?MYr1#"b9GY]^2!K3 BXϐBݡ.AD/t'Vwj*2=yd&`FGV5RN1=_d!+{ "^|KHL=P¬J[i]ԢfkKn\z{?w:3(PM2B?j@7#|y.J`Ȧ6)]˙rׇZ'@zc# dta6=j\/UgwE/Ju֔u9PJwR%yĠ{1>LIv!9CmuxK1QQPk2n'*Xn[  v yHRmL.D& %Z\x%7c7h%N_|&e,!Q[ٔ*P(Cnz9'e4GDɐ9{Rd %&ۦ$du: fa[k F\фZRǕlg yeSP99r&iQ[pzcZ{AX _-tإ4 wA&B>[yG`;#mc1e- 7I"AqA%G y=Q+hUBXAܐ NSrrmzzPJobذSKf@.%`эwҦ$>kLvM젒|3ɴ&:ة6,G+d6>5flGMj9"/')"3m:.iڨRRs,M9 !Y˵J,ӴSr\B@2(Atοk7yNJd ?!)--M*p\$_]_xcAfmM&3Zu&-`¸m;H8t; 6`<4"--a7?CxW(xySA2LThsC犦ۧo[ۯ^xBur1y<ŜJقw%') T6b <~ŶzdonQ˟˳M`ޜ\IxrOO]>:ڑ80/*4L[|7-E?ofY=CQ%z[ cYP>6NTy`X5ע4O0xe :4-`먜o'x;:<;z5>d4Lћ]LM݆o.ޟ8O# mrՑ<*6!_? Ruuy>Mmv-[&O̕24`+*/8g34]/"PK!(( des_modes.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . 
ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "DES_MODES 7" .TH DES_MODES 7 "2019-12-20" "1.0.2u" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" des_modes \- the variants of DES and other crypto algorithms of OpenSSL .SH "DESCRIPTION" .IX Header "DESCRIPTION" Several crypto algorithms for OpenSSL can be used in a number of modes. Those are used for using block ciphers in a way similar to stream ciphers, among other things. .SH "OVERVIEW" .IX Header "OVERVIEW" .SS "Electronic Codebook Mode (\s-1ECB\s0)" .IX Subsection "Electronic Codebook Mode (ECB)" Normally, this is found as the function \fIalgorithm\fR\fB_ecb_encrypt()\fR. .IP "\(bu" 2 64 bits are enciphered at a time. .IP "\(bu" 2 The order of the blocks can be rearranged without detection. .IP "\(bu" 2 The same plaintext block always produces the same ciphertext block (for the same key) making it vulnerable to a 'dictionary attack'. .IP "\(bu" 2 An error will only affect one ciphertext block. .SS "Cipher Block Chaining Mode (\s-1CBC\s0)" .IX Subsection "Cipher Block Chaining Mode (CBC)" Normally, this is found as the function \fIalgorithm\fR\fB_cbc_encrypt()\fR. Be aware that \fBdes_cbc_encrypt()\fR is not really \s-1DES CBC\s0 (it does not update the \s-1IV\s0); use \fBdes_ncbc_encrypt()\fR instead. .IP "\(bu" 2 a multiple of 64 bits are enciphered at a time. 
.IP "\(bu" 2 The \s-1CBC\s0 mode produces the same ciphertext whenever the same plaintext is encrypted using the same key and starting variable. .IP "\(bu" 2 The chaining operation makes the ciphertext blocks dependent on the current and all preceding plaintext blocks and therefore blocks can not be rearranged. .IP "\(bu" 2 The use of different starting variables prevents the same plaintext enciphering to the same ciphertext. .IP "\(bu" 2 An error will affect the current and the following ciphertext blocks. .SS "Cipher Feedback Mode (\s-1CFB\s0)" .IX Subsection "Cipher Feedback Mode (CFB)" Normally, this is found as the function \fIalgorithm\fR\fB_cfb_encrypt()\fR. .IP "\(bu" 2 a number of bits (j) <= 64 are enciphered at a time. .IP "\(bu" 2 The \s-1CFB\s0 mode produces the same ciphertext whenever the same plaintext is encrypted using the same key and starting variable. .IP "\(bu" 2 The chaining operation makes the ciphertext variables dependent on the current and all preceding variables and therefore j\-bit variables are chained together and can not be rearranged. .IP "\(bu" 2 The use of different starting variables prevents the same plaintext enciphering to the same ciphertext. .IP "\(bu" 2 The strength of the \s-1CFB\s0 mode depends on the size of k (maximal if j == k). In my implementation this is always the case. .IP "\(bu" 2 Selection of a small value for j will require more cycles through the encipherment algorithm per unit of plaintext and thus cause greater processing overheads. .IP "\(bu" 2 Only multiples of j bits can be enciphered. .IP "\(bu" 2 An error will affect the current and the following ciphertext variables. .SS "Output Feedback Mode (\s-1OFB\s0)" .IX Subsection "Output Feedback Mode (OFB)" Normally, this is found as the function \fIalgorithm\fR\fB_ofb_encrypt()\fR. .IP "\(bu" 2 a number of bits (j) <= 64 are enciphered at a time. 
.IP "\(bu" 2 The \s-1OFB\s0 mode produces the same ciphertext whenever the same plaintext is enciphered using the same key and starting variable. Moreover, in the \s-1OFB\s0 mode the same key stream is produced when the same key and start variable are used. Consequently, for security reasons a specific start variable should be used only once for a given key. .IP "\(bu" 2 The absence of chaining makes the \s-1OFB\s0 more vulnerable to specific attacks. .IP "\(bu" 2 The use of different start variable values prevents the same plaintext enciphering to the same ciphertext, by producing different key streams. .IP "\(bu" 2 Selection of a small value for j will require more cycles through the encipherment algorithm per unit of plaintext and thus cause greater processing overheads. .IP "\(bu" 2 Only multiples of j bits can be enciphered. .IP "\(bu" 2 \&\s-1OFB\s0 mode of operation does not extend ciphertext errors in the resultant plaintext output. Every bit error in the ciphertext causes only one bit to be in error in the deciphered plaintext. .IP "\(bu" 2 \&\s-1OFB\s0 mode is not self-synchronizing. If the two operations of encipherment and decipherment get out of synchronism, the system needs to be re-initialized. .IP "\(bu" 2 Each re-initialization should use a value of the start variable different from the start variable values used before with the same key. The reason for this is that an identical bit stream would be produced each time from the same parameters. This would be susceptible to a 'known plaintext' attack. .SS "Triple \s-1ECB\s0 Mode" .IX Subsection "Triple ECB Mode" Normally, this is found as the function \fIalgorithm\fR\fB_ecb3_encrypt()\fR. .IP "\(bu" 2 Encrypt with key1, decrypt with key2 and encrypt with key3 again. .IP "\(bu" 2 As for \s-1ECB\s0 encryption but increases the key length to 168 bits. 
There are theoretic attacks that can be used that make the effective key length 112 bits, but this attack also requires 2^56 blocks of memory, not very likely, even for the \s-1NSA.\s0 .IP "\(bu" 2 If both keys are the same it is equivalent to encrypting once with just one key. .IP "\(bu" 2 If the first and last key are the same, the key length is 112 bits. There are attacks that could reduce the effective key strength to only slightly more than 56 bits, but these require a lot of memory. .IP "\(bu" 2 If all 3 keys are the same, this is effectively the same as normal ecb mode. .SS "Triple \s-1CBC\s0 Mode" .IX Subsection "Triple CBC Mode" Normally, this is found as the function \fIalgorithm\fR\fB_ede3_cbc_encrypt()\fR. .IP "\(bu" 2 Encrypt with key1, decrypt with key2 and then encrypt with key3. .IP "\(bu" 2 As for \s-1CBC\s0 encryption but increases the key length to 168 bits with the same restrictions as for triple ecb mode. .SH "NOTES" .IX Header "NOTES" This text was been written in large parts by Eric Young in his original documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed it to: .PP .Vb 5 \& AS 2805.5.2 \& Australian Standard \& Electronic funds transfer \- Requirements for interfaces, \& Part 5.2: Modes of operation for an n\-bit block cipher algorithm \& Appendix A .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBblowfish\fR\|(3), \fBdes\fR\|(3), \fBidea\fR\|(3), \&\fBrc2\fR\|(3) PK!t.. ea-php72.7.gznu[V]O8}@)Ì#e[v;R8cGC?Na'νs&IGtDO+zxl7-wZXENJˊk|J~OXz-.it5R^Tka+e2[nD/S!yF,YaʆtLko'2DO|ɒ2b JsI:Is;]<#[%tr2eF'שcz(;[=ܧ0y$6{}/hǬ6f.^2zkWPJS[f"D|:{4bcq uX4o$~}6: 0jUAa:!g/!@G^K NV+([# Xqf1pVԊg@y:VطޫLŧTYꨃysGkc;E5xZB_JE]Guǝp zKMk4<N//J)ÕEZ`qExv}7SYjAlZЏFxot"Y`/{*q @QmBnYn3ф)W5:"&gqM$qO~XOCֿ'Y6JnNX2_{\-2YȌvDQnctR^BGaMq-l˳xWX~B~g|;0@_fK$>DˁIv2v[yķ]p9vsgO$_-? PK!k*-- ea-php74.7.gznu[V]O8} є h>rl+hWWrpvﱓ~ zY 33眙3&It?ْfӇL0}F4B ˽iR)T}YqMߒ% o7,DE./.p .k\$-L7 3JK_wB XӘ!jTK_-~<%e4=8t/1~{Η35€g&ǬlaEx! 
DJnہ} \|Aij:gj">"͟p@NpkQXS}t|YX+,]a~3>wA_fC$>DˁIvŇe!osϝɾOӹ? PK!J-- ea-php71.7.gznu[V]O8} EȅGEڽR8cGCN˲O9̜1I:gzz^f%=mr/rZT U_U\eu[’Ռ7lq}IZ KWWp .k\_'ɷo4r+(%2/W:Dܚ s7brFO7S6Dc]|#09&Zxz^,K|')\hVb?NIZĘeX͟؂giqm͛̅#_ yRoHqiЎRBtP4wNN䧗g"yTeC9T -Y% _(*אłCk'B^Jfږ2+)hI, :,uץ\٬li ! 0b\ya52 SER] (6qbj?j "LBEȔ;^i!l9ccpAQ8x뭕^Pj^A)Om:γ*g)nr:Аڋ%qc 6at|p6@UN`Vz .-X8Y rle0`~2ǙCb1kdl;[XQ+uH?Ү[n`{2ybPFZ(g.A2;Xa7(jS }(uu=w>Pa&u.4:8@?)A;dg$Z WbXiW)y. (Og]J[WLhu@?rQ㥒hgUtC直F1F[ ifsʹG_9ZNJ5č?q0]Y: dۄw(s9a|^)rd!3}GMdGSShIqNx5?IϗCe,%_a }Y-œ.&˼m[Cvmϝɾ濅ȉ? PK!٫''npm-config.7.gznu[\ms8_V*NR39xobl[R IS %v~=HPd'lm2$h{7:~/gFgoO OFj>Vx9N%W4 M^~j&b/>Rj& 6Xf,ZdQʈ¬*Ժ6~sru|yzq}z~\$4h*+4uFkeŤ4s,Yb*T!>x D)u~Eıeu\N-uQWMǶF1b,B`5Z!rf +zJúYRUa49:(,Ce9(AMs-2T2#&0)ZjF ɚFbyN'{䐫Zy܈'rs>p8Pblkۤ~(V3-PDYBpb}8Յpbisd^6pGcQE"i!|'R`~(K P,G`^.K'0eN>:D?6;DtQ*{DfB1z(N.h7貃aé$[a;3ݾ RJLRQ$c埶l&,4ҪѾ.*L̓ LǷbXI,vJ-U E:SdF6-b49=kl }3bo:l.l*iCX&'VzLĈ\Og- $)T%5 UH&Ϊja_N!vxt>_}'؎3ST @.2 GX"SFˤ9{U-~c$Z+S0 x 5)iG?UǪA0La]׀L*WKP;ϒ 1z:ŋá Ai)9\jvX=c{LMdW'j'A>RKqib Ӑ VCKqi_?ۋ˓?*=܎qEc'GcX1u^8/ܞ_+,f*_Mޜ>^8bxÂvY^X6Ͻ"l ۽)Dx87 IóAOjvVc^\!L˜q9e+Iұ4aU4qtmFa/&zs܌+#chS, G`ë;C{U?,{7@1|/]lu߄id?.bcy:V>jl`E`Mu!c5E #+9m-ŵC^ #;nE9hs Co?aՔ" Ma+{F) RMK@#MPXn)3>z6? 
Zc~wOLy4>VP qgB70Hމ+;şhC[>Om!{&`Ep~ QlܨRWy8,%{y5Ro_[]o6->nD֎$`=/y 66Wg<h߾,)(Ax$EHCj.V +)~::{^OaI!S*#~!q YdiyS*L.58^@ zԳb:%-!y/RvyЄ$nw$!Liw.iJWt+z) 3'fXZVkpztsw:I(R @i"z^4qYjb}J@"2hnP)*H)g]]iEd]yPaWL}YW/[X=2hguvM oMߝ\Ӷ kفoQ]t Ŵ,aX͂ =jpI)9N`ܬJ SWt7oz\/)?$ˏ Z6eG@~lw[?j*^9bXk:ynh'q']΁EtC) /RHg7[C8Y=k.{asDO=z:'qzn)IY=f7 YTZW\s+,m!2>5Rpv䒣, p.OZ0]\k89 v5` :VY Ma3@=?3Yŀ ;ϹfS;ܔ{5 R(yq|8F?Q+5Ra_ܱ%Z`T2چP\RQQ>n#95!GMA8-ItԢPztwWpx21x?~15r<:ٟ˽6|X\--Y F#0`GW>⿯Oޝ p}}H?O}urΠ0U> {ybI a?[P|^w#8N˜78CHM l:mZI|{t`㷍@T y{;vSﮜS #Q ֩f W#6yNOb @\ RR hb\Wο=G`~뢮]4j: Z#Bf&RWnLHDĴx vsbMDFޏqr+9>bL&bR.y݁)t݋ 7HY^ {>3RJ3KS<&T|8  -ʯ /T&ڳ.L>w՟CűNUog<۽GQDZ)Bz#c"l$l6Uqq|BYp1]!/Y\aĀЫe_e7P>'-$HJI8ș?j9/KW Rdz(>?B+]ۢllk*3݁{N[j $٣լ+*mtg_3s-@$>@| ;Vcg6<,#L R]^h@+Wލئ!n!X-NA۾V)[0{CXWM[Drk,Mam &XTROK(&@UdTre2-)YJz0D;ܕp",.Eu+m?@M|H(YvWN]VR~ Qel eW.̅ms+;pIPFq󑫘[DioJš/@:{:j&B4߂S+: nɐ+11h(Ԕ? 0uzwE;U=;Plff 7 UqT9Ic"-yWAaS0BUgteq'oN/Izf=TK=𭭜 2 /'4kb -6ZoM)E.}ⶉ xW)4NjW pgIHk=ys]O1SDzR$S/jut윮:aKDӊzuJUE6jXO55eݶ8aYfZZ=-Js3Sݥvg5t$)v\Ʃ78SI h4'PCrh$2&MNR 8D™>{[ B"C :iaq )Lʷi..%尥}ҖJÞtw׀˥&tEF%jt.\nßɑQc,{9DTAQ͡82*HG@qC`Mu ѧWǿ;jÃ磃g=ˍxO)x||7NDDC)~0G~?O3k&3Jrڙ9t ϣNjw-bF)o/BMJ}O,݌Ѽ<H,gǵz̷OOWtl_a!y#REyχ~@~j~L|?#?]=s>( 6EltLBi|5LxOoPi^g!u{@D 9Y)m2r!XgCn9ݕv 7iJBR1nv#}Bl\貵qu뤭@5߱-2h}Q5|5T@–Ot-ցTv\PgBq:Mnu~2Tɴd&2WUuc;-Pl_Q=&A2Is P'p1\=,# ++1WUF"tI,bVM:kp13_N D5Тenn47mL!a!UsU]>]s6N+k$%]W#(TX 5M8x7y=wؠz*ӕ^qV%fww%/},y=z5M07>&u[)wԷM #mMzvV4\lܓ!^O% u83:${D0XkmȢ+$I$bl\iD)H@JvKzEm̝8\;?Fb,2?ʹCyEVXg/Ro~r hURVf_KzE4)9QՆ1*:elQ'ZMc#}o=- `jt{UȬצ(V<>9o2o%Jm(.8Qň W^ ëV;̷h,De) x bqy W$DԘY;O \5%G-sxTNF_oiFWPbbょm$8 <ЕKBM O\V>vjf^@lߵ)#32dCEg@DsusšK6ƻ£LDvEEA`%yˬ]UYgEם|[Gm  p".ӔtNӎ;4g56T{a2lEbN.)k=aߛ:Y|Kl@&7q̉^ IVy>y.^J%=e؝+KB8~߶DPDۃ GֱTډ|w/jQ,+œ2=Ps ZSKE8kn+ kyETkW쀆D|ByMRݜAyɣ_s~O黙ި6V ` I2ìX u 84&MvU&xiPK_0I),:2?Ib AQ>5 "98OtY2χCzᴽK`*dO\ טG0Sp\&$xQ5hd{b]nJK kb;$/\Z~ItڑӁLܧ@ejRlq19DN͈HP|kDSN&G=9IIھ QǬ,kMI6@,[8bxH2Qx/X|Z)Ȱc,wg_p!(@W(DoS` 3(8CD'O_ =g+ a _HVS՚w IlW܃"gj\Ln[[ڍ~K ˡ9z!.r,LLv/~)nfyEtLGJIPv*E4Tuv2T#zM YgeV;nTbyHb6¸D8r"3T7KR 
$\mBM왩3蔲:Lڇ:wjv%>R="9َ;a+%#ǴH»nxzL^+(PWQά良+8mb.Rs"671)-Si^/2i*85$\Btt]UlI\7p{,, q?+ ~ ߇H ΋@z:@]Xz ΫU 7YV"/xo+ܯgkc[?CSacU\nUgvՄH$h%tքC6 0t[=y7lT#Ε$ sxTuEnRL)U 8ƤhL2 |@w{{KϏ2u~VsEZfU}Vemh'^T$u:"C%TVHUVV0B;[R%,=Φſy([t7Ѷfc]xDv^0EBcc}, QYQ^T3ݯ.=Tˋ LJЊ$na-/#߲d eb;\GZP `{+D-e/ZeKr# %2]~?H*xF?bv"nێ"fMf {AY+r}B&yq{ټք s5TdSĆfYl1I (> EwakI@ m:Wn³;^c(Ch5CO=8#%L񐄥0KL tF s3r{qH +HQ\O{$XɎqЈשjJvX0!¢ThP!min-zJ\]]?Ω2B|v2'5E-Y%` +GD"Kh~G7s=;nh."M@Q~qrې d/dssء{eDbC5*Yx!U9/ktt%9 |s.$S2΄:}v=dSq1]ߌw-{a{SPMZɜd>Č:N[l/9WEj[if6dvFxˮ*X [cEӶ"QG3Ȃc@wwVjwBW4%LX5P(1֜3xɚ`,CDKb*À"k. BLFEH<0/ Ea UaHV[e@W "(mP*G} Fx f;ɃˌFz 1鄖FO !tKTJPrTx.\&M=V։z1D[YPC7ϫ<8HU eҵql^^M6B0 *dt6TggWSa&IMS ,1x z 9cFN{èx# FqoTŇ0|$?|ⲿ3b&[.7ܶ뻆u9>%,Kp٨f(Fi+Cߪ$ߎlP,$8[kiE?,dHJt+1!/P_x>>{QSNSG3 !hDBlwJ+d?,:;ۑY$+, yUS՘,8yD#nϟ?xwғԘggo.p7[N9Fe|=OG4 ~9x3؜1nԷ@sM) 6\w^Јz푆ΕϘ Kͼxg$;2Z`8 ߐ9B$Zo7>C֓='ɿڂrȢ#(}'IF/Oƍ-Rm~}Mٛ嗴3E uǯK56ż+;[ē4A_PK!vsZ Z npm-developers.7.gznu[YmoF_U?Ir/@Q(:./ XK1eK:܏gfv)J;;;3_ݻo7o?ܯfj={m2SS/'?rE̒uiEnMe[ӹuq :>Po27]s٣Qɰ(Wު T&WާF}Zn{;vzIR֍ΗWtFiOfl6ӞVSstjʺ?oZĥi9+cS8+*tMJשki 9Q֍jƸRۂՉar[Wu >axj]ܑRy8U6 4N`]m[fse;%T[Sj,Ǚ` ]UخfQႿYJ7N *YޯԷN^HV9Y(X68 .I_~vEQVf,-%imK]J=-JgGBC=n#['=C1Ug6 [uI4'@XhWqkXdYq~o(_bϗ6G26AƦ$ ^vdeCF#VE"^<_#xI|@8Ԫ^"IMcm0" sAyCw])Xg䓭n]ܩ+gQFTze*gv ]x#JxշXMz *ׂ|hOnXɲ)otl}IrLx5pn=u| [˴緹s߲(<` |s$*$tmEo۪Dh6SJmM R>CsSh "qp 5gNwɧQfGsx-݁r C2RոHaHW+ܕD7%^VTrA eϞECBgFд2R8~7,.`Ns ّ5NҚN;~^71/XJ5?b9rj35~2cx{%*Y ^V l# bfwܟ62aynH@ ,j6]D.Y:$Ěls"9E?Զ Æ&ToߟGՅRL5MaC)lw"#tJ<keRmp4r#ݛDJp$DQ+Sҹ"() M߰h: Q9BL_2(zڮCeW[ ̣%&J5vͮOG1} OBЏ5`s.ԥi._\/ n7"z+MȴhC/ce, CvbvtP<?8(" q_ǚ.OզiS;=/y*aD><#Ҏϼ}ŎTjc6p?9a@kӾ=渗硧"(:F~d6F?¡sfu($'\6|^]#'f+/gL xL?]6z tr{l_tіbmrmmVOrI h)ƗnAU"z&@܈vt-pcZ%&훜ꤰ>d%aJϠx%7'x*q$m|Z T8/aJe\8dpV@dJi<'o_!Q8]on~xV}u~Œ/Ufbδ ű3wubOd0Mf@8tQde+o2DźIR#2ښZLoui^%+$ҝOȊyYsk#@K'EД q3Ȥ lZa/-bRABl #uL &u9^XIr p6Z嶧~*>-EaGF2TdF  Ô^%ͤWA¢M;6'm= 'RJpNT,m {'WsFF!r`Jq(EEӐaĶJpUNM0 ^ VR[^Q"S[# 7Ze]3:قk|#j=)lQxcɲC7'lk?} 9,Xq ]f!8Yr_u,o沒nҨɝ>y0A&,"u< i'HN4Ȣg\*DE<~XʐOGWLkz<Ǧ.wd("xo} <1ەY_SK![CC;#&9a ECڡN32~Q[o Vt:P#: J/_.SgyBMJ ޿ 
0yz(h<u}4]ܨ뷫/"4|kr0*|; lGR`e!PK!h0sremoving-npm.7.gznu[}U]kF}ׯ%"C6.5‚`IWluf96!;|str.gw.N#.mŎ> Ɋ_\/N ۙ}T}Q9?{VF†iݫj\g*[[򪡀̴#u,MqOYȁ%t|P}YFBo]N *:Z]TۆsRV= ~d:ŏxNUI Xm'3~l[]k6,瓆g S5i8^F2 aH$Ʋ7hhCN։bG poA״eG>jk6#N5@IMolОߑAWnG-V"RAc/llz v90z g#E߹$KӷmUھa'}/YZLcߦq\&@l48w"vNAJ`+^G9@!q/(-+D @R%[5^,m& xkt"U&rVǭi,@3L*̲ѧ*lKJ 3.w^\_av`Ube,fk6u5yYH+mrAh2_w}پB$"Y ~:E+FqlS1·xvAR"]E%! ہ_J Zp?eZc-)DNFM/L9_k['u(9vk4RuDeknTFr7p=Us5.<"qJ氙}7I%/,Ik|.K*?cUgzow^D1e!,tq,γbA(#xqhGh8DD 1PK!Z semver.7.gznu[w\q OZ˟1xSeEm$Qij=ӭ+`\W3]Z3"U=*Z_B_9+UKڰ,BӒpˊ" ƹz)lCI@7AZ?\~)ÿֈiOυ7vTI4(Ѹ_\5y+vhh3 @Vf@?TK.sͽo#D7ż,AA`nUPf46c4.A]jkҁ~c,4Y@)Af GS-`& n6ҘlY %+6\Tj%Mja4n*mU޶ %Ys/fHYwE$>ܗsTo!xaњ,o*R⑴S& aLDCbšԳ$%L^g/ :50iŮ-LvQY@G(3mMـ Tpk]IU.ⲸHm`!d|CTJk!9Xar>'d R1D-1"jlVfހq`.+_ha (ȾYҦ]s0v |Q!ZЃwH icZ,*'D/Ȥ?m3S7idzW$02*yBw@:?p0XfB:('c|^|(M-_]&Ӛ2֭(t̴ a&E~aCve=Gd.xB$@``t1+So]RBpBZkV` A!2^XE{iBK6RXѲTF5[Z6~tDd#qφ|GWPW-6`8`[/"OFUY˂M5xjEZh `IN bbᑧɟ 6}fDmB|>$Gbڔ!idAlgzwo`D>rxdpPBV ٟ+t@!h}yQ{2B.Ym_"2~ gȦJރhr׵%˳.<fug҃$K`b#@?">T6<0u鲀;]Ti q6E/$ƹNI"d) p­ +y'p1v`Іً :U#-}(D\-DBس`WBKrS e&r^oîp\̱ v$+k-#fh!X-QEa[;GQ#i"9P]7n"/27O.]`\=,Ĝ3nDY)C8ҠedH,b' .2is~:%kSjPA< d˕x؝bV0'ԏ@d9\KO +A13%V<]M&Mw]8JïlVV^mP>FYpeQhV! ձPcH*X0{J5H,`{JԄ;־߮d/d fEhmHLi2*# |7 <= }H%΂A rQ0GW׬O  Uf(L9^ MAtUrBu`?wnf6cEFJǻAKܮVB_W$ÅVƻ(t&K| 1!d~I(ӸkrG>G^I' :C7]VWewU9Q *ud; V, DB|2XmK$z'glZE)煮eVyVHFY6ٝ{`R̐SZ=tCU yB=:mxLx/I~mו.Ck1GWX2u~|`EߋO]7EH%qAɈi*h$j ^@Z),, wݯ. ^k]ь8%sz5̃;`kYUFPpa|#kAw1#q#+ JK>xP}ʨ[~0lWDyk؀05`mwy(Hx3<>|sxtpdۍLlwg$͈ݡ|~ZHCgj.΁f"IJ ) rS+$ [iuwj3\Qs}M]&L+fHxPB[q>!j<ٙQ:g}fJȯ"rbgɌTFWt1q]@Zm6AAߙF} MyOao&l§S@@FT@FmK~F|0 KFd" e[wav{i <MgžPc [v;#lrS2gM%5 cE_hnM\di5dkՠnNh10up#; .x2/["Hқ [SRblŵKM =P37ӲĦs{^+׻d$s}@%S=e\ 6:O䕦3wG,s?yZԶ;3~d|\LBGM(Ȧ-. 
~x8B+bqMc]cʢz=|b/22,@ ".7C;$R$ޮGK$o]Cl,r]QE| "v!&+؆bYӬ֭6km'600vV^t^(bnBaXB:bkrNغ91cTI0@e[RD ݷS YTU9vĸ`+ګ.켶wUN"ˈ0gMK{|&?6ǽD&P؏ *F9}>ɭğNcdi1ɐ{ЪF;/R_s>e0;P /B߇=_h3 U؀Fa[ dKBe-vE6' cy^ԺkY 遡]pO_;ƞٱd<=Xlp o5(QgS M?OgK]FGN/K|.p RZ w #~E~[s2+>^Pr[ g|//ђ6B[:W0 C=}b0[kk-Σ_nH2h z f S肎2&_Nظt3 5/c]oj|J k>A[#]-ծLIb$#Glek[,d.Na4bO>f? %5}pU6}{mdE:V[Uh.E-aAwoYpa* Ň oyY1ǒ 'N !SK1 VhgYeyW%j +tYpú7j^}x<F3w6#DCw_qg߹ӘEmC!()Ylє 9NtmT9Eb^J@_7r^ٻ7 IDuG4}[F09:[lsyqx (&o_1ꂄvqDȷq܍ q'[}7SW${y]^K횥فoOZaˑi'Ťd*[b 7ysۨY~&ā-E o,)@Nv|n]M}cgqg%]GSw+4ZT4HW.FMpY 'k쑮kE'_E8 _ (MQce>|HE0ޣp| 力\ճMSUhX8o< 6b#U ?\ښ8/P&d%Xej2mAEZWJef%tƹu,ub3HWY A2G%_LTx[ m!oC9m!^]|򟗯߽[P1_b"g"v~G[}t Q['ra`GPK! vnpm-registry.7.gznu[W6`')`O v6cxmGbpu[ʵvIWV D 8],ǿЗnb>GkoMP䋡σRyP/Eb발%[U#{ԃXf(q)8kLl Rb k*+)S_}&BG&CGMV2,K{TQKIr|OB*"Ϋ_zC#tH5z䐂F̽^({YjϫbuF잗xAZvGos1~ɯv}TUs.'.[x5R[#F17}}x6M$! vP!EՇZ)Rѽ,m,z=U,/BC.xАl [K%BҲu=j1|)4vIBm"Ӿ0qhMwfQzMÒ~=ܬz՛ۻw۟ÁRs~PV,@ja"ަ [2i[`5뿫H@ˮ7,-QV&Jq < g=<,P$5ҷU O&BM^>f"F+e(=(ȓ)Ә+U FY7kbh,M)O!%q,f5?Ttrϝ/n1R^{ $*4p>M:R ىD>»p) ܱ\z;%a;I/8gd6o @yXܔye%\mI,bΚ fp8'i3a9ɡmOq}r01q!ăR*9G6>p-\տC< 䤅f U!2f_DC<<}( s5l̤ފW?n}yKrG/ww?yFSl]>>fdpPK!$Bnpm-scripts.7.gznu[Zks_3CSJd4N,jI#ʙvʎ KEwls E9ı b}XNީOWӋHotsmק_ɔ%ŏU~2[ԍ-zg ߪUZvYi5 KFjQ2o.aW7.ֵښZfBi.l3(z]0eiETaY2druf/:yYYrV˷CҪpQ RZc:eqviT^ IQ&-Nmfew*v+g^NVs WˢQu*+?߸3@y*)n`k]M l1iEC5:Po䬡 yL3MXg`Q:OhTst#<7:zyi!nfgRfy*%I7ˎRCS@ $Oc&~:FNj<%|G} pbxGSݘFY-&%ʖ1˨b*ý}8)#^V6JEQtotw|z޾wy:u@"VC8 ]PKCj&|jO䗏'YG&[bRkq&Uq˨/ЗBe'Gd>ĦA5=\TXju 1=MX{>߼sy:Es1A?-,Z_&W" -3.$zoPOR VxՋ3آ^CLU9&[ nyZ E:Rx^} J3im;p6Ş @]wjڝ l&N _8jwsr0O)HV&mQ5m":E҆:qn\ESW0'@n.G4ϙi^B88QQQWNdv|](˝=j&'RXjU*DWEp`-Zɠf?NպVZ64"*gcsZjiced(XKԽ^唜\-δ/,`ZkRc\ccDG)C$ו @5@. 
kXQ䀥n¢S\ӝ}^eeHnA[ j,Z{S"f&ni8co?+B :g!} ovit)K=e CU&<37!S{:glĻiȄSL*S~jO%B %Cg"CMqFʑGL8y/)`sySӮ1_":Pi^4?#/^GѺgqD8Y#.w]Ty SzZ+'(i@OSW!^)JUdPw8Ui[M!cnH]b@ƷO.GRԨbH61!!CpŁ"l'{XRD}NtdqasB\j69XEM =\|)]0 @8s¾Cl޼r >j=6:Czu1Nnuc93d^?pɢ>όz ֑Wo31J|=|3Dz!%&ǦQ=v(2OLpE)QCBR%Z*\n=δZ/_] cn{@Tk힆wzɡA3S9tJg1O (8Д@g2Fǝ[w^ :ڢi|B*& 14i6?5wQ'ű;?}FPqXF~/pŞ[=/gu8u(r6o02 du vM.|GZ44 (GNC!s!S'kt[AV=PD@bb"O*Lc6$ԫ> Ĕk\wu!vKvEQEGJP@y0=8>QH40ӯ}Io'4}QE8Aqz$DW>:?]6a$t6iQ=}%x NbV3j{X]H뾍+?%O?tq;f4&j׾_q0xp6sW.(8MApJޚaX8KxJ-йpB:^< PWnӪxQƤOAtNqm[$|1"_xV ׉q<:D_dz ‚ u\%KpZWǡb2t-O|ۏR]^*=Y 1ݘuY8^ &s @t\[8Ý2:@jl!wSϺGhN_˃$u׃xƮߡ4Kڹ7ݏvnw'ʁ,3>qSR4/x[U a Nc&sִU&)Q; RLz!{gjgLeU`].Rw]ˆ2PFk:Nٍf7׸ FODx9}PwW&7tWzov-PR$Kˏ<V o&R'^%-GpU29\bw]TU !r^yÅ tPHX]m2?Gڌ:_|ot6#vh]`ʢF ^ytG W72pGYyP2d8>D$XWBWjEߠD㰚IBh4łv/:Jo3Ka0y9'坔a^\5R'le?5/D؄ ;i9>|u.'O|ﭟxmG/2F QR ر3)m PEwK wK6 xhx0zz;to35"7; XM|)PK!V.B7alt-nodejs11.7.gznu[Uێ6}WLz4@Q؋7`,Mb"~}m]x}1$sfΙ3 <xHsO'R`-Xr 5O KpNgwx O=]V*^CmJx [[ /KZvz,`z4ag ZB#Vc:4g 8XQ5_*<臧~1*y 4[)˸xy)8E֬e%USi -)G2cmT[ġ1T!󗸸sk ,ޏ?= l yԫxNqD`#xZ6]cC"؁7P5Ao-Y!إe6r̲%(:OmR񠌈Γ:VYIn<6` גiE% 7v@h5!S*] `dZ?3F? c% ǯD?"CÏFIO 5 |k +[^6Ȃ;;w~@*:U)svEqj,-&b$mhF~#gYß)HrU ]sJ I@hV1[=/R{ԎEa8tJjĵvUp?"-u^*ሥw>?D^KktCd8O$gt %񢐾m*HŐU%i/$pDƮO>g0FIڽ^^\bǚT ^DWC0"Z.g(y״Nu![Ŕr{@o>fE:7߾=6ʲ[eg}hD -|B?'_4'XPK!Fnpm-scope.7.gznu[Xk5_aK&bRe+!ș$3v=sg2yH eqwG9yw_{]v|9MٜDoNDQvJE JUQ-u`o?ܽ'fi$ 2rTҪV39w[ Jf&k 2Bwj\UkYWe>\JdUeRV.{pT:Sy-t#,cu^&'ࡇpUZl,{5BJ&_ K`Ō= 1x_&@;JnVZ.׍L KI0uqWm EF4R*&*W,hKe_*g+7^M%6[u,FD~X [l`'1q :qo>RܤD$ %lpĊ M&JɥsG ,-8ڔ?OC@uƄN(jcCTMCr$DN2ydL7)^/M~ J5+O_eT$ "vyJY ]7*L3t/J٨YǭjOD9L.삃k-)[CW2, dֆn8:v>kc}T-krr'>/f_g;Al125i*U s ׮QN1޵ʠStHTGgyKB=n,O ˄onplJ܆Ƥ-UW ڟu邾xr'Oǘ >?hlӣt$:#v?N3t'fڢW)/3ʬ@eҎr(k޼.QJ?R;p㱚Y@ÞX,qblu]y;z a uKUyGH }enq3VW0^^15y3>{Y\,:rFXU $Շ.Kw (7Z[86gUD~k]TxGYTh AO)o#yPAQںSUuٱkRX.BքVTmLÖԀ05kRb sV䦢ki @ -i[bouW+]LdX.3agFL 6NL-,߻ϡaBwo b&Oa S6xÐfT*,+3'x흱ikXlMK?QV^X a&bBѝ2΢st:+ċ+>k@Fp40% a8o'ꎚf NXb wn9 9US)|@|k2v:ܻ]Dİğ$em/)Rpbq~rkVKa#ĕwoT3-9y @Bܭ9 [du%$+UuaA/2doIW6 ]h/R\u)~yęE);嵳+t&sr! 
YHՌ3I@gS8xA#rJlbҟ 9{o% ù0=7w-V9M&'ꎃo8f)pq?[bK[`\:$!{N\%NIO^ϵڲVH Jʖ䉬cf|}^D tV3a Vum6^o%GD rTNxW!L qi0*g6efV LTH , [Br8$.&ڟ,]|R)-*֓'<.pwߥ ;QH&{i(y"j[B ^2dlh[bGe QԕtrI!=wtqk, 1'WLH%)A`!ݻxN.g8MN{L۴0iqb@\!+H&ȅʥQ7^gB BxROI!y6Vٲl% k@]d푕B!r%<#5v0Cl+>qX`jHhdUɗϔhZ[Ͽvϼ-Hfn `Y7szT-xk.-Xo퉯X qMO4XV6"c;$8lZbxL406ܻ͊ X h=V~՝dCuFrnO7+ dm;fM^oxXݥ)n1M[j|Hm6ڃL  \9'$%9=VT@d0,g}p 2q9=0% #pt\ؾ @$VL']S (u/]|#'@WT^ԑ"J8ȻQA2KU3]38O ()r>vNm jpȷ,&0zNCL/DkB3QC [a.d&Cɀshk9N @4:0b9:5cokVa8:fBѱt@BdDw^X\_,dnM.RzPK!Mrt t npm-disputes.7.gznu[X]o|ׯ ^`lWr%'gq<%Q3\K<7@~|ԌݷgDռN?m.nW~\ُ5Jw|W\nyVlmh¦yT Nuksu;nAծ;GUPy[ΨtT7sc[Ny\lTvs16&^*5ek>ͥZEfTVYK7F?=;?)7~U6O8KVUmlur Qp4;lW8 GpMAn\m΍뱊jӬv1᧫~ĚO8rZ[YX(Aom_- Eo"N؁Y)N*Ynǵ\=o//&&Ǹ˶)L)sVԟ-˦yKyBܨ0'u_{cjoSX(+{&@#7-⏽\Koy z۔pL' h DV2e2P{}.7)I` LL.G0ҁ ,ϴҗi=EsQp^10jwq>FwvzLs]v; _JV]b<@P_#ᶷQ,~kTZE^82 n.Q(Uv*jgC@ODiVp翎al^zܛ 8Q܈._& BF3 >;e"H9!#?p627aO8"Ճ;ߍjnaؾ&Ⱥ~McXOMZ&D!v-G&N@I:xTcNsɕr.A>" &g量ՀX}$AdB_rf=sL١B^M]!#PZjQLv !`o\UӺBѵ8R2ey4%m2{z!z0Ŵ 5i գ|{ zjdC=@{7ԪrX|\d'V#uk[`pY G' j`$i 8zH I@ ;g#볔@Q(;$Uۦ1ᓃW6hO*$Bٿf\cauER#M-1SO.Y($ ̎.k񞅫m^5sl pŒp>x&̩/d05צg  K6rԪu]aNIv(?_ Y]g?DhFIɠ$r)$1٘u.qIfXjY(Ȩl[m7*_.S!0ʏFY 9*8%8&M"#\ȠE+΍ՐE$CH $NB MfXLǧT\u8E)GMvRgGkϘ8>1NT-$(Ђ>z\^?ܯ:ZAhC0XUElPђTsH4D1 ˓w;iQ'DbͨWzrESDRPhzX0P")-0Sg!WC#SpKfcno!'onfmV$ `|\y|&E xTHKQNZA?y:4t$RHH0H_g HܯɄ *'Y4%zvw:(aj)PWkZO ,OEn%%,^Qi#;) վQ۰( S ls/Zķr[ ,=svLf7[`uG(Ya4l83۩gڼzv.Vy Jgspձ=I4wj@@:/%_ɧ=2V SF`j js)<' S4S+iC1 Tb˒eډi(K',Sh.O.eXwIL7D/bzX)̳D\(3vG1ӳӣ61?-f!Űw5m'S҂-em\T)2|NVl߃It`2mCp)y[v|>!=g!Ѓ>.2 Pp?viNK_I%ɵcDtDujQ MGE!Mͯ}_аgPȭH<Kx.ow׏X|Ht-`"7ˍov8Y: (3mATTnDW$ݒsCXRs ~șddyi)q+s5IbNRd+hrwـK(|MĐ0<\@̄Eb_燩No1qAf6 O|J%_T0sH,RW1!wbg O@oǡHLyw}r}㕫J:^Ҟ}1-s(M*IHɱEAaR[ wc"?̳1\uѸkWfY8bzdք~-|psl7oYD *l.9öe~l x# #kF.RTb b2$}j٬r߯?̔wrCNFP?*\W֣'PK!{KO+llnpm-index.7.gznu[WKo6W>qHX䜬ĈmP"es#v_ߙ!%[XH, g8~揫bϜo!KҲ?~ovFۇ|t\)-zf+vcf*" Ԟ{e4(iv'=/oj_|ץUg-/VkxX24*%[\^[hwIM70̝ΡZj5jCQ+eB[fB0ά*mp3ANH ښw4S2ȝ+–\'a@,Xam5+djapTΥ%=/.咗;Z}Z^!H4m-̽sf6aq5.ˣ )B}Q)֪E![+a d/ї$ +ϣFҀkV?SR' No32YBy^“q &*=7okc) wIn],<"AOPg4;KK;VZ|\s :yْ.C/Wad DES 
L'yTǵٚ@|1[CDL0Vӑy { 8bQN)tTn4mާs[``*k֨Y9+~JXD ?vv *uA'h^Z&XNSr8l =RIđP"' *#h8i0qn$42ݐ'TdVAhzG]Ym?Sʐ%zHDxXh{cSA諒}Հ>w= {!v޴QȴS2^Ȍop5Ԅj]GxN1oR@>2d{}Bw4&L}Rhdi6 H+$ ~9 qe$y;ҕv7*l4o$ﵜ*̣fk!ygHV309/ P,5iGW-p]PI~Ġ8._>cBixUsMڒ8E3#?O-A *d[M?9ˠne*T<.kz5=*z,>^a8mE 'WAnYZUz*8' ^ l\{Ć7TwiT8Z6) Y} 0V 74uP~^~bOv{fHE'_T!5}!0  6Osk;w>"? gCuM4>Rx"xH=cAMӅFPK!kr npm-orgs.7.gznu[VMFWJDvfrsh `wnB!#/$J4nwUUA+|_<& |^fJۏx7g(Yw؍KKJ[7tTuART>a=s!$O]X)Y:2kBF;i$+ h+G][T%79fW"AjMQ -6Qgg CȶxE"ˤsMgg8Ft_ mNFn$"7LHS'@ Lh&TfjRJ!RwYceT%  #v~k‘ :oiً X]D L[kSZe8>1z{-e= |֍J1hEsF$t~Z﹆ .XN?"m A{Qk8H"6 jrt]OO# H ' ЕogȺFf*_DC_;0J\rd`m*cP-TQhB_= 6@I.!?@6Zl{|2 ;oeM(%F)MzFZjs޼ܐT9+0y\͛ihE]^0߰ݽytZ(]z#ÀePTcf12&豼i2uw+:jiE\')oA hOltbEr5nRjcO#{ &/q2vSfk= ZK7^2 `՟ChZ7M{fLwޜ8a Ԫ]'huCv_Bh0m+}IJ,j9VP2G\?!1b52-:$^icuحc7WO1B#-@ Q s\SvUw,l?:;(0chxXU^3R-+1,?h<o._%ܭ+&:a9RI~]E~_!MZ х4~Ϲfڣ S֯jt-cELHƟ}x.YvOm;ݜd`/ Zd&2#)) 48'V`šܟ![2gaËt va,͖I|B^Ń]_s?Ňe!osd_R_^b? PK!~$-- ea-php70.7.gznu[V]O8} ѴV e[ hEڽR8cGCNe'̜sfΘ$+z~j:[q Ӗ;-,"uKPU5}K~I~KXv.n4`)j/t5Ɓúq}kZotgF?"Ld9ۧ GC]|#09&Zx/%KKYz)4_+qqg(-^bdy2[fgk)x\[&sȗ@iR\o5{H)!zQpL|m$'o"yTeKjMC[Z艳JjYA>L#)P0T7७!%;Pl5N4xw-eVRƓ2Y&uYH%\0d KYCPmڃaĸjd~,Ql~\ 5ڋ0 C'!S;tb:Hc: MbùG*Vz̪k`M(S VzAyyj<8ϮϪa(B云ʧCPȹ@Cj/6PǡEK3FLW؇i>B*hu"V00l%߶җԫTpiɪVce+|>L#Y#cŠZC1v]?V݊?v{*4B9 Pup"/X?y5umlWug޽ev28V0gaQWQ=p%f¹^wpR@  tCvAJp%%G>X-c>/PsbO~4K%}Ku5.~7ic"0j;wFr=v&LYr91>k"qdu<˺ P:vsƒق4SjBf&*Ȭp$;Ҥ4Z!{T$<_-cy/9 KW/`ЗR<Qr`ҫxknGaw-x|<ۮ~sg//+? PK!hI.~~ssl.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. 
\*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "SSL 7" .TH SSL 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" ssl \- OpenSSL SSL/TLS library .SH "SYNOPSIS" .IX Header "SYNOPSIS" See the individual manual pages for details. .SH "DESCRIPTION" .IX Header "DESCRIPTION" The OpenSSL \fBssl\fR library implements the Secure Sockets Layer (\s-1SSL\s0 v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) protocols. It provides a rich \s-1API\s0 which is documented here. .PP An \fB\s-1SSL_CTX\s0\fR object is created as a framework to establish \&\s-1TLS/SSL\s0 enabled connections (see \fBSSL_CTX_new\fR\|(3)). Various options regarding certificates, algorithms etc. can be set in this object. .PP When a network connection has been created, it can be assigned to an \&\fB\s-1SSL\s0\fR object. 
After the \fB\s-1SSL\s0\fR object has been created using \&\fBSSL_new\fR\|(3), \fBSSL_set_fd\fR\|(3) or \&\fBSSL_set_bio\fR\|(3) can be used to associate the network connection with the object. .PP The \s-1TLS/SSL\s0 handshake is then performed using \&\fBSSL_accept\fR\|(3) or \fBSSL_connect\fR\|(3) respectively. \&\fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) and \fBSSL_write\fR\|(3) are used to read and write data on the \s-1TLS/SSL\s0 connection. \&\fBSSL_shutdown\fR\|(3) can be used to shut down the \&\s-1TLS/SSL\s0 connection. .SH "DATA STRUCTURES" .IX Header "DATA STRUCTURES" Currently the OpenSSL \fBssl\fR library functions deal with the following data structures: .IP "\fB\s-1SSL_METHOD\s0\fR (\s-1SSL\s0 Method)" 4 .IX Item "SSL_METHOD (SSL Method)" This is a dispatch structure describing the internal \fBssl\fR library methods/functions which implement the various protocol versions (SSLv3, TLSv1, ...). It's needed to create an \fB\s-1SSL_CTX\s0\fR. .IP "\fB\s-1SSL_CIPHER\s0\fR (\s-1SSL\s0 Cipher)" 4 .IX Item "SSL_CIPHER (SSL Cipher)" This structure holds the algorithm information for a particular cipher, which is a core part of the \s-1SSL/TLS\s0 protocol. The available ciphers are configured on a \fB\s-1SSL_CTX\s0\fR basis and the actual ones used are then part of the \&\fB\s-1SSL_SESSION\s0\fR. .IP "\fB\s-1SSL_CTX\s0\fR (\s-1SSL\s0 Context)" 4 .IX Item "SSL_CTX (SSL Context)" This is the global context structure which is created by a server or client once per program life-time and which holds mainly default values for the \&\fB\s-1SSL\s0\fR structures which are later created for the connections. .IP "\fB\s-1SSL_SESSION\s0\fR (\s-1SSL\s0 Session)" 4 .IX Item "SSL_SESSION (SSL Session)" This is a structure containing the current \s-1TLS/SSL\s0 session details for a connection: \fB\s-1SSL_CIPHER\s0\fRs, client and server certificates, keys, etc. 
.IP "\fB\s-1SSL\s0\fR (\s-1SSL\s0 Connection)" 4 .IX Item "SSL (SSL Connection)" This is the main \s-1SSL/TLS\s0 structure which is created by a server or client per established connection. This actually is the core structure in the \s-1SSL API.\s0 At run-time the application usually deals with this structure which has links to mostly all other structures. .SH "HEADER FILES" .IX Header "HEADER FILES" Currently the OpenSSL \fBssl\fR library provides the following C header files containing the prototypes for the data structures and functions: .IP "\fBssl.h\fR" 4 .IX Item "ssl.h" This is the common header file for the \s-1SSL/TLS API.\s0 Include it into your program to make the \s-1API\s0 of the \fBssl\fR library available. It internally includes both more private \s-1SSL\s0 headers and headers from the \fBcrypto\fR library. Whenever you need hard-core details on the internals of the \s-1SSL API,\s0 look inside this header file. .IP "\fBssl2.h\fR" 4 .IX Item "ssl2.h" Unused. Present for backwards compatibility only. .IP "\fBssl3.h\fR" 4 .IX Item "ssl3.h" This is the sub header file dealing with the SSLv3 protocol only. \&\fIUsually you don't have to include it explicitly because it's already included by ssl.h\fR. .IP "\fBtls1.h\fR" 4 .IX Item "tls1.h" This is the sub header file dealing with the TLSv1 protocol only. \&\fIUsually you don't have to include it explicitly because it's already included by ssl.h\fR. .SH "API FUNCTIONS" .IX Header "API FUNCTIONS" Currently the OpenSSL \fBssl\fR library exports 214 \s-1API\s0 functions. They are documented in the following: .SS "Dealing with Protocol Methods" .IX Subsection "Dealing with Protocol Methods" Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 protocol methods defined in \fB\s-1SSL_METHOD\s0\fR structures. 
.IP "const \s-1SSL_METHOD\s0 *\fBTLS_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLS_method(void);" Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for clients, servers or both. See \fBSSL_CTX_new\fR\|(3) for details. .IP "const \s-1SSL_METHOD\s0 *\fBTLS_client_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLS_client_method(void);" Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for clients. Must be used to support the TLSv1.3 protocol. .IP "const \s-1SSL_METHOD\s0 *\fBTLS_server_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLS_server_method(void);" Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for servers. Must be used to support the TLSv1.3 protocol. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_2_method(void);" Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for clients, servers or both. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_client_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_2_client_method(void);" Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for clients. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_server_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_2_server_method(void);" Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for servers. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_1_method(void);" Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for clients, servers or both. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_client_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_1_client_method(void);" Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for clients. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_server_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_1_server_method(void);" Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for servers. 
.IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_method(void);" Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for clients, servers or both. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_client_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_client_method(void);" Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for clients. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_server_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_server_method(void);" Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for servers. .IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_method\fR(void);" 4 .IX Item "const SSL_METHOD *SSLv3_method(void);" Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for clients, servers or both. .IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_client_method\fR(void);" 4 .IX Item "const SSL_METHOD *SSLv3_client_method(void);" Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for clients. .IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_server_method\fR(void);" 4 .IX Item "const SSL_METHOD *SSLv3_server_method(void);" Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for servers. .SS "Dealing with Ciphers" .IX Subsection "Dealing with Ciphers" Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 ciphers defined in \fB\s-1SSL_CIPHER\s0\fR structures. .IP "char *\fBSSL_CIPHER_description\fR(\s-1SSL_CIPHER\s0 *cipher, char *buf, int len);" 4 .IX Item "char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len);" Write a string to \fIbuf\fR (with a maximum size of \fIlen\fR) containing a human readable description of \fIcipher\fR. Returns \fIbuf\fR. .IP "int \fBSSL_CIPHER_get_bits\fR(\s-1SSL_CIPHER\s0 *cipher, int *alg_bits);" 4 .IX Item "int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *alg_bits);" Determine the number of bits in \fIcipher\fR. 
Because of export crippled ciphers there are two bits: The bits the algorithm supports in general (stored to \&\fIalg_bits\fR) and the bits which are actually used (the return value). .IP "const char *\fBSSL_CIPHER_get_name\fR(\s-1SSL_CIPHER\s0 *cipher);" 4 .IX Item "const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher);" Return the internal name of \fIcipher\fR as a string. These are the various strings defined by the \fISSL3_TXT_xxx\fR and \fITLS1_TXT_xxx\fR definitions in the header files. .IP "const char *\fBSSL_CIPHER_get_version\fR(\s-1SSL_CIPHER\s0 *cipher);" 4 .IX Item "const char *SSL_CIPHER_get_version(SSL_CIPHER *cipher);" Returns a string like "\f(CW\*(C`SSLv3\*(C'\fR\*(L" or \*(R"\f(CW\*(C`TLSv1.2\*(C'\fR" which indicates the \&\s-1SSL/TLS\s0 protocol version to which \fIcipher\fR belongs (i.e. where it was defined in the specification the first time). .SS "Dealing with Protocol Contexts" .IX Subsection "Dealing with Protocol Contexts" Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 protocol context defined in the \fB\s-1SSL_CTX\s0\fR structure. 
.IP "int \fBSSL_CTX_add_client_CA\fR(\s-1SSL_CTX\s0 *ctx, X509 *x);" 4 .IX Item "int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);" .PD 0 .IP "long \fBSSL_CTX_add_extra_chain_cert\fR(\s-1SSL_CTX\s0 *ctx, X509 *x509);" 4 .IX Item "long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);" .IP "int \fBSSL_CTX_add_session\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *c);" 4 .IX Item "int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c);" .IP "int \fBSSL_CTX_check_private_key\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_check_private_key(const SSL_CTX *ctx);" .IP "long \fBSSL_CTX_ctrl\fR(\s-1SSL_CTX\s0 *ctx, int cmd, long larg, char *parg);" 4 .IX Item "long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg);" .IP "void \fBSSL_CTX_flush_sessions\fR(\s-1SSL_CTX\s0 *s, long t);" 4 .IX Item "void SSL_CTX_flush_sessions(SSL_CTX *s, long t);" .IP "void \fBSSL_CTX_free\fR(\s-1SSL_CTX\s0 *a);" 4 .IX Item "void SSL_CTX_free(SSL_CTX *a);" .IP "char *\fBSSL_CTX_get_app_data\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "char *SSL_CTX_get_app_data(SSL_CTX *ctx);" .IP "X509_STORE *\fBSSL_CTX_get_cert_store\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);" .IP "\s-1STACK\s0 *\fBSSL_CTX_get_ciphers\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);" .IP "\s-1STACK\s0 *\fBSSL_CTX_get_client_CA_list\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "STACK *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);" .IP "int (*\fBSSL_CTX_get_client_cert_cb\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, X509 **x509, \s-1EVP_PKEY\s0 **pkey);" 4 .IX Item "int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);" .IP "void \fBSSL_CTX_get_default_read_ahead\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "void SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);" .IP "char *\fBSSL_CTX_get_ex_data\fR(const \s-1SSL_CTX\s0 *s, int idx);" 4 .IX Item "char *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx);" .IP "int 
\fBSSL_CTX_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4 .IX Item "int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" .IP "void (*\fBSSL_CTX_get_info_callback\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, int cb, int ret);" 4 .IX Item "void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);" .IP "int \fBSSL_CTX_get_quiet_shutdown\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);" .IP "void \fBSSL_CTX_get_read_ahead\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "void SSL_CTX_get_read_ahead(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_get_session_cache_mode\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_get_session_cache_mode(SSL_CTX *ctx);" .IP "long \fBSSL_CTX_get_timeout\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "long SSL_CTX_get_timeout(const SSL_CTX *ctx);" .IP "int (*\fBSSL_CTX_get_verify_callback\fR(const \s-1SSL_CTX\s0 *ctx))(int ok, X509_STORE_CTX *ctx);" 4 .IX Item "int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);" .IP "int \fBSSL_CTX_get_verify_mode\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_get_verify_mode(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_load_verify_locations\fR(\s-1SSL_CTX\s0 *ctx, const char *CAfile, const char *CApath);" 4 .IX Item "int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);" .IP "\s-1SSL_CTX\s0 *\fBSSL_CTX_new\fR(const \s-1SSL_METHOD\s0 *meth);" 4 .IX Item "SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);" .IP "int SSL_CTX_up_ref(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_up_ref(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_remove_session\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *c);" 4 .IX Item "int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c);" .IP "int \fBSSL_CTX_sess_accept\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_accept(SSL_CTX *ctx);" .IP "int 
\fBSSL_CTX_sess_accept_good\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_accept_good(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_accept_renegotiate\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_cache_full\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_cache_full(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_cb_hits\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_cb_hits(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_connect\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_connect(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_connect_good\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_connect_good(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_connect_renegotiate\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_get_cache_size\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_get_cache_size(SSL_CTX *ctx);" .IP "\s-1SSL_SESSION\s0 *(*\fBSSL_CTX_sess_get_get_cb\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, unsigned char *data, int len, int *copy);" 4 .IX Item "SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, int len, int *copy);" .IP "int (*\fBSSL_CTX_sess_get_new_cb\fR(\s-1SSL_CTX\s0 *ctx)(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *sess);" 4 .IX Item "int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)(SSL *ssl, SSL_SESSION *sess);" .IP "void (*\fBSSL_CTX_sess_get_remove_cb\fR(\s-1SSL_CTX\s0 *ctx)(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *sess);" 4 .IX Item "void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)(SSL_CTX *ctx, SSL_SESSION *sess);" .IP "int \fBSSL_CTX_sess_hits\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_hits(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_misses\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_misses(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_number\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_number(SSL_CTX *ctx);" .IP "void 
\fBSSL_CTX_sess_set_cache_size\fR(\s-1SSL_CTX\s0 *ctx, t);" 4 .IX Item "void SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, t);" .IP "void \fBSSL_CTX_sess_set_get_cb\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *(*cb)(\s-1SSL\s0 *ssl, unsigned char *data, int len, int *copy));" 4 .IX Item "void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(SSL *ssl, unsigned char *data, int len, int *copy));" .IP "void \fBSSL_CTX_sess_set_new_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *sess));" 4 .IX Item "void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, SSL_SESSION *sess));" .IP "void \fBSSL_CTX_sess_set_remove_cb\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *sess));" 4 .IX Item "void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess));" .IP "int \fBSSL_CTX_sess_timeouts\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_timeouts(SSL_CTX *ctx);" .IP "\s-1LHASH\s0 *\fBSSL_CTX_sessions\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "LHASH *SSL_CTX_sessions(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_set_app_data\fR(\s-1SSL_CTX\s0 *ctx, void *arg);" 4 .IX Item "int SSL_CTX_set_app_data(SSL_CTX *ctx, void *arg);" .IP "void \fBSSL_CTX_set_cert_store\fR(\s-1SSL_CTX\s0 *ctx, X509_STORE *cs);" 4 .IX Item "void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *cs);" .IP "void \fBSSL_CTX_set1_cert_store\fR(\s-1SSL_CTX\s0 *ctx, X509_STORE *cs);" 4 .IX Item "void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *cs);" .IP "void \fBSSL_CTX_set_cert_verify_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(), char *arg)" 4 .IX Item "void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(), char *arg)" .IP "int \fBSSL_CTX_set_cipher_list\fR(\s-1SSL_CTX\s0 *ctx, char *str);" 4 .IX Item "int SSL_CTX_set_cipher_list(SSL_CTX *ctx, char *str);" .IP "void \fBSSL_CTX_set_client_CA_list\fR(\s-1SSL_CTX\s0 *ctx, \s-1STACK\s0 *list);" 4 .IX Item "void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK *list);" .IP "void 
\fBSSL_CTX_set_client_cert_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(\s-1SSL\s0 *ssl, X509 **x509, \s-1EVP_PKEY\s0 **pkey));" 4 .IX Item "void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));" .IP "int \fBSSL_CTX_set_ct_validation_callback\fR(\s-1SSL_CTX\s0 *ctx, ssl_ct_validation_cb callback, void *arg);" 4 .IX Item "int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, ssl_ct_validation_cb callback, void *arg);" .IP "void \fBSSL_CTX_set_default_passwd_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb);(void))" 4 .IX Item "void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, int (*cb);(void))" .IP "void \fBSSL_CTX_set_default_read_ahead\fR(\s-1SSL_CTX\s0 *ctx, int m);" 4 .IX Item "void SSL_CTX_set_default_read_ahead(SSL_CTX *ctx, int m);" .IP "int \fBSSL_CTX_set_default_verify_paths\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);" .PD Use the default paths to locate trusted \s-1CA\s0 certificates. There is one default directory path and one default file path. Both are set via this call. .IP "int \fBSSL_CTX_set_default_verify_dir\fR(\s-1SSL_CTX\s0 *ctx)" 4 .IX Item "int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)" Use the default directory path to locate trusted \s-1CA\s0 certificates. .IP "int \fBSSL_CTX_set_default_verify_file\fR(\s-1SSL_CTX\s0 *ctx)" 4 .IX Item "int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)" Use the file path to locate trusted \s-1CA\s0 certificates. 
.IP "int \fBSSL_CTX_set_ex_data\fR(\s-1SSL_CTX\s0 *s, int idx, char *arg);" 4 .IX Item "int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, char *arg);" .PD 0 .IP "void \fBSSL_CTX_set_info_callback\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(\s-1SSL\s0 *ssl, int cb, int ret));" 4 .IX Item "void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(SSL *ssl, int cb, int ret));" .IP "void \fBSSL_CTX_set_msg_callback\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, \s-1SSL\s0 *ssl, void *arg));" 4 .IX Item "void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));" .IP "void \fBSSL_CTX_set_msg_callback_arg\fR(\s-1SSL_CTX\s0 *ctx, void *arg);" 4 .IX Item "void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);" .IP "unsigned long \fBSSL_CTX_clear_options\fR(\s-1SSL_CTX\s0 *ctx, unsigned long op);" 4 .IX Item "unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);" .IP "unsigned long \fBSSL_CTX_get_options\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "unsigned long SSL_CTX_get_options(SSL_CTX *ctx);" .IP "unsigned long \fBSSL_CTX_set_options\fR(\s-1SSL_CTX\s0 *ctx, unsigned long op);" 4 .IX Item "unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);" .IP "void \fBSSL_CTX_set_quiet_shutdown\fR(\s-1SSL_CTX\s0 *ctx, int mode);" 4 .IX Item "void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);" .IP "void \fBSSL_CTX_set_read_ahead\fR(\s-1SSL_CTX\s0 *ctx, int m);" 4 .IX Item "void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int m);" .IP "void \fBSSL_CTX_set_session_cache_mode\fR(\s-1SSL_CTX\s0 *ctx, int mode);" 4 .IX Item "void SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode);" .IP "int \fBSSL_CTX_set_ssl_version\fR(\s-1SSL_CTX\s0 *ctx, const \s-1SSL_METHOD\s0 *meth);" 4 .IX Item "int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);" .IP "void \fBSSL_CTX_set_timeout\fR(\s-1SSL_CTX\s0 *ctx, long t);" 4 .IX 
Item "void SSL_CTX_set_timeout(SSL_CTX *ctx, long t);" .IP "long \fBSSL_CTX_set_tmp_dh\fR(SSL_CTX* ctx, \s-1DH\s0 *dh);" 4 .IX Item "long SSL_CTX_set_tmp_dh(SSL_CTX* ctx, DH *dh);" .IP "long \fBSSL_CTX_set_tmp_dh_callback\fR(\s-1SSL_CTX\s0 *ctx, \s-1DH\s0 *(*cb)(void));" 4 .IX Item "long SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*cb)(void));" .IP "void \fBSSL_CTX_set_verify\fR(\s-1SSL_CTX\s0 *ctx, int mode, int (*cb);(void))" 4 .IX Item "void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb);(void))" .IP "int \fBSSL_CTX_use_PrivateKey\fR(\s-1SSL_CTX\s0 *ctx, \s-1EVP_PKEY\s0 *pkey);" 4 .IX Item "int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);" .IP "int \fBSSL_CTX_use_PrivateKey_ASN1\fR(int type, \s-1SSL_CTX\s0 *ctx, unsigned char *d, long len);" 4 .IX Item "int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, long len);" .IP "int \fBSSL_CTX_use_PrivateKey_file\fR(\s-1SSL_CTX\s0 *ctx, const char *file, int type);" 4 .IX Item "int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);" .IP "int \fBSSL_CTX_use_RSAPrivateKey\fR(\s-1SSL_CTX\s0 *ctx, \s-1RSA\s0 *rsa);" 4 .IX Item "int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);" .IP "int \fBSSL_CTX_use_RSAPrivateKey_ASN1\fR(\s-1SSL_CTX\s0 *ctx, unsigned char *d, long len);" 4 .IX Item "int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);" .IP "int \fBSSL_CTX_use_RSAPrivateKey_file\fR(\s-1SSL_CTX\s0 *ctx, const char *file, int type);" 4 .IX Item "int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);" .IP "int \fBSSL_CTX_use_certificate\fR(\s-1SSL_CTX\s0 *ctx, X509 *x);" 4 .IX Item "int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);" .IP "int \fBSSL_CTX_use_certificate_ASN1\fR(\s-1SSL_CTX\s0 *ctx, int len, unsigned char *d);" 4 .IX Item "int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);" .IP "int \fBSSL_CTX_use_certificate_file\fR(\s-1SSL_CTX\s0 *ctx, const char *file, int type);" 4 .IX 
Item "int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);" .IP "int \fBSSL_CTX_use_cert_and_key\fR(\s-1SSL_CTX\s0 *ctx, X509 *x, \s-1EVP_PKEY\s0 *pkey, \s-1STACK_OF\s0(X509) *chain, int override);" 4 .IX Item "int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);" .IP "X509 *\fBSSL_CTX_get0_certificate\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);" .IP "\s-1EVP_PKEY\s0 *\fBSSL_CTX_get0_privatekey\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);" .IP "void \fBSSL_CTX_set_psk_client_callback\fR(\s-1SSL_CTX\s0 *ctx, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" 4 .IX Item "void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" .IP "int \fBSSL_CTX_use_psk_identity_hint\fR(\s-1SSL_CTX\s0 *ctx, const char *hint);" 4 .IX Item "int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint);" .IP "void \fBSSL_CTX_set_psk_server_callback\fR(\s-1SSL_CTX\s0 *ctx, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *identity, unsigned char *psk, int max_psk_len));" 4 .IX Item "void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));" .PD .SS "Dealing with Sessions" .IX Subsection "Dealing with Sessions" Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 sessions defined in the \fB\s-1SSL_SESSION\s0\fR structures. 
.IP "int \fBSSL_SESSION_cmp\fR(const \s-1SSL_SESSION\s0 *a, const \s-1SSL_SESSION\s0 *b);" 4 .IX Item "int SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b);" .PD 0 .IP "void \fBSSL_SESSION_free\fR(\s-1SSL_SESSION\s0 *ss);" 4 .IX Item "void SSL_SESSION_free(SSL_SESSION *ss);" .IP "char *\fBSSL_SESSION_get_app_data\fR(\s-1SSL_SESSION\s0 *s);" 4 .IX Item "char *SSL_SESSION_get_app_data(SSL_SESSION *s);" .IP "char *\fBSSL_SESSION_get_ex_data\fR(const \s-1SSL_SESSION\s0 *s, int idx);" 4 .IX Item "char *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx);" .IP "int \fBSSL_SESSION_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4 .IX Item "int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" .IP "long \fBSSL_SESSION_get_time\fR(const \s-1SSL_SESSION\s0 *s);" 4 .IX Item "long SSL_SESSION_get_time(const SSL_SESSION *s);" .IP "long \fBSSL_SESSION_get_timeout\fR(const \s-1SSL_SESSION\s0 *s);" 4 .IX Item "long SSL_SESSION_get_timeout(const SSL_SESSION *s);" .IP "unsigned long \fBSSL_SESSION_hash\fR(const \s-1SSL_SESSION\s0 *a);" 4 .IX Item "unsigned long SSL_SESSION_hash(const SSL_SESSION *a);" .IP "\s-1SSL_SESSION\s0 *\fBSSL_SESSION_new\fR(void);" 4 .IX Item "SSL_SESSION *SSL_SESSION_new(void);" .IP "int \fBSSL_SESSION_print\fR(\s-1BIO\s0 *bp, const \s-1SSL_SESSION\s0 *x);" 4 .IX Item "int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x);" .IP "int \fBSSL_SESSION_print_fp\fR(\s-1FILE\s0 *fp, const \s-1SSL_SESSION\s0 *x);" 4 .IX Item "int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x);" .IP "int \fBSSL_SESSION_set_app_data\fR(\s-1SSL_SESSION\s0 *s, char *a);" 4 .IX Item "int SSL_SESSION_set_app_data(SSL_SESSION *s, char *a);" .IP "int \fBSSL_SESSION_set_ex_data\fR(\s-1SSL_SESSION\s0 *s, int idx, char *arg);" 4 .IX Item "int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, char *arg);" .IP "long 
\fBSSL_SESSION_set_time\fR(\s-1SSL_SESSION\s0 *s, long t);" 4 .IX Item "long SSL_SESSION_set_time(SSL_SESSION *s, long t);" .IP "long \fBSSL_SESSION_set_timeout\fR(\s-1SSL_SESSION\s0 *s, long t);" 4 .IX Item "long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);" .PD .SS "Dealing with Connections" .IX Subsection "Dealing with Connections" Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 connection defined in the \fB\s-1SSL\s0\fR structure. .IP "int \fBSSL_accept\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_accept(SSL *ssl);" .PD 0 .IP "int \fBSSL_add_dir_cert_subjects_to_stack\fR(\s-1STACK\s0 *stack, const char *dir);" 4 .IX Item "int SSL_add_dir_cert_subjects_to_stack(STACK *stack, const char *dir);" .IP "int \fBSSL_add_file_cert_subjects_to_stack\fR(\s-1STACK\s0 *stack, const char *file);" 4 .IX Item "int SSL_add_file_cert_subjects_to_stack(STACK *stack, const char *file);" .IP "int \fBSSL_add_client_CA\fR(\s-1SSL\s0 *ssl, X509 *x);" 4 .IX Item "int SSL_add_client_CA(SSL *ssl, X509 *x);" .IP "char *\fBSSL_alert_desc_string\fR(int value);" 4 .IX Item "char *SSL_alert_desc_string(int value);" .IP "char *\fBSSL_alert_desc_string_long\fR(int value);" 4 .IX Item "char *SSL_alert_desc_string_long(int value);" .IP "char *\fBSSL_alert_type_string\fR(int value);" 4 .IX Item "char *SSL_alert_type_string(int value);" .IP "char *\fBSSL_alert_type_string_long\fR(int value);" 4 .IX Item "char *SSL_alert_type_string_long(int value);" .IP "int \fBSSL_check_private_key\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_check_private_key(const SSL *ssl);" .IP "void \fBSSL_clear\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "void SSL_clear(SSL *ssl);" .IP "long \fBSSL_clear_num_renegotiations\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_clear_num_renegotiations(SSL *ssl);" .IP "int \fBSSL_connect\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_connect(SSL *ssl);" .IP "int \fBSSL_copy_session_id\fR(\s-1SSL\s0 *t, const \s-1SSL\s0 *f);" 4 .IX Item "int 
SSL_copy_session_id(SSL *t, const SSL *f);" .PD Sets the session details for \fBt\fR to be the same as in \fBf\fR. Returns 1 on success or 0 on failure. .IP "long \fBSSL_ctrl\fR(\s-1SSL\s0 *ssl, int cmd, long larg, char *parg);" 4 .IX Item "long SSL_ctrl(SSL *ssl, int cmd, long larg, char *parg);" .PD 0 .IP "int \fBSSL_do_handshake\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_do_handshake(SSL *ssl);" .IP "\s-1SSL\s0 *\fBSSL_dup\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "SSL *SSL_dup(SSL *ssl);" .PD \&\fBSSL_dup()\fR allows applications to configure an \s-1SSL\s0 handle for use in multiple \s-1SSL\s0 connections, and then duplicate it prior to initiating each connection with the duplicated handle. Use of \fBSSL_dup()\fR avoids the need to repeat the configuration of the handles for each connection. .Sp For \fBSSL_dup()\fR to work, the connection \s-1MUST\s0 be in its initial state and \s-1MUST NOT\s0 have yet started the \s-1SSL\s0 handshake. For connections that are not in their initial state \fBSSL_dup()\fR just increments an internal reference count and returns the \fIsame\fR handle. It may be possible to use \fBSSL_clear\fR\|(3) to recycle an \s-1SSL\s0 handle that is not in its initial state for re-use, but this is best avoided. Instead, save and restore the session, if desired, and construct a fresh handle for each connection. 
.IP "\s-1STACK\s0 *\fBSSL_dup_CA_list\fR(\s-1STACK\s0 *sk);" 4 .IX Item "STACK *SSL_dup_CA_list(STACK *sk);" .PD 0 .IP "void \fBSSL_free\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "void SSL_free(SSL *ssl);" .IP "\s-1SSL_CTX\s0 *\fBSSL_get_SSL_CTX\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);" .IP "char *\fBSSL_get_app_data\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_get_app_data(SSL *ssl);" .IP "X509 *\fBSSL_get_certificate\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "X509 *SSL_get_certificate(const SSL *ssl);" .IP "const char *\fBSSL_get_cipher\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "const char *SSL_get_cipher(const SSL *ssl);" .IP "int \fBSSL_is_dtls\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_is_dtls(const SSL *ssl);" .IP "int \fBSSL_get_cipher_bits\fR(const \s-1SSL\s0 *ssl, int *alg_bits);" 4 .IX Item "int SSL_get_cipher_bits(const SSL *ssl, int *alg_bits);" .IP "char *\fBSSL_get_cipher_list\fR(const \s-1SSL\s0 *ssl, int n);" 4 .IX Item "char *SSL_get_cipher_list(const SSL *ssl, int n);" .IP "char *\fBSSL_get_cipher_name\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_get_cipher_name(const SSL *ssl);" .IP "char *\fBSSL_get_cipher_version\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_get_cipher_version(const SSL *ssl);" .IP "\s-1STACK\s0 *\fBSSL_get_ciphers\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "STACK *SSL_get_ciphers(const SSL *ssl);" .IP "\s-1STACK\s0 *\fBSSL_get_client_CA_list\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "STACK *SSL_get_client_CA_list(const SSL *ssl);" .IP "\s-1SSL_CIPHER\s0 *\fBSSL_get_current_cipher\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);" .IP "long \fBSSL_get_default_timeout\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_get_default_timeout(const SSL *ssl);" .IP "int \fBSSL_get_error\fR(const \s-1SSL\s0 *ssl, int i);" 4 .IX Item "int SSL_get_error(const SSL *ssl, int i);" .IP "char *\fBSSL_get_ex_data\fR(const \s-1SSL\s0 *ssl, int idx);" 4 .IX Item "char 
*SSL_get_ex_data(const SSL *ssl, int idx);" .IP "int \fBSSL_get_ex_data_X509_STORE_CTX_idx\fR(void);" 4 .IX Item "int SSL_get_ex_data_X509_STORE_CTX_idx(void);" .IP "int \fBSSL_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4 .IX Item "int SSL_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" .IP "int \fBSSL_get_fd\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_get_fd(const SSL *ssl);" .IP "void (*\fBSSL_get_info_callback\fR(const \s-1SSL\s0 *ssl);)()" 4 .IX Item "void (*SSL_get_info_callback(const SSL *ssl);)()" .IP "int \fBSSL_get_key_update_type\fR(\s-1SSL\s0 *s);" 4 .IX Item "int SSL_get_key_update_type(SSL *s);" .IP "\s-1STACK\s0 *\fBSSL_get_peer_cert_chain\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "STACK *SSL_get_peer_cert_chain(const SSL *ssl);" .IP "X509 *\fBSSL_get_peer_certificate\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "X509 *SSL_get_peer_certificate(const SSL *ssl);" .IP "const \s-1STACK_OF\s0(\s-1SCT\s0) *\fBSSL_get0_peer_scts\fR(\s-1SSL\s0 *s);" 4 .IX Item "const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s);" .IP "\s-1EVP_PKEY\s0 *\fBSSL_get_privatekey\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "EVP_PKEY *SSL_get_privatekey(const SSL *ssl);" .IP "int \fBSSL_get_quiet_shutdown\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_get_quiet_shutdown(const SSL *ssl);" .IP "\s-1BIO\s0 *\fBSSL_get_rbio\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "BIO *SSL_get_rbio(const SSL *ssl);" .IP "int \fBSSL_get_read_ahead\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_get_read_ahead(const SSL *ssl);" .IP "\s-1SSL_SESSION\s0 *\fBSSL_get_session\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "SSL_SESSION *SSL_get_session(const SSL *ssl);" .IP "char *\fBSSL_get_shared_ciphers\fR(const \s-1SSL\s0 *ssl, char *buf, int size);" 4 .IX Item "char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int size);" .IP "int \fBSSL_get_shutdown\fR(const \s-1SSL\s0 *ssl);" 4 .IX 
Item "int SSL_get_shutdown(const SSL *ssl);" .IP "const \s-1SSL_METHOD\s0 *\fBSSL_get_ssl_method\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "const SSL_METHOD *SSL_get_ssl_method(SSL *ssl);" .IP "int \fBSSL_get_state\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_get_state(const SSL *ssl);" .IP "long \fBSSL_get_time\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_get_time(const SSL *ssl);" .IP "long \fBSSL_get_timeout\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_get_timeout(const SSL *ssl);" .IP "int (*\fBSSL_get_verify_callback\fR(const \s-1SSL\s0 *ssl))(int, X509_STORE_CTX *)" 4 .IX Item "int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *)" .IP "int \fBSSL_get_verify_mode\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_get_verify_mode(const SSL *ssl);" .IP "long \fBSSL_get_verify_result\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_get_verify_result(const SSL *ssl);" .IP "char *\fBSSL_get_version\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_get_version(const SSL *ssl);" .IP "\s-1BIO\s0 *\fBSSL_get_wbio\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "BIO *SSL_get_wbio(const SSL *ssl);" .IP "int \fBSSL_in_accept_init\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_in_accept_init(SSL *ssl);" .IP "int \fBSSL_in_before\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_in_before(SSL *ssl);" .IP "int \fBSSL_in_connect_init\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_in_connect_init(SSL *ssl);" .IP "int \fBSSL_in_init\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_in_init(SSL *ssl);" .IP "int \fBSSL_is_init_finished\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_is_init_finished(SSL *ssl);" .IP "int \fBSSL_key_update\fR(\s-1SSL\s0 *s, int updatetype);" 4 .IX Item "int SSL_key_update(SSL *s, int updatetype);" .IP "\s-1STACK\s0 *\fBSSL_load_client_CA_file\fR(const char *file);" 4 .IX Item "STACK *SSL_load_client_CA_file(const char *file);" .IP "\s-1SSL\s0 *\fBSSL_new\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "SSL *SSL_new(SSL_CTX *ctx);" .IP "int SSL_up_ref(\s-1SSL\s0 *s);" 4 .IX Item "int 
SSL_up_ref(SSL *s);" .IP "long \fBSSL_num_renegotiations\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_num_renegotiations(SSL *ssl);" .IP "int \fBSSL_peek\fR(\s-1SSL\s0 *ssl, void *buf, int num);" 4 .IX Item "int SSL_peek(SSL *ssl, void *buf, int num);" .IP "int \fBSSL_pending\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_pending(const SSL *ssl);" .IP "int \fBSSL_read\fR(\s-1SSL\s0 *ssl, void *buf, int num);" 4 .IX Item "int SSL_read(SSL *ssl, void *buf, int num);" .IP "int \fBSSL_renegotiate\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_renegotiate(SSL *ssl);" .IP "char *\fBSSL_rstate_string\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_rstate_string(SSL *ssl);" .IP "char *\fBSSL_rstate_string_long\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_rstate_string_long(SSL *ssl);" .IP "long \fBSSL_session_reused\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_session_reused(SSL *ssl);" .IP "void \fBSSL_set_accept_state\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "void SSL_set_accept_state(SSL *ssl);" .IP "void \fBSSL_set_app_data\fR(\s-1SSL\s0 *ssl, char *arg);" 4 .IX Item "void SSL_set_app_data(SSL *ssl, char *arg);" .IP "void \fBSSL_set_bio\fR(\s-1SSL\s0 *ssl, \s-1BIO\s0 *rbio, \s-1BIO\s0 *wbio);" 4 .IX Item "void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);" .IP "int \fBSSL_set_cipher_list\fR(\s-1SSL\s0 *ssl, char *str);" 4 .IX Item "int SSL_set_cipher_list(SSL *ssl, char *str);" .IP "void \fBSSL_set_client_CA_list\fR(\s-1SSL\s0 *ssl, \s-1STACK\s0 *list);" 4 .IX Item "void SSL_set_client_CA_list(SSL *ssl, STACK *list);" .IP "void \fBSSL_set_connect_state\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "void SSL_set_connect_state(SSL *ssl);" .IP "int \fBSSL_set_ct_validation_callback\fR(\s-1SSL\s0 *ssl, ssl_ct_validation_cb callback, void *arg);" 4 .IX Item "int SSL_set_ct_validation_callback(SSL *ssl, ssl_ct_validation_cb callback, void *arg);" .IP "int \fBSSL_set_ex_data\fR(\s-1SSL\s0 *ssl, int idx, char *arg);" 4 .IX Item "int SSL_set_ex_data(SSL *ssl, int idx, char *arg);" .IP "int 
\fBSSL_set_fd\fR(\s-1SSL\s0 *ssl, int fd);" 4 .IX Item "int SSL_set_fd(SSL *ssl, int fd);" .IP "void \fBSSL_set_info_callback\fR(\s-1SSL\s0 *ssl, void (*cb);(void))" 4 .IX Item "void SSL_set_info_callback(SSL *ssl, void (*cb);(void))" .IP "void \fBSSL_set_msg_callback\fR(\s-1SSL\s0 *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, \s-1SSL\s0 *ssl, void *arg));" 4 .IX Item "void SSL_set_msg_callback(SSL *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));" .IP "void \fBSSL_set_msg_callback_arg\fR(\s-1SSL\s0 *ctx, void *arg);" 4 .IX Item "void SSL_set_msg_callback_arg(SSL *ctx, void *arg);" .IP "unsigned long \fBSSL_clear_options\fR(\s-1SSL\s0 *ssl, unsigned long op);" 4 .IX Item "unsigned long SSL_clear_options(SSL *ssl, unsigned long op);" .IP "unsigned long \fBSSL_get_options\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "unsigned long SSL_get_options(SSL *ssl);" .IP "unsigned long \fBSSL_set_options\fR(\s-1SSL\s0 *ssl, unsigned long op);" 4 .IX Item "unsigned long SSL_set_options(SSL *ssl, unsigned long op);" .IP "void \fBSSL_set_quiet_shutdown\fR(\s-1SSL\s0 *ssl, int mode);" 4 .IX Item "void SSL_set_quiet_shutdown(SSL *ssl, int mode);" .IP "void \fBSSL_set_read_ahead\fR(\s-1SSL\s0 *ssl, int yes);" 4 .IX Item "void SSL_set_read_ahead(SSL *ssl, int yes);" .IP "int \fBSSL_set_rfd\fR(\s-1SSL\s0 *ssl, int fd);" 4 .IX Item "int SSL_set_rfd(SSL *ssl, int fd);" .IP "int \fBSSL_set_session\fR(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *session);" 4 .IX Item "int SSL_set_session(SSL *ssl, SSL_SESSION *session);" .IP "void \fBSSL_set_shutdown\fR(\s-1SSL\s0 *ssl, int mode);" 4 .IX Item "void SSL_set_shutdown(SSL *ssl, int mode);" .IP "int \fBSSL_set_ssl_method\fR(\s-1SSL\s0 *ssl, const \s-1SSL_METHOD\s0 *meth);" 4 .IX Item "int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *meth);" .IP "void \fBSSL_set_time\fR(\s-1SSL\s0 *ssl, long t);" 4 .IX Item "void SSL_set_time(SSL *ssl, long t);" .IP "void 
\fBSSL_set_timeout\fR(\s-1SSL\s0 *ssl, long t);" 4 .IX Item "void SSL_set_timeout(SSL *ssl, long t);" .IP "void \fBSSL_set_verify\fR(\s-1SSL\s0 *ssl, int mode, int (*callback);(void))" 4 .IX Item "void SSL_set_verify(SSL *ssl, int mode, int (*callback);(void))" .IP "void \fBSSL_set_verify_result\fR(\s-1SSL\s0 *ssl, long arg);" 4 .IX Item "void SSL_set_verify_result(SSL *ssl, long arg);" .IP "int \fBSSL_set_wfd\fR(\s-1SSL\s0 *ssl, int fd);" 4 .IX Item "int SSL_set_wfd(SSL *ssl, int fd);" .IP "int \fBSSL_shutdown\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_shutdown(SSL *ssl);" .IP "\s-1OSSL_HANDSHAKE_STATE\s0 \fBSSL_get_state\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);" .PD Returns the current handshake state. .IP "char *\fBSSL_state_string\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_state_string(const SSL *ssl);" .PD 0 .IP "char *\fBSSL_state_string_long\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_state_string_long(const SSL *ssl);" .IP "long \fBSSL_total_renegotiations\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_total_renegotiations(SSL *ssl);" .IP "int \fBSSL_use_PrivateKey\fR(\s-1SSL\s0 *ssl, \s-1EVP_PKEY\s0 *pkey);" 4 .IX Item "int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);" .IP "int \fBSSL_use_PrivateKey_ASN1\fR(int type, \s-1SSL\s0 *ssl, unsigned char *d, long len);" 4 .IX Item "int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len);" .IP "int \fBSSL_use_PrivateKey_file\fR(\s-1SSL\s0 *ssl, const char *file, int type);" 4 .IX Item "int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);" .IP "int \fBSSL_use_RSAPrivateKey\fR(\s-1SSL\s0 *ssl, \s-1RSA\s0 *rsa);" 4 .IX Item "int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);" .IP "int \fBSSL_use_RSAPrivateKey_ASN1\fR(\s-1SSL\s0 *ssl, unsigned char *d, long len);" 4 .IX Item "int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);" .IP "int \fBSSL_use_RSAPrivateKey_file\fR(\s-1SSL\s0 *ssl, const char *file, int 
type);" 4 .IX Item "int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);" .IP "int \fBSSL_use_certificate\fR(\s-1SSL\s0 *ssl, X509 *x);" 4 .IX Item "int SSL_use_certificate(SSL *ssl, X509 *x);" .IP "int \fBSSL_use_certificate_ASN1\fR(\s-1SSL\s0 *ssl, int len, unsigned char *d);" 4 .IX Item "int SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d);" .IP "int \fBSSL_use_certificate_file\fR(\s-1SSL\s0 *ssl, const char *file, int type);" 4 .IX Item "int SSL_use_certificate_file(SSL *ssl, const char *file, int type);" .IP "int \fBSSL_use_cert_and_key\fR(\s-1SSL\s0 *ssl, X509 *x, \s-1EVP_PKEY\s0 *pkey, \s-1STACK_OF\s0(X509) *chain, int override);" 4 .IX Item "int SSL_use_cert_and_key(SSL *ssl, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);" .IP "int \fBSSL_version\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_version(const SSL *ssl);" .IP "int \fBSSL_want\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_want(const SSL *ssl);" .IP "int \fBSSL_want_nothing\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_want_nothing(const SSL *ssl);" .IP "int \fBSSL_want_read\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_want_read(const SSL *ssl);" .IP "int \fBSSL_want_write\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_want_write(const SSL *ssl);" .IP "int \fBSSL_want_x509_lookup\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_want_x509_lookup(const SSL *ssl);" .IP "int \fBSSL_write\fR(\s-1SSL\s0 *ssl, const void *buf, int num);" 4 .IX Item "int SSL_write(SSL *ssl, const void *buf, int num);" .IP "void \fBSSL_set_psk_client_callback\fR(\s-1SSL\s0 *ssl, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" 4 .IX Item "void SSL_set_psk_client_callback(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" .IP "int 
\fBSSL_use_psk_identity_hint\fR(\s-1SSL\s0 *ssl, const char *hint);" 4 .IX Item "int SSL_use_psk_identity_hint(SSL *ssl, const char *hint);" .IP "void \fBSSL_set_psk_server_callback\fR(\s-1SSL\s0 *ssl, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *identity, unsigned char *psk, int max_psk_len));" 4 .IX Item "void SSL_set_psk_server_callback(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));" .IP "const char *\fBSSL_get_psk_identity_hint\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "const char *SSL_get_psk_identity_hint(SSL *ssl);" .IP "const char *\fBSSL_get_psk_identity\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "const char *SSL_get_psk_identity(SSL *ssl);" .PD .SH "RETURN VALUES" .IX Header "RETURN VALUES" See the individual manual pages for details. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBopenssl\fR\|(1), \fBcrypto\fR\|(7), \&\fBCRYPTO_get_ex_new_index\fR\|(3), \&\fBSSL_accept\fR\|(3), \fBSSL_clear\fR\|(3), \&\fBSSL_connect\fR\|(3), \&\fBSSL_CIPHER_get_name\fR\|(3), \&\fBSSL_COMP_add_compression_method\fR\|(3), \&\fBSSL_CTX_add_extra_chain_cert\fR\|(3), \&\fBSSL_CTX_add_session\fR\|(3), \&\fBSSL_CTX_ctrl\fR\|(3), \&\fBSSL_CTX_flush_sessions\fR\|(3), \&\fBSSL_CTX_get_verify_mode\fR\|(3), \&\fBSSL_CTX_load_verify_locations\fR\|(3) \&\fBSSL_CTX_new\fR\|(3), \&\fBSSL_CTX_sess_number\fR\|(3), \&\fBSSL_CTX_sess_set_cache_size\fR\|(3), \&\fBSSL_CTX_sess_set_get_cb\fR\|(3), \&\fBSSL_CTX_sessions\fR\|(3), \&\fBSSL_CTX_set_cert_store\fR\|(3), \&\fBSSL_CTX_set_cert_verify_callback\fR\|(3), \&\fBSSL_CTX_set_cipher_list\fR\|(3), \&\fBSSL_CTX_set_client_CA_list\fR\|(3), \&\fBSSL_CTX_set_client_cert_cb\fR\|(3), \&\fBSSL_CTX_set_default_passwd_cb\fR\|(3), \&\fBSSL_CTX_set_generate_session_id\fR\|(3), \&\fBSSL_CTX_set_info_callback\fR\|(3), \&\fBSSL_CTX_set_max_cert_list\fR\|(3), \&\fBSSL_CTX_set_mode\fR\|(3), \&\fBSSL_CTX_set_msg_callback\fR\|(3), \&\fBSSL_CTX_set_options\fR\|(3), \&\fBSSL_CTX_set_quiet_shutdown\fR\|(3), 
\&\fBSSL_CTX_set_read_ahead\fR\|(3), \&\fBSSL_CTX_set_security_level\fR\|(3), \&\fBSSL_CTX_set_session_cache_mode\fR\|(3), \&\fBSSL_CTX_set_session_id_context\fR\|(3), \&\fBSSL_CTX_set_ssl_version\fR\|(3), \&\fBSSL_CTX_set_timeout\fR\|(3), \&\fBSSL_CTX_set_tmp_dh_callback\fR\|(3), \&\fBSSL_CTX_set_verify\fR\|(3), \&\fBSSL_CTX_use_certificate\fR\|(3), \&\fBSSL_alert_type_string\fR\|(3), \&\fBSSL_do_handshake\fR\|(3), \&\fBSSL_enable_ct\fR\|(3), \&\fBSSL_get_SSL_CTX\fR\|(3), \&\fBSSL_get_ciphers\fR\|(3), \&\fBSSL_get_client_CA_list\fR\|(3), \&\fBSSL_get_default_timeout\fR\|(3), \&\fBSSL_get_error\fR\|(3), \&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3), \&\fBSSL_get_fd\fR\|(3), \&\fBSSL_get_peer_cert_chain\fR\|(3), \&\fBSSL_get_rbio\fR\|(3), \&\fBSSL_get_session\fR\|(3), \&\fBSSL_get_verify_result\fR\|(3), \&\fBSSL_get_version\fR\|(3), \&\fBSSL_load_client_CA_file\fR\|(3), \&\fBSSL_new\fR\|(3), \&\fBSSL_pending\fR\|(3), \&\fBSSL_read_ex\fR\|(3), \&\fBSSL_read\fR\|(3), \&\fBSSL_rstate_string\fR\|(3), \&\fBSSL_session_reused\fR\|(3), \&\fBSSL_set_bio\fR\|(3), \&\fBSSL_set_connect_state\fR\|(3), \&\fBSSL_set_fd\fR\|(3), \&\fBSSL_set_session\fR\|(3), \&\fBSSL_set_shutdown\fR\|(3), \&\fBSSL_shutdown\fR\|(3), \&\fBSSL_state_string\fR\|(3), \&\fBSSL_want\fR\|(3), \&\fBSSL_write_ex\fR\|(3), \&\fBSSL_write\fR\|(3), \&\fBSSL_SESSION_free\fR\|(3), \&\fBSSL_SESSION_get_time\fR\|(3), \&\fBd2i_SSL_SESSION\fR\|(3), \&\fBSSL_CTX_set_psk_client_callback\fR\|(3), \&\fBSSL_CTX_use_psk_identity_hint\fR\|(3), \&\fBSSL_get_psk_identity\fR\|(3), \&\fBDTLSv1_listen\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" \&\fBSSLv2_client_method\fR, \fBSSLv2_server_method\fR and \fBSSLv2_method\fR were removed in OpenSSL 1.1.0. .PP The return type of \fBSSL_copy_session_id\fR was changed from void to int in OpenSSL 1.1.0. .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). 
You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!ԬA{{crypto.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). 
.\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "CRYPTO 7" .TH CRYPTO 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. 
.if n .ad l .nh .SH "NAME" crypto \- OpenSSL cryptographic library .SH "SYNOPSIS" .IX Header "SYNOPSIS" See the individual manual pages for details. .SH "DESCRIPTION" .IX Header "DESCRIPTION" The OpenSSL \fBcrypto\fR library implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of \s-1SSL, TLS\s0 and S/MIME, and they have also been used to implement \s-1SSH,\s0 OpenPGP, and other cryptographic standards. .PP \&\fBlibcrypto\fR consists of a number of sub-libraries that implement the individual algorithms. .PP The functionality includes symmetric encryption, public key cryptography and key agreement, certificate handling, cryptographic hash functions, a cryptographic pseudo-random number generator, and various utilities. .SH "NOTES" .IX Header "NOTES" Some of the newer functions follow a naming convention using the numbers \&\fB0\fR and \fB1\fR. For example the functions: .PP .Vb 2 \& int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); \& int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj); .Ve .PP The \fB0\fR version uses the supplied structure pointer directly in the parent and it will be freed up when the parent is freed. In the above example the caller would free \fBcrl\fR but must not free \fBrev\fR separately, because freeing \fBcrl\fR also frees \fBrev\fR; freeing it again would be a double free. .PP The \fB1\fR function uses a copy of the supplied structure pointer (or in some cases increases its link count) in the parent and so both (\fBx\fR and \fBobj\fR above) should be freed up by the caller. .SH "RETURN VALUES" .IX Header "RETURN VALUES" See the individual manual pages for details. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBopenssl\fR\|(1), \fBssl\fR\|(7) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. 
You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!  Ed25519.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . 
\" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "ED25519 7" .TH ED25519 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. 
.if n .ad l .nh .SH "NAME" Ed25519, Ed448 \&\- EVP_PKEY Ed25519 and Ed448 support .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBEd25519\fR and \fBEd448\fR \s-1EVP_PKEY\s0 implementation supports key generation, one-shot digest sign and digest verify using PureEdDSA and \fBEd25519\fR or \fBEd448\fR (see \s-1RFC8032\s0). It has associated private and public key formats compatible with \&\s-1RFC 8410.\s0 .PP No additional parameters can be set during key generation, one-shot signing or verification. In particular, because PureEdDSA is used, a digest must \fB\s-1NOT\s0\fR be specified when signing or verifying. .SH "NOTES" .IX Header "NOTES" The PureEdDSA algorithm does not support the streaming mechanism of other signature algorithms using, for example, \fBEVP_DigestUpdate()\fR. The message to sign or verify must be passed using the one-shot \&\fBEVP_DigestSign()\fR and \fBEVP_DigestVerify()\fR functions. .PP When calling \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR, the digest \fBtype\fR parameter \fB\s-1MUST\s0\fR be set to \fB\s-1NULL\s0\fR. .PP Applications wishing to sign certificates (or other structures such as CRLs or certificate requests) using Ed25519 or Ed448 can either use \fBX509_sign()\fR or \fBX509_sign_ctx()\fR in the usual way. .PP A context for the \fBEd25519\fR algorithm can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL); .Ve .PP For the \fBEd448\fR algorithm a context can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED448, NULL); .Ve .PP Ed25519 or Ed448 private keys can be set directly using \&\fBEVP_PKEY_new_raw_private_key\fR\|(3) or loaded from a PKCS#8 private key file using \fBPEM_read_bio_PrivateKey\fR\|(3) (or similar function). Completely new keys can also be generated (see the example below). Setting a private key also sets the associated public key. 
.PP Ed25519 or Ed448 public keys can be set directly using \&\fBEVP_PKEY_new_raw_public_key\fR\|(3) or loaded from a SubjectPublicKeyInfo structure in a \s-1PEM\s0 file using \fBPEM_read_bio_PUBKEY\fR\|(3) (or similar function). .PP Ed25519 and Ed448 can be tested within the \fBspeed\fR\|(1) application since version 1.1.1. Valid algorithm names are \fBed25519\fR, \fBed448\fR and \fBeddsa\fR. If \fBeddsa\fR is specified, then both Ed25519 and Ed448 are benchmarked. .SH "EXAMPLES" .IX Header "EXAMPLES" This example generates an \fB\s-1ED25519\s0\fR private key and writes it to standard output in \s-1PEM\s0 format. Return values are not checked here for brevity; real code should check each call before using or writing the key. Note also that the key is written unencrypted, because no cipher is passed to \fBPEM_write_PrivateKey()\fR: .PP .Vb 9 \& #include <openssl/evp.h> \& #include <openssl/pem.h> \& ... \& EVP_PKEY *pkey = NULL; \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL); \& EVP_PKEY_keygen_init(pctx); \& EVP_PKEY_keygen(pctx, &pkey); \& EVP_PKEY_CTX_free(pctx); \& PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL); .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_CTX_new\fR\|(3), \&\fBEVP_PKEY_keygen\fR\|(3), \&\fBEVP_DigestSignInit\fR\|(3), \&\fBEVP_DigestVerifyInit\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!sbio.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. 
Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "BIO 7" .TH BIO 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" bio \- Basic I/O abstraction .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" A \s-1BIO\s0 is an I/O abstraction, it hides many of the underlying I/O details from an application. If an application uses a \s-1BIO\s0 for its I/O it can transparently handle \s-1SSL\s0 connections, unencrypted network connections and file I/O. .PP There are two type of \s-1BIO,\s0 a source/sink \s-1BIO\s0 and a filter \s-1BIO.\s0 .PP As its name implies a source/sink \s-1BIO\s0 is a source and/or sink of data, examples include a socket \s-1BIO\s0 and a file \s-1BIO.\s0 .PP A filter \s-1BIO\s0 takes data from one \s-1BIO\s0 and passes it through to another, or the application. 
The data may be left unmodified (for example a message digest \s-1BIO\s0) or translated (for example an encryption \s-1BIO\s0). The effect of a filter \s-1BIO\s0 may change according to the I/O operation it is performing: for example an encryption \&\s-1BIO\s0 will encrypt data if it is being written to and decrypt data if it is being read from. .PP BIOs can be joined together to form a chain (a single \s-1BIO\s0 is a chain with one component). A chain normally consists of one source/sink \&\s-1BIO\s0 and one or more filter BIOs. Data read from or written to the first \s-1BIO\s0 then traverses the chain to the end (normally a source/sink \&\s-1BIO\s0). .PP Some BIOs (such as memory BIOs) can be used immediately after calling \&\fBBIO_new()\fR. Others (such as file BIOs) need some additional initialization, and frequently a utility function exists to create and initialize such BIOs. .PP If \fBBIO_free()\fR is called on a \s-1BIO\s0 chain it will only free one \s-1BIO\s0, resulting in a memory leak; use \fBBIO_free_all()\fR to free the whole chain. .PP Calling \fBBIO_free_all()\fR on a single \s-1BIO\s0 has the same effect as calling \&\fBBIO_free()\fR on it other than the discarded return value. 
.PP Normally the \fBtype\fR argument is supplied by a function which returns a pointer to a \s-1BIO_METHOD.\s0 There is a naming convention for such functions: a source/sink \s-1BIO\s0 is normally called BIO_s_*() and a filter \s-1BIO\s0 BIO_f_*(); .SH "EXAMPLES" .IX Header "EXAMPLES" Create a memory \s-1BIO:\s0 .PP .Vb 1 \& BIO *mem = BIO_new(BIO_s_mem()); .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBBIO_ctrl\fR\|(3), \&\fBBIO_f_base64\fR\|(3), \fBBIO_f_buffer\fR\|(3), \&\fBBIO_f_cipher\fR\|(3), \fBBIO_f_md\fR\|(3), \&\fBBIO_f_null\fR\|(3), \fBBIO_f_ssl\fR\|(3), \&\fBBIO_find_type\fR\|(3), \fBBIO_new\fR\|(3), \&\fBBIO_new_bio_pair\fR\|(3), \&\fBBIO_push\fR\|(3), \fBBIO_read_ex\fR\|(3), \&\fBBIO_s_accept\fR\|(3), \fBBIO_s_bio\fR\|(3), \&\fBBIO_s_connect\fR\|(3), \fBBIO_s_fd\fR\|(3), \&\fBBIO_s_file\fR\|(3), \fBBIO_s_mem\fR\|(3), \&\fBBIO_s_null\fR\|(3), \fBBIO_s_socket\fR\|(3), \&\fBBIO_set_callback\fR\|(3), \&\fBBIO_should_retry\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!Z ossl_store.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. 
\*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "OSSL_STORE 7" .TH OSSL_STORE 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" ossl_store \- Store retrieval functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" #include .SH "DESCRIPTION" .IX Header "DESCRIPTION" .SS "General" .IX Subsection "General" A \s-1STORE\s0 is a layer of functionality to retrieve a number of supported objects from a repository of any kind, addressable as a filename or as a \s-1URI.\s0 .PP The functionality supports the pattern \*(L"open a channel to the repository\*(R", \*(L"loop and retrieve one object at a time\*(R", and \*(L"finish up by closing the channel\*(R". .PP The retrieved objects are returned as a wrapper type \fB\s-1OSSL_STORE_INFO\s0\fR, from which an OpenSSL type can be retrieved. 
.SS "\s-1URI\s0 schemes and loaders" .IX Subsection "URI schemes and loaders" Support for a \s-1URI\s0 scheme is called a \s-1STORE\s0 \*(L"loader\*(R", and can be added dynamically from the calling application or from a loadable engine. .PP Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. See \fBossl_store\-file\fR\|(7) for more information. .SS "\s-1UI_METHOD\s0 and pass phrases" .IX Subsection "UI_METHOD and pass phrases" The \fB\s-1OSSL_STORE\s0\fR \s-1API\s0 does nothing to enforce any specific format or encoding on the pass phrase that the \fB\s-1UI_METHOD\s0\fR provides. However, the pass phrase is expected to be \s-1UTF\-8\s0 encoded. The result of any other encoding is undefined. .SH "EXAMPLES" .IX Header "EXAMPLES" .SS "A generic call" .IX Subsection "A generic call" .Vb 1 \& OSSL_STORE_CTX *ctx = OSSL_STORE_open("file:/foo/bar/data.pem"); \& \& /* \& * OSSL_STORE_eof() simulates file semantics for any repository to signal \& * that no more data can be expected \& */ \& while (!OSSL_STORE_eof(ctx)) { \& OSSL_STORE_INFO *info = OSSL_STORE_load(ctx); \& \& /* \& * Do whatever is necessary with the OSSL_STORE_INFO, \& * here just one example \& */ \& switch (OSSL_STORE_INFO_get_type(info)) { \& case OSSL_STORE_INFO_CERT: \& /* Print the X.509 certificate text */ \& X509_print_fp(stdout, OSSL_STORE_INFO_get0_CERT(info)); \& /* Print the X.509 certificate PEM output */ \& PEM_write_X509(stdout, OSSL_STORE_INFO_get0_CERT(info)); \& break; \& } \& } \& \& OSSL_STORE_close(ctx); .Ve .PP The example omits error handling for brevity. \fBOSSL_STORE_open()\fR and \fBOSSL_STORE_load()\fR can both return \s-1NULL,\s0 so real code must check \fBctx\fR and \fBinfo\fR before using them. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\s-1\fBOSSL_STORE_INFO\s0\fR\|(3), \s-1\fBOSSL_STORE_LOADER\s0\fR\|(3), \&\fBOSSL_STORE_open\fR\|(3), \fBOSSL_STORE_expect\fR\|(3), \&\s-1\fBOSSL_STORE_SEARCH\s0\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. 
You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!7 yCyCproxy-certificates.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. 
No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "PROXY-CERTIFICATES 7" .TH PROXY-CERTIFICATES 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. 
.if n .ad l .nh .SH "NAME" proxy\-certificates \- Proxy certificates in OpenSSL .SH "DESCRIPTION" .IX Header "DESCRIPTION" Proxy certificates are defined in \s-1RFC 3820.\s0 They are used to extend rights to some other entity (a computer process, typically, or sometimes to the user itself). This allows the entity to perform operations on behalf of the owner of the \s-1EE\s0 (End Entity) certificate. .PP The requirements for a valid proxy certificate are: .IP "\(bu" 4 They are issued by an End Entity, either a normal \s-1EE\s0 certificate, or another proxy certificate. .IP "\(bu" 4 They must not have the \fBsubjectAltName\fR or \fBissuerAltName\fR extensions. .IP "\(bu" 4 They must have the \fBproxyCertInfo\fR extension. .IP "\(bu" 4 They must have the subject of their issuer, with one \fBcommonName\fR added. .SS "Enabling proxy certificate verification" .IX Subsection "Enabling proxy certificate verification" OpenSSL expects applications that want to use proxy certificates to be specially aware of them, and make that explicit. This is done by setting an X509 verification flag: .PP .Vb 1 \& X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); .Ve .PP or .PP .Vb 1 \& X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_ALLOW_PROXY_CERTS); .Ve .PP See \*(L"\s-1NOTES\*(R"\s0 for a discussion on this requirement. .SS "Creating proxy certificates" .IX Subsection "Creating proxy certificates" Creating proxy certificates can be done using the \fBopenssl\-x509\fR\|(1) command, with some extra extensions: .PP .Vb 3 \& [ v3_proxy ] \& # A proxy certificate MUST NEVER be a CA certificate. 
\& basicConstraints=CA:FALSE \& \& # Usual authority key ID \& authorityKeyIdentifier=keyid,issuer:always \& \& # The extension which marks this certificate as a proxy \& proxyCertInfo=critical,language:id\-ppl\-anyLanguage,pathlen:1,policy:text:AB .Ve .PP It's also possible to specify the proxy extension in a separate section: .PP .Vb 1 \& proxyCertInfo=critical,@proxy_ext \& \& [ proxy_ext ] \& language=id\-ppl\-anyLanguage \& pathlen=0 \& policy=text:BC .Ve .PP The policy value has a specific syntax, \fIsyntag\fR:\fIstring\fR, where the \&\fIsyntag\fR determines what will be done with the string. The following \&\fIsyntag\fRs are recognised: .IP "\fBtext\fR" 4 .IX Item "text" indicates that the string is a byte sequence, without any encoding: .Sp .Vb 1 \& policy=text:ra\*:ksmo\*:rga\*os .Ve .IP "\fBhex\fR" 4 .IX Item "hex" indicates that the string is hexadecimal encoded binary data, with colons between each byte (every second hex digit): .Sp .Vb 1 \& policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73 .Ve .IP "\fBfile\fR" 4 .IX Item "file" indicates that the text of the policy should be taken from a file. The string is then a filename. This is useful for policies that are large (more than a few lines, e.g. \s-1XML\s0 documents). .PP \&\fI\s-1NOTE:\s0 The proxy policy value is what determines the rights granted to the process during the proxy certificate. 
It's up to the application to interpret and combine these policies.\fR .PP With a proxy extension, creating a proxy certificate is a matter of two commands: .PP .Vb 3 \& openssl req \-new \-config proxy.cnf \e \& \-out proxy.req \-keyout proxy.key \e \& \-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1" \& \& openssl x509 \-req \-CAcreateserial \-in proxy.req \-out proxy.crt \e \& \-CA user.crt \-CAkey user.key \-days 7 \e \& \-extfile proxy.cnf \-extensions v3_proxy1 .Ve .PP You can also create a proxy certificate using another proxy certificate as issuer (note: using a different configuration section for the proxy extensions): .PP .Vb 3 \& openssl req \-new \-config proxy.cnf \e \& \-out proxy2.req \-keyout proxy2.key \e \& \-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2" \& \& openssl x509 \-req \-CAcreateserial \-in proxy2.req \-out proxy2.crt \e \& \-CA proxy.crt \-CAkey proxy.key \-days 7 \e \& \-extfile proxy.cnf \-extensions v3_proxy2 .Ve .SS "Using proxy certs in applications" .IX Subsection "Using proxy certs in applications" To interpret proxy policies, the application would normally start with some default rights (perhaps none at all), then compute the resulting rights by checking the rights against the chain of proxy certificates, user certificate and \s-1CA\s0 certificates. .PP The complicated part is figuring out how to pass data between your application and the certificate validation procedure. .PP The following ingredients are needed for such processing: .IP "\(bu" 4 a callback function that will be called for every certificate being validated. The callback is called several times for each certificate, so you must be careful to do the proxy policy interpretation at the right time. You also need to fill in the defaults when the \s-1EE\s0 certificate is checked. .IP "\(bu" 4 a data structure that is shared between your application code and the callback. .IP "\(bu" 4 a wrapper function that sets it all up. 
.IP "\(bu" 4 an ex_data index function that creates an index into the generic ex_data store that is attached to an X509 validation context. .PP The following skeleton code can be used as a starting point: .PP .Vb 4 \& #include \& #include \& #include \& #include \& \& #define total_rights 25 \& \& /* \& * In this example, I will use a view of granted rights as a bit \& * array, one bit for each possible right. \& */ \& typedef struct your_rights { \& unsigned char rights[(total_rights + 7) / 8]; \& } YOUR_RIGHTS; \& \& /* \& * The following procedure will create an index for the ex_data \& * store in the X509 validation context the first time it\*(Aqs \& * called. Subsequent calls will return the same index. \& */ \& static int get_proxy_auth_ex_data_idx(X509_STORE_CTX *ctx) \& { \& static volatile int idx = \-1; \& \& if (idx < 0) { \& X509_STORE_lock(X509_STORE_CTX_get0_store(ctx)); \& if (idx < 0) { \& idx = X509_STORE_CTX_get_ex_new_index(0, \& "for verify callback", \& NULL,NULL,NULL); \& } \& X509_STORE_unlock(X509_STORE_CTX_get0_store(ctx)); \& } \& return idx; \& } \& \& /* Callback to be given to the X509 validation procedure. */ \& static int verify_callback(int ok, X509_STORE_CTX *ctx) \& { \& if (ok == 1) { \& /* \& * It\*(Aqs REALLY important you keep the proxy policy check \& * within this section. It\*(Aqs important to know that when \& * ok is 1, the certificates are checked from top to \& * bottom. You get the CA root first, followed by the \& * possible chain of intermediate CAs, followed by the EE \& * certificate, followed by the possible proxy \& * certificates. 
\& */ \& X509 *xs = X509_STORE_CTX_get_current_cert(ctx); \& \& if (X509_get_extension_flags(xs) & EXFLAG_PROXY) { \& YOUR_RIGHTS *rights = \& (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx, \& get_proxy_auth_ex_data_idx(ctx)); \& PROXY_CERT_INFO_EXTENSION *pci = \& X509_get_ext_d2i(xs, NID_proxyCertInfo, NULL, NULL); \& \& switch (OBJ_obj2nid(pci\->proxyPolicy\->policyLanguage)) { \& case NID_Independent: \& /* \& * Do whatever you need to grant explicit rights \& * to this particular proxy certificate, usually \& * by pulling them from some database. If there \& * are none to be found, clear all rights (making \& * this and any subsequent proxy certificate void \& * of any rights). \& */ \& memset(rights\->rights, 0, sizeof(rights\->rights)); \& break; \& case NID_id_ppl_inheritAll: \& /* \& * This is basically a NOP, we simply let the \& * current rights stand as they are. \& */ \& break; \& default: \& /* \& * This is usually the most complex section of \& * code. You really do whatever you want as long \& * as you follow RFC 3820. In the example we use \& * here, the simplest thing to do is to build \& * another, temporary bit array and fill it with \& * the rights granted by the current proxy \& * certificate, then use it as a mask on the \& * accumulated rights bit array, and voila\*`, you \& * now have a new accumulated rights bit array. \& */ \& { \& int i; \& YOUR_RIGHTS tmp_rights; \& memset(tmp_rights.rights, 0, \& sizeof(tmp_rights.rights)); \& \& /* \& * process_rights() is supposed to be a \& * procedure that takes a string and its \& * length, interprets it and sets the bits \& * in the YOUR_RIGHTS pointed at by the \& * third argument. 
\& */ \& process_rights((char *) pci\->proxyPolicy\->policy\->data, \& pci\->proxyPolicy\->policy\->length, \& &tmp_rights); \& \& for(i = 0; i < total_rights / 8; i++) \& rights\->rights[i] &= tmp_rights.rights[i]; \& } \& break; \& } \& PROXY_CERT_INFO_EXTENSION_free(pci); \& } else if (!(X509_get_extension_flags(xs) & EXFLAG_CA)) { \& /* We have an EE certificate, let\*(Aqs use it to set default! */ \& YOUR_RIGHTS *rights = \& (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx, \& get_proxy_auth_ex_data_idx(ctx)); \& \& /* \& * The following procedure finds out what rights the \& * owner of the current certificate has, and sets them \& * in the YOUR_RIGHTS structure pointed at by the \& * second argument. \& */ \& set_default_rights(xs, rights); \& } \& } \& return ok; \& } \& \& static int my_X509_verify_cert(X509_STORE_CTX *ctx, \& YOUR_RIGHTS *needed_rights) \& { \& int ok; \& int (*save_verify_cb)(int ok,X509_STORE_CTX *ctx) = \& X509_STORE_CTX_get_verify_cb(ctx); \& YOUR_RIGHTS rights; \& \& X509_STORE_CTX_set_verify_cb(ctx, verify_callback); \& X509_STORE_CTX_set_ex_data(ctx, get_proxy_auth_ex_data_idx(ctx), \& &rights); \& X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); \& ok = X509_verify_cert(ctx); \& \& if (ok == 1) { \& ok = check_needed_rights(rights, needed_rights); \& } \& \& X509_STORE_CTX_set_verify_cb(ctx, save_verify_cb); \& \& return ok; \& } .Ve .PP Note that the masking loop in the default case runs over total_rights / 8 bytes, while the rights array holds (total_rights + 7) / 8 bytes. With total_rights set to 25 the last byte is never masked, so any right stored there passes through a proxy certificate unrestricted; a real implementation should mask every byte, for example by looping up to sizeof(rights\->rights). The result of \fBX509_get_ext_d2i()\fR should also be checked for \s-1NULL\s0 before it is dereferenced. .PP If you use \s-1SSL\s0 or \s-1TLS,\s0 you can easily set up a callback to have the certificates checked properly, using the code above: .PP .Vb 2 \& SSL_CTX_set_cert_verify_callback(s_ctx, my_X509_verify_cert, \& &needed_rights); .Ve .SH "NOTES" .IX Header "NOTES" To this date, it seems that proxy certificates have only been used in environments that are aware of them, and no one seems to have investigated how they can be used or misused outside of such an environment. .PP For that reason, OpenSSL requires that applications aware of proxy certificates must also make that explicit. 
.PP \&\fBsubjectAltName\fR and \fBissuerAltName\fR are forbidden in proxy certificates, and this is enforced in OpenSSL. The subject must be the same as the issuer, with one commonName added on. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBX509_STORE_CTX_set_flags\fR\|(3), \&\fBX509_STORE_CTX_set_verify_cb\fR\|(3), \&\fBX509_VERIFY_PARAM_set_flags\fR\|(3), \&\fBSSL_CTX_set_cert_verify_callback\fR\|(3), \&\fBopenssl\-req\fR\|(1), \fBopenssl\-x509\fR\|(1), \&\s-1RFC 3820\s0 .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!GCCX25519.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . 
ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "X25519 7" .TH X25519 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" X25519, X448 \&\- EVP_PKEY X25519 and X448 support .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBX25519\fR and \fBX448\fR \s-1EVP_PKEY\s0 implementation supports key generation and key derivation using \fBX25519\fR and \fBX448\fR. It has associated private and public key formats compatible with \s-1RFC 8410.\s0 .PP No additional parameters can be set during key generation. .PP The peer public key must be set using \fBEVP_PKEY_derive_set_peer()\fR when performing key derivation. .SH "NOTES" .IX Header "NOTES" A context for the \fBX25519\fR algorithm can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL); .Ve .PP For the \fBX448\fR algorithm a context can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL); .Ve .PP X25519 or X448 private keys can be set directly using \&\fBEVP_PKEY_new_raw_private_key\fR\|(3) or loaded from a PKCS#8 private key file using \fBPEM_read_bio_PrivateKey\fR\|(3) (or similar function). Completely new keys can also be generated (see the example below). Setting a private key also sets the associated public key. 
.PP X25519 or X448 public keys can be set directly using \&\fBEVP_PKEY_new_raw_public_key\fR\|(3) or loaded from a SubjectPublicKeyInfo structure in a \s-1PEM\s0 file using \fBPEM_read_bio_PUBKEY\fR\|(3) (or similar function). .SH "EXAMPLES" .IX Header "EXAMPLES" This example generates an \fBX25519\fR private key and writes it to standard output in \s-1PEM\s0 format: .PP .Vb 9 \& #include \& #include \& ... \& EVP_PKEY *pkey = NULL; \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL); \& EVP_PKEY_keygen_init(pctx); \& EVP_PKEY_keygen(pctx, &pkey); \& EVP_PKEY_CTX_free(pctx); \& PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL); .Ve .PP The key derivation example in \fBEVP_PKEY_derive\fR\|(3) can be used with \&\fBX25519\fR and \fBX448\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_CTX_new\fR\|(3), \&\fBEVP_PKEY_keygen\fR\|(3), \&\fBEVP_PKEY_derive\fR\|(3), \&\fBEVP_PKEY_derive_set_peer\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!u|j  x509.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. 
\*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "X509 7" .TH X509 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" x509 \- X.509 certificate handling .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" An X.509 certificate is a structured grouping of information about an individual, a device, or anything one can imagine. An X.509 \s-1CRL\s0 (certificate revocation list) is a tool to help determine if a certificate is still valid. 
The exact definition of those can be found in the X.509 document from ITU-T, or in \s-1RFC3280\s0 from \s-1PKIX.\s0 In OpenSSL, the type X509 is used to express such a certificate, and the type X509_CRL is used to express a \s-1CRL.\s0 .PP A related structure is a certificate request, defined in PKCS#10 from \&\s-1RSA\s0 Security, Inc, also reflected in \s-1RFC2986.\s0 In OpenSSL, the type X509_REQ is used to express such a certificate request. .PP To handle some complex parts of a certificate, there are the types X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express a certificate attribute), X509_EXTENSION (to express a certificate extension) and a few more. .PP Finally, there's the supertype X509_INFO, which can contain a \s-1CRL,\s0 a certificate and a corresponding private key. .PP \&\fBX509_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_\fR\fI\s-1XXX\s0\fR functions handle X.509 certificates, with some exceptions, shown below. .PP \&\fBX509_CRL_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_CRL_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_CRL_\fR\fI\s-1XXX\s0\fR functions handle X.509 CRLs. .PP \&\fBX509_REQ_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_REQ_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_REQ_\fR\fI\s-1XXX\s0\fR functions handle PKCS#10 certificate requests. .PP \&\fBX509_NAME_\fR\fI\s-1XXX\s0\fR functions handle certificate names. .PP \&\fBX509_ATTRIBUTE_\fR\fI\s-1XXX\s0\fR functions handle certificate attributes. .PP \&\fBX509_EXTENSION_\fR\fI\s-1XXX\s0\fR functions handle certificate extensions. 
.SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBX509_NAME_ENTRY_get_object\fR\|(3), \&\fBX509_NAME_add_entry_by_txt\fR\|(3), \&\fBX509_NAME_add_entry_by_NID\fR\|(3), \&\fBX509_NAME_print_ex\fR\|(3), \&\fBX509_NAME_new\fR\|(3), \&\fBd2i_X509\fR\|(3), \&\fBd2i_X509_ALGOR\fR\|(3), \&\fBd2i_X509_CRL\fR\|(3), \&\fBd2i_X509_NAME\fR\|(3), \&\fBd2i_X509_REQ\fR\|(3), \&\fBd2i_X509_SIG\fR\|(3), \&\fBX509v3\fR\|(3), \&\fBcrypto\fR\|(7) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2003\-2021 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!pVDVD RAND_DRBG.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. 
.ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "RAND_DRBG 7" .TH RAND_DRBG 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" RAND_DRBG \- the deterministic random bit generator .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The default OpenSSL \s-1RAND\s0 method is based on the \s-1RAND_DRBG\s0 class, which implements a deterministic random bit generator (\s-1DRBG\s0). A \s-1DRBG\s0 is a certain type of cryptographically-secure pseudo-random number generator (\s-1CSPRNG\s0), which is described in [\s-1NIST SP 800\-90A\s0 Rev. 1]. .PP While the \s-1RAND API\s0 is the 'frontend' which is intended to be used by application developers for obtaining random bytes, the \s-1RAND_DRBG API\s0 serves as the 'backend', connecting the former with the operating systems's entropy sources and providing access to the \s-1DRBG\s0's configuration parameters. .SS "Disclaimer" .IX Subsection "Disclaimer" Unless you have very specific requirements for your random generator, it is in general not necessary to utilize the \s-1RAND_DRBG API\s0 directly. The usual way to obtain random bytes is to use \fBRAND_bytes\fR\|(3) or \&\fBRAND_priv_bytes\fR\|(3), see also \s-1\fBRAND\s0\fR\|(7). .SS "Typical Use Cases" .IX Subsection "Typical Use Cases" Typical examples for such special use cases are the following: .IP "\(bu" 2 You want to use your own private \s-1DRBG\s0 instances. 
Multiple \s-1DRBG\s0 instances which are accessed only by a single thread provide additional security (because their internal states are independent) and better scalability in multithreaded applications (because they don't need to be locked). .IP "\(bu" 2 You need to integrate a previously unsupported entropy source. .IP "\(bu" 2 You need to change the default settings of the standard OpenSSL \s-1RAND\s0 implementation to meet specific requirements. .SH "CHAINING" .IX Header "CHAINING" A \s-1DRBG\s0 instance can be used as the entropy source of another \s-1DRBG\s0 instance, provided it has itself access to a valid entropy source. The \s-1DRBG\s0 instance which acts as entropy source is called the \fIparent\fR \s-1DRBG,\s0 the other instance the \fIchild\fR \s-1DRBG.\s0 .PP This is called chaining. A chained \s-1DRBG\s0 instance is created by passing a pointer to the parent \s-1DRBG\s0 as argument to the \fBRAND_DRBG_new()\fR call. It is possible to create chains of more than two \s-1DRBG\s0 in a row. .SH "THE THREE SHARED DRBG INSTANCES" .IX Header "THE THREE SHARED DRBG INSTANCES" Currently, there are three shared \s-1DRBG\s0 instances, the <master>, <public>, and <private> \s-1DRBG.\s0 While the <master> \s-1DRBG\s0 is a single global instance, the <public> and <private> \&\s-1DRBG\s0 are created per thread and accessed through thread-local storage. .PP By default, the functions \fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3) use the thread-local <public> and <private> \s-1DRBG\s0 instance, respectively. .SS "The <master> \s-1DRBG\s0 instance" .IX Subsection "The <master> DRBG instance" The <master> \s-1DRBG\s0 is not used directly by the application, only for reseeding the other two \s-1DRBG\s0 instances. It reseeds itself by obtaining randomness either from os entropy sources or by consuming randomness which was added previously by \fBRAND_add\fR\|(3). .SS "The <public> \s-1DRBG\s0 instance" .IX Subsection "The <public> DRBG instance" This instance is used per default by \fBRAND_bytes\fR\|(3). 
.SS "The <private> \s-1DRBG\s0 instance" .IX Subsection "The <private> DRBG instance" This instance is used per default by \fBRAND_priv_bytes\fR\|(3). .SH "LOCKING" .IX Header "LOCKING" The <master> \s-1DRBG\s0 is intended to be accessed concurrently for reseeding by its child \s-1DRBG\s0 instances. The necessary locking is done internally. It is \fInot\fR thread-safe to access the <master> \s-1DRBG\s0 directly via the \&\s-1RAND_DRBG\s0 interface. The <public> and <private> \s-1DRBG\s0 are thread-local, i.e. there is an instance of each per thread. So they can safely be accessed without locking via the \s-1RAND_DRBG\s0 interface. .PP Pointers to these \s-1DRBG\s0 instances can be obtained using \&\fBRAND_DRBG_get0_master()\fR, \&\fBRAND_DRBG_get0_public()\fR, and \&\fBRAND_DRBG_get0_private()\fR, respectively. Note that it is not allowed to store a pointer to one of the thread-local \&\s-1DRBG\s0 instances in a variable or other memory location where it will be accessed and used by multiple threads. .PP All other \s-1DRBG\s0 instances created by an application don't support locking, because they are intended to be used by a single thread. Instead of accessing a single \s-1DRBG\s0 instance concurrently from different threads, it is recommended to instantiate a separate \s-1DRBG\s0 instance per thread. Using the <master> \s-1DRBG\s0 as entropy source for multiple \s-1DRBG\s0 instances on different threads is thread-safe, because the \s-1DRBG\s0 instance will lock the <master> \s-1DRBG\s0 automatically for obtaining random input. .SH "THE OVERALL PICTURE" .IX Header "THE OVERALL PICTURE" The following picture gives an overview over how the \s-1DRBG\s0 instances work together and are being used. 
.PP
.Vb 10
\&          +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\&          | os entropy sources |
\&          +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\&                     |
\&                     v               +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\&  RAND_add() ==> <master>          <\-| shared DRBG (with locking)  |
\&                   /   \e             +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\&                 /       \e                 +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\&         <public>         <private>     <\- | per\-thread DRBG instances |
\&             |                |            +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\&             v                v
\&       RAND_bytes()   RAND_priv_bytes()
\&             |                ^
\&             |                |
\&   +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+   +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\&   | general purpose  |   | used for secrets like session keys |
\&   | random generator |   | and private keys for certificates  |
\&   +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+   +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
.Ve
.PP
The usual way to obtain random bytes is to call RAND_bytes(...) or RAND_priv_bytes(...). These calls are roughly equivalent to calling RAND_DRBG_bytes(<public>, ...) and RAND_DRBG_bytes(<private>, ...), respectively. The method \fBRAND_DRBG_bytes\fR\|(3) is a convenience method wrapping the \fBRAND_DRBG_generate\fR\|(3) function, which serves the actual request for random data.
.SH "RESEEDING"
.IX Header "RESEEDING"
A \s-1DRBG\s0 instance seeds itself automatically, pulling random input from its entropy source. The entropy source can be either a trusted operating system entropy source, or another \s-1DRBG\s0 with access to such a source.
.PP
Automatic reseeding occurs after a predefined number of generate requests. The selection of the trusted entropy sources is configured at build time using the \-\-with\-rand\-seed option. The following sections explain the reseeding process in more detail.
.SS "Automatic Reseeding" .IX Subsection "Automatic Reseeding" Before satisfying a generate request (\fBRAND_DRBG_generate\fR\|(3)), the \s-1DRBG\s0 reseeds itself automatically, if one of the following conditions holds: .PP \&\- the \s-1DRBG\s0 was not instantiated (=seeded) yet or has been uninstantiated. .PP \&\- the number of generate requests since the last reseeding exceeds a certain threshold, the so called \fIreseed_interval\fR. This behaviour can be disabled by setting the \fIreseed_interval\fR to 0. .PP \&\- the time elapsed since the last reseeding exceeds a certain time interval, the so called \fIreseed_time_interval\fR. This can be disabled by setting the \fIreseed_time_interval\fR to 0. .PP \&\- the \s-1DRBG\s0 is in an error state. .PP \&\fBNote\fR: An error state is entered if the entropy source fails while the \s-1DRBG\s0 is seeding or reseeding. The last case ensures that the \s-1DRBG\s0 automatically recovers from the error as soon as the entropy source is available again. .SS "Manual Reseeding" .IX Subsection "Manual Reseeding" In addition to automatic reseeding, the caller can request an immediate reseeding of the \s-1DRBG\s0 with fresh entropy by setting the \&\fIprediction resistance\fR parameter to 1 when calling \fBRAND_DRBG_generate\fR\|(3). .PP The document [\s-1NIST SP 800\-90C\s0] describes prediction resistance requests in detail and imposes strict conditions on the entropy sources that are approved for providing prediction resistance. Since the default \s-1DRBG\s0 implementation does not have access to such an approved entropy source, a request for prediction resistance will currently always fail. 
In other words, prediction resistance is not yet supported by the \s-1DRBG.\s0 .PP For the three shared DRBGs (and only for these) there is another way to reseed them manually: If \fBRAND_add\fR\|(3) is called with a positive \fIrandomness\fR argument (or \fBRAND_seed\fR\|(3)), then this will immediately reseed the <master> \s-1DRBG.\s0 The <public> and <private> \s-1DRBG\s0 will detect this on their next generate call and reseed, pulling randomness from <master>. .PP The last feature has been added to support the common practice used with previous OpenSSL versions to call \fBRAND_add()\fR before calling \fBRAND_bytes()\fR. .SS "Entropy Input vs. Additional Data" .IX Subsection "Entropy Input vs. Additional Data" The \s-1DRBG\s0 distinguishes two different types of random input: \fIentropy\fR, which comes from a trusted source, and \fIadditional input\fR, which can optionally be added by the user and is considered untrusted. It is possible to add \fIadditional input\fR not only during reseeding, but also for every generate request. This is in fact done automatically by \fBRAND_DRBG_bytes\fR\|(3). .SS "Configuring the Random Seed Source" .IX Subsection "Configuring the Random Seed Source" In most cases OpenSSL will automatically choose a suitable seed source for automatically seeding and reseeding its \s-1DRBG.\s0 In some cases however, it will be necessary to explicitly specify a seed source during configuration, using the \-\-with\-rand\-seed option. For more information, see the \s-1INSTALL\s0 instructions. There are also operating systems where no seed source is available and automatic reseeding is disabled by default. .PP The following two sections describe the reseeding process of the master \&\s-1DRBG,\s0 depending on whether automatic reseeding is available or not. 
.SS "Reseeding the master \s-1DRBG\s0 with automatic seeding enabled" .IX Subsection "Reseeding the master DRBG with automatic seeding enabled" Calling \fBRAND_poll()\fR or \fBRAND_add()\fR is not necessary, because the \s-1DRBG\s0 pulls the necessary entropy from its source automatically. However, both calls are permitted, and do reseed the \s-1RNG.\s0 .PP \&\fBRAND_add()\fR can be used to add both kinds of random input, depending on the value of the \fBrandomness\fR argument: .IP "randomness == 0:" 4 .IX Item "randomness == 0:" The random bytes are mixed as additional input into the current state of the \s-1DRBG.\s0 Mixing in additional input is not considered a full reseeding, hence the reseed counter is not reset. .IP "randomness > 0:" 4 .IX Item "randomness > 0:" The random bytes are used as entropy input for a full reseeding (resp. reinstantiation) if the \s-1DRBG\s0 is instantiated (resp. uninstantiated or in an error state). The number of random bits required for reseeding is determined by the security strength of the \s-1DRBG.\s0 Currently it defaults to 256 bits (32 bytes). It is possible to provide less randomness than required. In this case the missing randomness will be obtained by pulling random input from the trusted entropy sources. .SS "Reseeding the master \s-1DRBG\s0 with automatic seeding disabled" .IX Subsection "Reseeding the master DRBG with automatic seeding disabled" Calling \fBRAND_poll()\fR will always fail. .PP \&\fBRAND_add()\fR needs to be called for initial seeding and periodic reseeding. At least 48 bytes (384 bits) of randomness have to be provided, otherwise the (re\-)seeding of the \s-1DRBG\s0 will fail. This corresponds to one and a half times the security strength of the \s-1DRBG.\s0 The extra half is used for the nonce during instantiation. .PP More precisely, the number of bytes needed for seeding depends on the \&\fIsecurity strength\fR of the \s-1DRBG,\s0 which is set to 256 bits by default. 
.SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBRAND_DRBG_bytes\fR\|(3), \&\fBRAND_DRBG_generate\fR\|(3), \&\fBRAND_DRBG_reseed\fR\|(3), \&\fBRAND_DRBG_get0_master\fR\|(3), \&\fBRAND_DRBG_get0_public\fR\|(3), \&\fBRAND_DRBG_get0_private\fR\|(3), \&\fBRAND_DRBG_set_reseed_interval\fR\|(3), \&\fBRAND_DRBG_set_reseed_time_interval\fR\|(3), \&\fBRAND_DRBG_set_reseed_defaults\fR\|(3), \&\s-1\fBRAND\s0\fR\|(7), .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!%CBct.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. 
.ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "CT 7" .TH CT 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" ct \- Certificate Transparency .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" This library implements Certificate Transparency (\s-1CT\s0) verification for \s-1TLS\s0 clients, as defined in \s-1RFC 6962.\s0 This verification can provide some confidence that a certificate has been publicly logged in a set of \s-1CT\s0 logs. .PP By default, these checks are disabled. They can be enabled using \&\fBSSL_CTX_enable_ct\fR\|(3) or \fBSSL_enable_ct\fR\|(3). .PP This library can also be used to parse and examine \s-1CT\s0 data structures, such as Signed Certificate Timestamps (SCTs), or to read a list of \s-1CT\s0 logs. There are functions for: \&\- decoding and encoding SCTs in \s-1DER\s0 and \s-1TLS\s0 wire format. \&\- printing SCTs. \&\- verifying the authenticity of SCTs. \&\- loading a \s-1CT\s0 log list from a \s-1CONF\s0 file. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBd2i_SCT_LIST\fR\|(3), \&\fBCTLOG_STORE_new\fR\|(3), \&\fBCTLOG_STORE_get0_log_by_id\fR\|(3), \&\fBSCT_new\fR\|(3), \&\fBSCT_print\fR\|(3), \&\fBSCT_validate\fR\|(3), \&\fBSCT_validate\fR\|(3), \&\fBCT_POLICY_EVAL_CTX_new\fR\|(3), \&\fBSSL_CTX_set_ct_validation_callback\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" The ct library was added in OpenSSL 1.1.0. 
.SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!"^**ossl_store-file.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . 
if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . 
ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "OSSL_STORE-FILE 7" .TH OSSL_STORE-FILE 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" ossl_store\-file \- The store 'file' scheme loader .SH "SYNOPSIS" .IX Header "SYNOPSIS" #include .SH "DESCRIPTION" .IX Header "DESCRIPTION" Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. Since files come in all kinds of formats and content types, the 'file' scheme has its own layer of functionality called \*(L"file handlers\*(R", which are used to try to decode diverse types of file contents. .PP In case a file is formatted as \s-1PEM,\s0 each called file handler receives the \s-1PEM\s0 name (everything following any '\f(CW\*(C`\-\-\-\-\-BEGIN \*(C'\fR') as well as possible \s-1PEM\s0 headers, together with the decoded \s-1PEM\s0 body. Since \s-1PEM\s0 formatted files can contain more than one object, the file handlers are called upon for each such object. .PP If the file isn't determined to be formatted as \s-1PEM,\s0 the content is loaded in raw form in its entirety and passed to the available file handlers as is, with no \s-1PEM\s0 name or headers. .PP Each file handler is expected to handle \s-1PEM\s0 and non-PEM content as appropriate. Some may refuse non-PEM content for the sake of determinism (for example, there are keys out in the wild that are represented as an \s-1ASN.1 OCTET STRING.\s0 In raw form, it's not easily possible to distinguish those from any other data coming as an \s-1ASN.1 OCTET STRING,\s0 so such keys would naturally be accepted as \s-1PEM\s0 files only). .SH "NOTES" .IX Header "NOTES" When needed, the 'file' scheme loader will require a pass phrase by using the \f(CW\*(C`UI_METHOD\*(C'\fR that was passed via \fBOSSL_STORE_open()\fR. 
This pass phrase is expected to be \s-1UTF\-8\s0 encoded, anything else will give an undefined result. The files made accessible through this loader are expected to be standard compliant with regards to pass phrase encoding. Files that aren't should be re-generated with a correctly encoded pass phrase. See \fBpassphrase\-encoding\fR\|(7) for more information. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBossl_store\fR\|(7), \fBpassphrase\-encoding\fR\|(7) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK! \ \ scrypt.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. 
.ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "SCRYPT 7" .TH SCRYPT 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" scrypt \- EVP_PKEY scrypt KDF support .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \s-1EVP_PKEY_SCRYPT\s0 algorithm implements the scrypt password based key derivation function, as described in \s-1RFC 7914.\s0 It is memory-hard in the sense that it deliberately requires a significant amount of \s-1RAM\s0 for efficient computation. The intention of this is to render brute forcing of passwords on systems that lack large amounts of main memory (such as GPUs or ASICs) computationally infeasible. .PP scrypt provides three work factors that can be customized: N, r and p. N, which has to be a positive power of two, is the general work factor and scales \s-1CPU\s0 time in an approximately linear fashion. r is the block size of the internally used hash function and p is the parallelization factor. Both r and p need to be greater than zero. The amount of \s-1RAM\s0 that scrypt requires for its computation is roughly (128 * N * r * p) bytes. .PP In the original paper of Colin Percival (\*(L"Stronger Key Derivation via Sequential Memory-Hard Functions\*(R", 2009), the suggested values that give a computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N = 2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for this computation is roughly 1 GiB. 
On a more recent \s-1CPU\s0 (Intel i7\-5930K at 3.5 GHz), this computation takes about 3 seconds. When N, r or p are not specified, they default to 1048576, 8, and 1, respectively. The amount of \s-1RAM\s0 that may be used by scrypt defaults to 1025 MiB. A derivation whose parameters would need more than this limit fails instead of allocating the memory; the limit can be changed with \fBEVP_PKEY_CTX_set_scrypt_maxmem_bytes\fR\|(3). .SH "NOTES" .IX Header "NOTES" A context for scrypt can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL); .Ve .PP The output length of an scrypt key derivation is specified via the length parameter to the \fBEVP_PKEY_derive\fR\|(3) function. .SH "EXAMPLES" .IX Header "EXAMPLES" This example derives a 64\-byte long test vector with scrypt, using the password \&\*(L"password\*(R", salt \*(L"NaCl\*(R" and N = 1024, r = 8, p = 16. These are test-vector parameters chosen so that the result can be compared with a known value; they cost far less to compute than the defaults described above and should not be copied as settings for protecting real passwords. .PP .Vb 2 \& EVP_PKEY_CTX *pctx; \& unsigned char out[64]; \& \& size_t outlen = sizeof(out); \& pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL); \& \& if (EVP_PKEY_derive_init(pctx) <= 0) { \& error("EVP_PKEY_derive_init"); \& } \& if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0) { \& error("EVP_PKEY_CTX_set1_pbe_pass"); \& } \& if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0) { \& error("EVP_PKEY_CTX_set1_scrypt_salt"); \& } \& if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0) { \& error("EVP_PKEY_CTX_set_scrypt_N"); \& } \& if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0) { \& error("EVP_PKEY_CTX_set_scrypt_r"); \& } \& if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0) { \& error("EVP_PKEY_CTX_set_scrypt_p"); \& } \& if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { \& error("EVP_PKEY_derive"); \& } \& \& { \& const unsigned char expected[sizeof(out)] = { \& 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00, \& 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe, \& 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30, \& 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62, \& 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88, \& 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda, \& 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d, \& 0x83, 0x60,
0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40 \& }; \& \& assert(!memcmp(out, expected, sizeof(out))); \& } \& \& EVP_PKEY_CTX_free(pctx); .Ve .SH "CONFORMING TO" .IX Header "CONFORMING TO" \&\s-1RFC 7914\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_CTX_set1_scrypt_salt\fR\|(3), \&\fBEVP_PKEY_CTX_set_scrypt_N\fR\|(3), \&\fBEVP_PKEY_CTX_set_scrypt_r\fR\|(3), \&\fBEVP_PKEY_CTX_set_scrypt_p\fR\|(3), \&\fBEVP_PKEY_CTX_set_scrypt_maxmem_bytes\fR\|(3), \&\fBEVP_PKEY_CTX_new\fR\|(3), \&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3), \&\fBEVP_PKEY_derive\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!g+Ko%o%evp.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . 
ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "EVP 7" .TH EVP 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" evp \- high\-level cryptographic functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \s-1EVP\s0 library provides a high-level interface to cryptographic functions. .PP The \fBEVP_Seal\fR\fI\s-1XXX\s0\fR and \fBEVP_Open\fR\fI\s-1XXX\s0\fR functions provide public key encryption and decryption to implement digital \*(L"envelopes\*(R". .PP The \fBEVP_DigestSign\fR\fI\s-1XXX\s0\fR and \&\fBEVP_DigestVerify\fR\fI\s-1XXX\s0\fR functions implement digital signatures and Message Authentication Codes (MACs). Also see the older \&\fBEVP_Sign\fR\fI\s-1XXX\s0\fR and \fBEVP_Verify\fR\fI\s-1XXX\s0\fR functions. .PP Symmetric encryption is available with the \fBEVP_Encrypt\fR\fI\s-1XXX\s0\fR functions. The \fBEVP_Digest\fR\fI\s-1XXX\s0\fR functions provide message digests. .PP The \fB\s-1EVP_PKEY\s0\fR\fI\s-1XXX\s0\fR functions provide a high-level interface to asymmetric algorithms. To create a new \s-1EVP_PKEY\s0 see \&\fBEVP_PKEY_new\fR\|(3). EVP_PKEYs can be associated with a private key of a particular algorithm by using the functions described on the \fBEVP_PKEY_set1_RSA\fR\|(3) page, or new keys can be generated using \fBEVP_PKEY_keygen\fR\|(3). 
EVP_PKEYs can be compared using \fBEVP_PKEY_cmp\fR\|(3), or printed using \&\fBEVP_PKEY_print_private\fR\|(3). .PP The \s-1EVP_PKEY\s0 functions support the full range of asymmetric algorithm operations: .IP "For key agreement see \fBEVP_PKEY_derive\fR\|(3)" 4 .IX Item "For key agreement see EVP_PKEY_derive" .PD 0 .IP "For signing and verifying see \fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify\fR\|(3) and \fBEVP_PKEY_verify_recover\fR\|(3). However, note that these functions do not perform a digest of the data to be signed. Therefore, normally you would use the \fBEVP_DigestSignInit\fR\|(3) functions for this purpose." 4 .IX Item "For signing and verifying see EVP_PKEY_sign, EVP_PKEY_verify and EVP_PKEY_verify_recover. However, note that these functions do not perform a digest of the data to be signed. Therefore, normally you would use the EVP_DigestSignInit functions for this purpose." .ie n .IP "For encryption and decryption see \fBEVP_PKEY_encrypt\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ""digital envelope"" using the \fBEVP_SealInit\fR\|(3) and \fBEVP_OpenInit\fR\|(3) functions." 4 .el .IP "For encryption and decryption see \fBEVP_PKEY_encrypt\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ``digital envelope'' using the \fBEVP_SealInit\fR\|(3) and \fBEVP_OpenInit\fR\|(3) functions." 4 .IX Item "For encryption and decryption see EVP_PKEY_encrypt and EVP_PKEY_decrypt respectively. However, note that these functions perform encryption and decryption only. 
As public key encryption is an expensive operation, normally you would wrap an encrypted message in a digital envelope using the EVP_SealInit and EVP_OpenInit functions." .PD .PP The \fBEVP_BytesToKey\fR\|(3) function provides some limited support for password based encryption. Careful selection of the parameters will provide a PKCS#5 \s-1PBKDF1\s0 compatible implementation. However, new applications should not typically use this (preferring, for example, \&\s-1PBKDF2\s0 from PKCS#5). .PP The \fBEVP_Encode\fR\fI\s-1XXX\s0\fR and \&\fBEVP_Decode\fR\fI\s-1XXX\s0\fR functions implement base 64 encoding and decoding. .PP All the symmetric algorithms (ciphers), digests and asymmetric algorithms (public key algorithms) can be replaced by \s-1ENGINE\s0 modules providing alternative implementations. If \s-1ENGINE\s0 implementations of ciphers or digests are registered as defaults, then the various \s-1EVP\s0 functions will automatically use those implementations in preference to built in software implementations. For more information, consult the \fBengine\fR\|(3) man page. .PP Although low-level algorithm specific functions exist for many algorithms their use is discouraged. They cannot be used with an \s-1ENGINE\s0 and \s-1ENGINE\s0 versions of new algorithms cannot be accessed using the low-level functions. Using them also makes code harder to adapt to new algorithms; some options are not cleanly supported at the low level, and some operations are more efficient using the high-level interface.
.SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_DigestInit\fR\|(3), \&\fBEVP_EncryptInit\fR\|(3), \&\fBEVP_OpenInit\fR\|(3), \&\fBEVP_SealInit\fR\|(3), \&\fBEVP_DigestSignInit\fR\|(3), \&\fBEVP_SignInit\fR\|(3), \&\fBEVP_VerifyInit\fR\|(3), \&\fBEVP_EncodeInit\fR\|(3), \&\fBEVP_PKEY_new\fR\|(3), \&\fBEVP_PKEY_set1_RSA\fR\|(3), \&\fBEVP_PKEY_keygen\fR\|(3), \&\fBEVP_PKEY_print_private\fR\|(3), \&\fBEVP_PKEY_decrypt\fR\|(3), \&\fBEVP_PKEY_encrypt\fR\|(3), \&\fBEVP_PKEY_sign\fR\|(3), \&\fBEVP_PKEY_verify\fR\|(3), \&\fBEVP_PKEY_verify_recover\fR\|(3), \&\fBEVP_PKEY_derive\fR\|(3), \&\fBEVP_BytesToKey\fR\|(3), \&\fBENGINE_by_id\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!RAND.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . 
ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "RAND 7" .TH RAND 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" RAND \&\- the OpenSSL random generator .SH "DESCRIPTION" .IX Header "DESCRIPTION" Random numbers are a vital part of cryptography, they are needed to provide unpredictability for tasks like key generation, creating salts, and many more. Software-based generators must be seeded with external randomness before they can be used as a cryptographically-secure pseudo-random number generator (\s-1CSPRNG\s0). The availability of common hardware with special instructions and modern operating systems, which may use items such as interrupt jitter and network packet timings, can be reasonable sources of seeding material. 
.PP OpenSSL comes with a default implementation of the \s-1RAND API\s0 which is based on the deterministic random bit generator (\s-1DRBG\s0) model as described in [\s-1NIST SP 800\-90A\s0 Rev. 1]. The default random generator will initialize automatically on first use and will be fully functional without having to be initialized ('seeded') explicitly. It seeds and reseeds itself automatically using trusted random sources provided by the operating system. .PP As a normal application developer, you do not have to worry about any details, just use \fBRAND_bytes\fR\|(3) to obtain random data. Having said that, there is one important rule to obey: Always check the error return value of \fBRAND_bytes\fR\|(3) and do not take randomness for granted. \fBRAND_bytes\fR\|(3) returns 1 on success; on any other return value the contents of the output buffer must not be used as random data. Although (re\-)seeding is automatic, it can fail because no trusted random source is available or the trusted source(s) temporarily fail to provide sufficient random seed material. In this case the \s-1CSPRNG\s0 enters an error state and ceases to provide output, until it is able to recover from the error by reseeding itself. For more details on reseeding and error recovery, see \s-1\fBRAND_DRBG\s0\fR\|(7). .PP For values that should remain secret, you can use \fBRAND_priv_bytes\fR\|(3) instead. This method does not provide 'better' randomness; it uses the same type of \s-1CSPRNG.\s0 The intention behind using a dedicated \s-1CSPRNG\s0 exclusively for private values is that none of its output should be visible to an attacker (as it would be if used, e.g., as a salt value), in order to reveal as little information as possible about its internal state, and that a compromise of the \*(L"public\*(R" \&\s-1CSPRNG\s0 instance will not affect the secrecy of these private values. .PP In the rare case where the default implementation does not satisfy your special requirements, there are two options: .IP "\(bu" 2 Replace the default \s-1RAND\s0 method by your own \s-1RAND\s0 method using \&\fBRAND_set_rand_method\fR\|(3).
.IP "\(bu" 2 Modify the default settings of the OpenSSL \s-1RAND\s0 method by modifying the security parameters of the underlying \s-1DRBG,\s0 which is described in detail in \s-1\fBRAND_DRBG\s0\fR\|(7). .PP Changing the default random generator or its default parameters should be necessary only in exceptional cases and is not recommended, unless you have a profound knowledge of cryptographic principles and understand the implications of your changes. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBRAND_add\fR\|(3), \&\fBRAND_bytes\fR\|(3), \&\fBRAND_priv_bytes\fR\|(3), \&\fBRAND_get_rand_method\fR\|(3), \&\fBRAND_set_rand_method\fR\|(3), \&\fBRAND_OpenSSL\fR\|(3), \&\s-1\fBRAND_DRBG\s0\fR\|(7) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2018\-2019 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!ed@.@.passphrase-encoding.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . 
if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "PASSPHRASE-ENCODING 7" .TH PASSPHRASE-ENCODING 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" passphrase\-encoding \&\- How diverse parts of OpenSSL treat pass phrases character encoding .SH "DESCRIPTION" .IX Header "DESCRIPTION" In a modern world with all sorts of character encodings, the treatment of pass phrases has become increasingly complex. This manual page attempts to give an overview over how this problem is currently addressed in different parts of the OpenSSL library. .SS "The general case" .IX Subsection "The general case" The OpenSSL library doesn't treat pass phrases in any special way as a general rule, and trusts the application or user to choose a suitable character set and stick to that throughout the lifetime of affected objects. 
This means that for an object that was encrypted using a pass phrase encoded in \&\s-1ISO\-8859\-1,\s0 that object needs to be decrypted using a pass phrase encoded in \&\s-1ISO\-8859\-1.\s0 Using the wrong encoding is expected to cause a decryption failure. .SS "PKCS#12" .IX Subsection "PKCS#12" PKCS#12 is a bit different regarding pass phrase encoding. The standard stipulates that the pass phrase shall be encoded as an \s-1ASN.1\s0 BMPString, which consists of the code points of the basic multilingual plane, encoded in big endian (\s-1UCS\-2 BE\s0). .PP OpenSSL tries to adapt to this requirement in one of the following ways: .IP "1." 4 Treats the received pass phrase as \s-1UTF\-8\s0 encoded and tries to re-encode it to \&\s-1UTF\-16\s0 (which is the same as \s-1UCS\-2\s0 for characters U+0000 to U+D7FF and U+E000 to U+FFFF, but becomes an expansion for any other character), or failing that, proceeds with step 2. .IP "2." 4 Assumes that the pass phrase is encoded in \s-1ASCII\s0 or \s-1ISO\-8859\-1\s0 and opportunistically prepends each byte with a zero byte to obtain the \s-1UCS\-2\s0 encoding of the characters, which it stores as a BMPString. .Sp Note that since there is no check of your locale, this may produce \s-1UCS\-2 / UTF\-16\s0 characters that do not correspond to the original pass phrase characters for other character sets, such as any \s-1ISO\-8859\-X\s0 encoding other than \&\s-1ISO\-8859\-1\s0 (or for Windows, \s-1CP 1252\s0 with the exception of the extra \*(L"graphical\*(R" characters in the 0x80\-0x9F range). .PP OpenSSL versions older than 1.1.0 do variant 2 only, and that is the reason why OpenSSL still does this, to be able to read files produced with older versions. .PP It should be noted that this approach isn't entirely fault free.
.PP A pass phrase encoded in \s-1ISO\-8859\-2\s0 could very well have a sequence such as 0xC3 0xAF (which is the two characters \*(L"\s-1LATIN CAPITAL LETTER A WITH BREVE\*(R"\s0 and \*(L"\s-1LATIN CAPITAL LETTER Z WITH DOT ABOVE\*(R"\s0 in \s-1ISO\-8859\-2\s0 encoding), but would be misinterpreted as the perfectly valid \s-1UTF\-8\s0 encoded code point U+00EF (\s-1LATIN SMALL LETTER I WITH DIAERESIS\s0) \fIif the pass phrase doesn't contain anything that would be invalid \s-1UTF\-8\s0\fR. A pass phrase that contains this kind of byte sequence will give a different outcome in OpenSSL 1.1.0 and newer than in OpenSSL older than 1.1.0. .PP .Vb 2 \& 0x00 0xC3 0x00 0xAF # OpenSSL older than 1.1.0 \& 0x00 0xEF # OpenSSL 1.1.0 and newer .Ve .PP On the same accord, anything encoded in \s-1UTF\-8\s0 that was given to OpenSSL older than 1.1.0 was misinterpreted as \s-1ISO\-8859\-1\s0 sequences. .SS "\s-1OSSL_STORE\s0" .IX Subsection "OSSL_STORE" \&\fBossl_store\fR\|(7) acts as a general interface to access all kinds of objects, potentially protected with a pass phrase, a \s-1PIN\s0 or something else. This \s-1API\s0 stipulates that pass phrases should be \s-1UTF\-8\s0 encoded, and that any other pass phrase encoding may give undefined results. This \s-1API\s0 relies on the application to ensure \s-1UTF\-8\s0 encoding, and doesn't check that this is the case, so what it gets, it will also pass to the underlying loader. .SH "RECOMMENDATIONS" .IX Header "RECOMMENDATIONS" This section assumes that you know what pass phrase was used for encryption, but that it may have been encoded in a different character encoding than the one used by your current input method. For example, the pass phrase may have been used at a time when your default encoding was \s-1ISO\-8859\-1\s0 (i.e. \*(L"nai\*:ve\*(R" resulting in the byte sequence 0x6E 0x61 0xEF 0x76 0x65), and you're now in an environment where your default encoding is \s-1UTF\-8\s0 (i.e. 
\*(L"nai\*:ve\*(R" resulting in the byte sequence 0x6E 0x61 0xC3 0xAF 0x76 0x65). Whenever it's mentioned that you should use a certain character encoding, it should be understood that you either change the input method to use the mentioned encoding when you type in your pass phrase, or use some suitable tool to convert your pass phrase from your default encoding to the target encoding. .PP Also note that the sub-sections below discuss human readable pass phrases. This is particularly relevant for PKCS#12 objects, where human readable pass phrases are assumed. For other objects, it's as legitimate to use any byte sequence (such as a sequence of bytes from `/dev/urandom` that's been saved away), which makes any character encoding discussion irrelevant; in such cases, simply use the same byte sequence as it is. .SS "Creating new objects" .IX Subsection "Creating new objects" For creating new pass phrase protected objects, make sure the pass phrase is encoded using \s-1UTF\-8.\s0 This is default on most modern Unixes, but may involve an effort on other platforms. Specifically for Windows, setting the environment variable \&\f(CW\*(C`OPENSSL_WIN32_UTF8\*(C'\fR will have anything entered on [Windows] console prompt converted to \s-1UTF\-8\s0 (command line and separately prompted pass phrases alike). .SS "Opening existing objects" .IX Subsection "Opening existing objects" For opening pass phrase protected objects where you know what character encoding was used for the encryption pass phrase, make sure to use the same encoding again. .PP For opening pass phrase protected objects where the character encoding that was used is unknown, or where the producing application is unknown, try one of the following: .IP "1." 4 Try the pass phrase that you have as it is in the character encoding of your environment. It's possible that its byte sequence is exactly right. .IP "2." 4 Convert the pass phrase to \s-1UTF\-8\s0 and try with the result. 
Specifically with PKCS#12, this should open up any object that was created according to the specification. .IP "3." 4 Do a nai\*:ve (i.e. purely mathematical) \s-1ISO\-8859\-1\s0 to \s-1UTF\-8\s0 conversion and try with the result. This differs from the previous attempt because \s-1ISO\-8859\-1\s0 maps directly to U+0000 to U+00FF, which other non\-UTF\-8 character sets do not. .Sp This also takes care of the case when a \s-1UTF\-8\s0 encoded string was used with OpenSSL older than 1.1.0. (for example, \f(CW\*(C`i\*:\*(C'\fR, which is 0xC3 0xAF when encoded in \s-1UTF\-8,\s0 would become 0xC3 0x83 0xC2 0xAF when re-encoded in the nai\*:ve manner. The conversion to BMPString would then yield 0x00 0xC3 0x00 0xA4 0x00 0x00, the erroneous/non\-compliant encoding used by OpenSSL older than 1.1.0) .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBevp\fR\|(7), \&\fBossl_store\fR\|(7), \&\fBEVP_BytesToKey\fR\|(3), \fBEVP_DecryptInit\fR\|(3), \&\fBPEM_do_header\fR\|(3), \&\fBPKCS12_parse\fR\|(3), \fBPKCS12_newpass\fR\|(3), \&\fBd2i_PKCS8PrivateKey_bio\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!5*wwSM2.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. 
Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "SM2 7" .TH SM2 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" SM2 \- Chinese SM2 signature and encryption algorithm support .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fB\s-1SM2\s0\fR algorithm was first defined by the Chinese national standard \s-1GM/T 0003\-2012\s0 and was later standardized by \s-1ISO\s0 as \s-1ISO/IEC 14888.\s0 \fB\s-1SM2\s0\fR is actually an elliptic curve based algorithm. The current implementation in OpenSSL supports both signature and encryption schemes via the \s-1EVP\s0 interface. .PP When doing the \fB\s-1SM2\s0\fR signature algorithm, it requires a distinguishing identifier to form the message prefix which is hashed before the real message is hashed. 
.SH "NOTES" .IX Header "NOTES" \&\fB\s-1SM2\s0\fR signatures can be generated by using the 'DigestSign' series of APIs, for instance, \fBEVP_DigestSignInit()\fR, \fBEVP_DigestSignUpdate()\fR and \fBEVP_DigestSignFinal()\fR. Ditto for the verification process by calling the 'DigestVerify' series of APIs. .PP There are several special steps that need to be done before computing an \fB\s-1SM2\s0\fR signature. .PP The \fB\s-1EVP_PKEY\s0\fR structure will default to using \s-1ECDSA\s0 for signatures when it is created. It should be set to \fB\s-1EVP_PKEY_SM2\s0\fR by calling: .PP .Vb 1 \& EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); .Ve .PP Then an \s-1ID\s0 should be set by calling: .PP .Vb 1 \& EVP_PKEY_CTX_set1_id(pctx, id, id_len); .Ve .PP When calling the \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR functions, a preallocated \fB\s-1EVP_PKEY_CTX\s0\fR should be assigned to the \fB\s-1EVP_MD_CTX\s0\fR. This is done by calling: .PP .Vb 1 \& EVP_MD_CTX_set_pkey_ctx(mctx, pctx); .Ve .PP And normally there is no need to pass a \fBpctx\fR parameter to \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR in such a scenario. .SH "EXAMPLES" .IX Header "EXAMPLES" This example demonstrates the calling sequence for using an \fB\s-1EVP_PKEY\s0\fR to verify a message with the \s-1SM2\s0 signature algorithm and the \s-1SM3\s0 hash algorithm: .PP .Vb 1 \& #include \& \& /* obtain an EVP_PKEY using whatever methods... 
*/ \& EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); \& mctx = EVP_MD_CTX_new(); \& pctx = EVP_PKEY_CTX_new(pkey, NULL); \& EVP_PKEY_CTX_set1_id(pctx, id, id_len); \& EVP_MD_CTX_set_pkey_ctx(mctx, pctx);; \& EVP_DigestVerifyInit(mctx, NULL, EVP_sm3(), NULL, pkey); \& EVP_DigestVerifyUpdate(mctx, msg, msg_len); \& EVP_DigestVerifyFinal(mctx, sig, sig_len) .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_CTX_new\fR\|(3), \&\fBEVP_PKEY_set_alias_type\fR\|(3), \&\fBEVP_DigestSignInit\fR\|(3), \&\fBEVP_DigestVerifyInit\fR\|(3), \&\fBEVP_PKEY_CTX_set1_id\fR\|(3), \&\fBEVP_MD_CTX_set_pkey_ctx\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!E5B-- RSA-PSS.7nu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . 
ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "RSA-PSS 7" .TH RSA-PSS 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" RSA\-PSS \- EVP_PKEY RSA\-PSS algorithm support .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBRSA-PSS\fR \s-1EVP_PKEY\s0 implementation is a restricted version of the \s-1RSA\s0 algorithm which only supports signing, verification and key generation using \s-1PSS\s0 padding modes with optional parameter restrictions. .PP It has associated private key and public key formats. .PP This algorithm shares several control operations with the \fB\s-1RSA\s0\fR algorithm but with some restrictions described below. 
.SS "Signing and Verification" .IX Subsection "Signing and Verification" Signing and verification is similar to the \fB\s-1RSA\s0\fR algorithm except the padding mode is always \s-1PSS.\s0 If the key in use has parameter restrictions then the corresponding signature parameters are set to the restrictions: for example, if the key can only be used with digest \s-1SHA256, MGF1 SHA256\s0 and minimum salt length 32 then the digest, \s-1MGF1\s0 digest and salt length will be set to \s-1SHA256, SHA256\s0 and 32 respectively. .SS "Key Generation" .IX Subsection "Key Generation" By default no parameter restrictions are placed on the generated key. .SH "NOTES" .IX Header "NOTES" The public key format is documented in \s-1RFC4055.\s0 .PP The PKCS#8 private key format used for RSA-PSS keys is similar to the \s-1RSA\s0 format except it uses the \fBid-RSASSA-PSS\fR \s-1OID\s0 and the parameters field, if present, restricts the key parameters in the same way as the public key. .SH "CONFORMING TO" .IX Header "CONFORMING TO" \&\s-1RFC 4055\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_md\fR\|(3), \&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md\fR\|(3), \&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_saltlen\fR\|(3), \&\fBEVP_PKEY_CTX_new\fR\|(3), \&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3), \&\fBEVP_PKEY_derive\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!OO Ed25519.htmlnu[ Ed25519

NAME

Ed25519, Ed448 - EVP_PKEY Ed25519 and Ed448 support

DESCRIPTION

The Ed25519 and Ed448 EVP_PKEY implementation supports key generation, one-shot digest sign and digest verify using PureEdDSA and Ed25519 or Ed448 (see RFC8032). It has associated private and public key formats compatible with RFC 8410.

No additional parameters can be set during key generation, one-shot signing or verification. In particular, because PureEdDSA is used, a digest must NOT be specified when signing or verifying.

NOTES

The PureEdDSA algorithm does not support the streaming mechanism of other signature algorithms using, for example, EVP_DigestUpdate(). The message to sign or verify must be passed using the one-shot EVP_DigestSign() and EVP_DigestVerify() functions.

When calling EVP_DigestSignInit() or EVP_DigestVerifyInit(), the digest type parameter MUST be set to NULL.

Applications wishing to sign certificates (or other structures such as CRLs or certificate requests) using Ed25519 or Ed448 can either use X509_sign() or X509_sign_ctx() in the usual way.

A context for the Ed25519 algorithm can be obtained by calling:

 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);

For the Ed448 algorithm a context can be obtained by calling:

 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED448, NULL);

Ed25519 or Ed448 private keys can be set directly using EVP_PKEY_new_raw_private_key(3) or loaded from a PKCS#8 private key file using PEM_read_bio_PrivateKey(3) (or similar function). Completely new keys can also be generated (see the example below). Setting a private key also sets the associated public key.

Ed25519 or Ed448 public keys can be set directly using EVP_PKEY_new_raw_public_key(3) or loaded from a SubjectPublicKeyInfo structure in a PEM file using PEM_read_bio_PUBKEY(3) (or similar function).

Ed25519 and Ed448 can be tested with the speed(1) application since version 1.1.1. Valid algorithm names are ed25519, ed448 and eddsa. If eddsa is specified, then both Ed25519 and Ed448 are benchmarked.

EXAMPLES

This example generates an ED25519 private key and writes it to standard output in PEM format:

 #include <openssl/evp.h>
 #include <openssl/pem.h>
 ...
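 /*
  * Generate an Ed25519 key pair and write the private key to standard
  * output in PEM format. Each call can fail, so its result is checked
  * before the next step relies on it.
  */
 EVP_PKEY *pkey = NULL;
 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL);

 /*
  * The cipher argument of PEM_write_PrivateKey() is NULL below, so the
  * PEM output is not passphrase-protected. Supply a cipher and a
  * passphrase when the key is written anywhere it must stay confidential.
  */
 if (pctx == NULL
         || EVP_PKEY_keygen_init(pctx) <= 0
         || EVP_PKEY_keygen(pctx, &pkey) <= 0) {
     /* Key generation failed: report the error and do not use pkey. */
 } else if (PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL) != 1) {
     /* Writing the key failed: report the error. */
 }
 EVP_PKEY_CTX_free(pctx);   /* a NULL argument is accepted */
 EVP_PKEY_free(pkey);       /* release the key once it is no longer needed */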

SEE ALSO

EVP_PKEY_CTX_new(3), EVP_PKEY_keygen(3), EVP_DigestSignInit(3), EVP_DigestVerifyInit(3),

COPYRIGHT

Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!^s92>2>RAND_DRBG.htmlnu[ RAND_DRBG

NAME

RAND_DRBG - the deterministic random bit generator

SYNOPSIS

 #include <openssl/rand_drbg.h>

DESCRIPTION

The default OpenSSL RAND method is based on the RAND_DRBG class, which implements a deterministic random bit generator (DRBG). A DRBG is a certain type of cryptographically-secure pseudo-random number generator (CSPRNG), which is described in [NIST SP 800-90A Rev. 1].

While the RAND API is the 'frontend' which is intended to be used by application developers for obtaining random bytes, the RAND_DRBG API serves as the 'backend', connecting the former with the operating system's entropy sources and providing access to the DRBG's configuration parameters.

Disclaimer

Unless you have very specific requirements for your random generator, it is in general not necessary to utilize the RAND_DRBG API directly. The usual way to obtain random bytes is to use RAND_bytes(3) or RAND_priv_bytes(3), see also RAND(7).

Typical Use Cases

Typical examples for such special use cases are the following:

  • You want to use your own private DRBG instances. Multiple DRBG instances which are accessed only by a single thread provide additional security (because their internal states are independent) and better scalability in multithreaded applications (because they don't need to be locked).

  • You need to integrate a previously unsupported entropy source.

  • You need to change the default settings of the standard OpenSSL RAND implementation to meet specific requirements.

CHAINING

A DRBG instance can be used as the entropy source of another DRBG instance, provided it has itself access to a valid entropy source. The DRBG instance which acts as entropy source is called the parent DRBG, the other instance the child DRBG.

This is called chaining. A chained DRBG instance is created by passing a pointer to the parent DRBG as argument to the RAND_DRBG_new() call. It is possible to create chains of more than two DRBG in a row.

THE THREE SHARED DRBG INSTANCES

Currently, there are three shared DRBG instances, the <master>, <public>, and <private> DRBG. While the <master> DRBG is a single global instance, the <public> and <private> DRBG are created per thread and accessed through thread-local storage.

By default, the functions RAND_bytes(3) and RAND_priv_bytes(3) use the thread-local <public> and <private> DRBG instance, respectively.

The <master> DRBG instance

The <master> DRBG is not used directly by the application, only for reseeding the other two DRBG instances. It reseeds itself by obtaining randomness either from OS entropy sources or by consuming randomness which was added previously by RAND_add(3).

The <public> DRBG instance

This instance is used per default by RAND_bytes(3).

The <private> DRBG instance

This instance is used per default by RAND_priv_bytes(3)

LOCKING

The <master> DRBG is intended to be accessed concurrently for reseeding by its child DRBG instances. The necessary locking is done internally. It is not thread-safe to access the <master> DRBG directly via the RAND_DRBG interface. The <public> and <private> DRBG are thread-local, i.e. there is an instance of each per thread. So they can safely be accessed without locking via the RAND_DRBG interface.

Pointers to these DRBG instances can be obtained using RAND_DRBG_get0_master(), RAND_DRBG_get0_public(), and RAND_DRBG_get0_private(), respectively. Note that it is not allowed to store a pointer to one of the thread-local DRBG instances in a variable or other memory location where it will be accessed and used by multiple threads.

All other DRBG instances created by an application don't support locking, because they are intended to be used by a single thread. Instead of accessing a single DRBG instance concurrently from different threads, it is recommended to instantiate a separate DRBG instance per thread. Using the <master> DRBG as entropy source for multiple DRBG instances on different threads is thread-safe, because the DRBG instance will lock the <master> DRBG automatically for obtaining random input.

THE OVERALL PICTURE

The following picture gives an overview over how the DRBG instances work together and are being used.

               +--------------------+
               | os entropy sources |
               +--------------------+
                        |
                        v           +-----------------------------+
      RAND_add() ==> <master>     <-| shared DRBG (with locking)  |
                      /   \         +-----------------------------+
                     /     \              +---------------------------+
              <public>     <private>   <- | per-thread DRBG instances |
                 |             |          +---------------------------+
                 v             v
               RAND_bytes()   RAND_priv_bytes()
                    |               ^
                    |               |
    +------------------+      +------------------------------------+
    | general purpose  |      | used for secrets like session keys |
    | random generator |      | and private keys for certificates  |
    +------------------+      +------------------------------------+

The usual way to obtain random bytes is to call RAND_bytes(...) or RAND_priv_bytes(...). These calls are roughly equivalent to calling RAND_DRBG_bytes(<public>, ...) and RAND_DRBG_bytes(<private>, ...), respectively. The method RAND_DRBG_bytes(3) is a convenience method wrapping the RAND_DRBG_generate(3) function, which serves the actual request for random data.

RESEEDING

A DRBG instance seeds itself automatically, pulling random input from its entropy source. The entropy source can be either a trusted operating system entropy source, or another DRBG with access to such a source.

Automatic reseeding occurs after a predefined number of generate requests. The selection of the trusted entropy sources is configured at build time using the --with-rand-seed option. The following sections explain the reseeding process in more detail.

Automatic Reseeding

Before satisfying a generate request (RAND_DRBG_generate(3)), the DRBG reseeds itself automatically, if one of the following conditions holds:

- the DRBG was not instantiated (=seeded) yet or has been uninstantiated.

- the number of generate requests since the last reseeding exceeds a certain threshold, the so called reseed_interval. This behaviour can be disabled by setting the reseed_interval to 0.

- the time elapsed since the last reseeding exceeds a certain time interval, the so called reseed_time_interval. This can be disabled by setting the reseed_time_interval to 0.

- the DRBG is in an error state.

Note: An error state is entered if the entropy source fails while the DRBG is seeding or reseeding. The last case ensures that the DRBG automatically recovers from the error as soon as the entropy source is available again.

Manual Reseeding

In addition to automatic reseeding, the caller can request an immediate reseeding of the DRBG with fresh entropy by setting the prediction resistance parameter to 1 when calling RAND_DRBG_generate(3).

The document [NIST SP 800-90C] describes prediction resistance requests in detail and imposes strict conditions on the entropy sources that are approved for providing prediction resistance. Since the default DRBG implementation does not have access to such an approved entropy source, a request for prediction resistance will currently always fail. In other words, prediction resistance is not yet supported by the DRBG.

For the three shared DRBGs (and only for these) there is another way to reseed them manually: If RAND_add(3) is called with a positive randomness argument (or RAND_seed(3)), then this will immediately reseed the <master> DRBG. The <public> and <private> DRBG will detect this on their next generate call and reseed, pulling randomness from <master>.

The last feature has been added to support the common practice used with previous OpenSSL versions to call RAND_add() before calling RAND_bytes().

Entropy Input vs. Additional Data

The DRBG distinguishes two different types of random input: entropy, which comes from a trusted source, and additional input, which can optionally be added by the user and is considered untrusted. It is possible to add additional input not only during reseeding, but also for every generate request. This is in fact done automatically by RAND_DRBG_bytes(3).

Configuring the Random Seed Source

In most cases OpenSSL will automatically choose a suitable seed source for automatically seeding and reseeding its <master> DRBG. In some cases however, it will be necessary to explicitly specify a seed source during configuration, using the --with-rand-seed option. For more information, see the INSTALL instructions. There are also operating systems where no seed source is available and automatic reseeding is disabled by default.

The following two sections describe the reseeding process of the master DRBG, depending on whether automatic reseeding is available or not.

Reseeding the master DRBG with automatic seeding enabled

Calling RAND_poll() or RAND_add() is not necessary, because the DRBG pulls the necessary entropy from its source automatically. However, both calls are permitted, and do reseed the RNG.

RAND_add() can be used to add both kinds of random input, depending on the value of the randomness argument:

randomness == 0:

The random bytes are mixed as additional input into the current state of the DRBG. Mixing in additional input is not considered a full reseeding, hence the reseed counter is not reset.

randomness > 0:

The random bytes are used as entropy input for a full reseeding (resp. reinstantiation) if the DRBG is instantiated (resp. uninstantiated or in an error state). The number of random bits required for reseeding is determined by the security strength of the DRBG. Currently it defaults to 256 bits (32 bytes). It is possible to provide less randomness than required. In this case the missing randomness will be obtained by pulling random input from the trusted entropy sources.

Reseeding the master DRBG with automatic seeding disabled

Calling RAND_poll() will always fail.

RAND_add() needs to be called for initial seeding and periodic reseeding. At least 48 bytes (384 bits) of randomness have to be provided, otherwise the (re-)seeding of the DRBG will fail. This corresponds to one and a half times the security strength of the DRBG. The extra half is used for the nonce during instantiation.

More precisely, the number of bytes needed for seeding depends on the security strength of the DRBG, which is set to 256 bits by default.

SEE ALSO

RAND_DRBG_bytes(3), RAND_DRBG_generate(3), RAND_DRBG_reseed(3), RAND_DRBG_get0_master(3), RAND_DRBG_get0_public(3), RAND_DRBG_get0_private(3), RAND_DRBG_set_reseed_interval(3), RAND_DRBG_set_reseed_time_interval(3), RAND_DRBG_set_reseed_defaults(3), RAND(7),

COPYRIGHT

Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!99evp.htmlnu[ evp

NAME

evp - high-level cryptographic functions

SYNOPSIS

 #include <openssl/evp.h>

DESCRIPTION

The EVP library provides a high-level interface to cryptographic functions.

The EVP_SealXXX and EVP_OpenXXX functions provide public key encryption and decryption to implement digital "envelopes".

The EVP_DigestSignXXX and EVP_DigestVerifyXXX functions implement digital signatures and Message Authentication Codes (MACs). Also see the older EVP_SignXXX and EVP_VerifyXXX functions.

Symmetric encryption is available with the EVP_EncryptXXX functions. The EVP_DigestXXX functions provide message digests.

The EVP_PKEYXXX functions provide a high-level interface to asymmetric algorithms. To create a new EVP_PKEY see EVP_PKEY_new(3). EVP_PKEYs can be associated with a private key of a particular algorithm by using the functions described on the EVP_PKEY_set1_RSA(3) page, or new keys can be generated using EVP_PKEY_keygen(3). EVP_PKEYs can be compared using EVP_PKEY_cmp(3), or printed using EVP_PKEY_print_private(3).

The EVP_PKEY functions support the full range of asymmetric algorithm operations:

For key agreement see EVP_PKEY_derive(3)
For signing and verifying see EVP_PKEY_sign(3), EVP_PKEY_verify(3) and EVP_PKEY_verify_recover(3). However, note that these functions do not perform a digest of the data to be signed. Therefore, normally you would use the EVP_DigestSignInit(3) functions for this purpose.
For encryption and decryption see EVP_PKEY_encrypt(3) and EVP_PKEY_decrypt(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a "digital envelope" using the EVP_SealInit(3) and EVP_OpenInit(3) functions.

The EVP_BytesToKey(3) function provides some limited support for password based encryption. Careful selection of the parameters will provide a PKCS#5 PBKDF1 compatible implementation. However, new applications should not typically use this (preferring, for example, PBKDF2 from PKCS#5).

The EVP_EncodeXXX and EVP_DecodeXXX functions implement base 64 encoding and decoding.

All the symmetric algorithms (ciphers), digests and asymmetric algorithms (public key algorithms) can be replaced by ENGINE modules providing alternative implementations. If ENGINE implementations of ciphers or digests are registered as defaults, then the various EVP functions will automatically use those implementations in preference to built in software implementations. For more information, consult the engine(3) man page.

Although low-level algorithm specific functions exist for many algorithms, their use is discouraged. They cannot be used with an ENGINE, and ENGINE versions of new algorithms cannot be accessed using the low-level functions. Using them also makes code harder to adapt to new algorithms; some options are not cleanly supported at the low level, and some operations are more efficient using the high-level interface.

SEE ALSO

EVP_DigestInit(3), EVP_EncryptInit(3), EVP_OpenInit(3), EVP_SealInit(3), EVP_DigestSignInit(3), EVP_SignInit(3), EVP_VerifyInit(3), EVP_EncodeInit(3), EVP_PKEY_new(3), EVP_PKEY_set1_RSA(3), EVP_PKEY_keygen(3), EVP_PKEY_print_private(3), EVP_PKEY_decrypt(3), EVP_PKEY_encrypt(3), EVP_PKEY_sign(3), EVP_PKEY_verify(3), EVP_PKEY_verify_recover(3), EVP_PKEY_derive(3), EVP_BytesToKey(3), ENGINE_by_id(3)

COPYRIGHT

Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!Wk] ] crypto.htmlnu[ crypto

NAME

crypto - OpenSSL cryptographic library

SYNOPSIS

See the individual manual pages for details.

DESCRIPTION

The OpenSSL crypto library implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of SSL, TLS and S/MIME, and they have also been used to implement SSH, OpenPGP, and other cryptographic standards.

libcrypto consists of a number of sub-libraries that implement the individual algorithms.

The functionality includes symmetric encryption, public key cryptography and key agreement, certificate handling, cryptographic hash functions, cryptographic pseudo-random number generator, and various utilities.

NOTES

Some of the newer functions follow a naming convention using the numbers 0 and 1. For example the functions:

 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev);
 int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj);

The 0 version uses the supplied structure pointer directly in the parent and it will be freed up when the parent is freed. In the above example the application would free crl but not rev, because rev is released together with crl; freeing rev separately would free it twice.

The 1 function uses a copy of the supplied structure pointer (or in some cases increases its link count) in the parent and so both (x and obj above) should be freed up.

RETURN VALUES

See the individual manual pages for details.

SEE ALSO

openssl(1), ssl(7)

COPYRIGHT

Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!yv   X25519.htmlnu[ X25519

NAME

X25519, X448 - EVP_PKEY X25519 and X448 support

DESCRIPTION

The X25519 and X448 EVP_PKEY implementation supports key generation and key derivation using X25519 and X448. It has associated private and public key formats compatible with RFC 8410.

No additional parameters can be set during key generation.

The peer public key must be set using EVP_PKEY_derive_set_peer() when performing key derivation.

NOTES

A context for the X25519 algorithm can be obtained by calling:

 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL);

For the X448 algorithm a context can be obtained by calling:

 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL);

X25519 or X448 private keys can be set directly using EVP_PKEY_new_raw_private_key(3) or loaded from a PKCS#8 private key file using PEM_read_bio_PrivateKey(3) (or similar function). Completely new keys can also be generated (see the example below). Setting a private key also sets the associated public key.

X25519 or X448 public keys can be set directly using EVP_PKEY_new_raw_public_key(3) or loaded from a SubjectPublicKeyInfo structure in a PEM file using PEM_read_bio_PUBKEY(3) (or similar function).

EXAMPLES

This example generates an X25519 private key and writes it to standard output in PEM format:

 #include <openssl/evp.h>
 #include <openssl/pem.h>
 ...
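 /*
  * Generate an X25519 key pair and write the private key to standard
  * output in PEM format. Each call can fail, so its result is checked
  * before the next step relies on it.
  */
 EVP_PKEY *pkey = NULL;
 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL);

 /*
  * The cipher argument of PEM_write_PrivateKey() is NULL below, so the
  * PEM output is not passphrase-protected. Supply a cipher and a
  * passphrase when the key is written anywhere it must stay confidential.
  */
 if (pctx == NULL
         || EVP_PKEY_keygen_init(pctx) <= 0
         || EVP_PKEY_keygen(pctx, &pkey) <= 0) {
     /* Key generation failed: report the error and do not use pkey. */
 } else if (PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL) != 1) {
     /* Writing the key failed: report the error. */
 }
 EVP_PKEY_CTX_free(pctx);   /* a NULL argument is accepted */
 EVP_PKEY_free(pkey);       /* release the key once it is no longer needed */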

The key derivation example in EVP_PKEY_derive(3) can be used with X25519 and X448.

SEE ALSO

EVP_PKEY_CTX_new(3), EVP_PKEY_keygen(3), EVP_PKEY_derive(3), EVP_PKEY_derive_set_peer(3)

COPYRIGHT

Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!PGeeSM2.htmlnu[ SM2

NAME

SM2 - Chinese SM2 signature and encryption algorithm support

DESCRIPTION

The SM2 algorithm was first defined by the Chinese national standard GM/T 0003-2012 and was later standardized by ISO as ISO/IEC 14888. SM2 is actually an elliptic curve based algorithm. The current implementation in OpenSSL supports both signature and encryption schemes via the EVP interface.

The SM2 signature algorithm requires a distinguishing identifier to form the message prefix, which is hashed before the real message is hashed.

NOTES

SM2 signatures can be generated by using the 'DigestSign' series of APIs, for instance, EVP_DigestSignInit(), EVP_DigestSignUpdate() and EVP_DigestSignFinal(). Ditto for the verification process by calling the 'DigestVerify' series of APIs.

There are several special steps that need to be done before computing an SM2 signature.

The EVP_PKEY structure will default to using ECDSA for signatures when it is created. It should be set to EVP_PKEY_SM2 by calling:

 EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);

Then an ID should be set by calling:

 EVP_PKEY_CTX_set1_id(pctx, id, id_len);

When calling the EVP_DigestSignInit() or EVP_DigestVerifyInit() functions, a preallocated EVP_PKEY_CTX should be assigned to the EVP_MD_CTX. This is done by calling:

 EVP_MD_CTX_set_pkey_ctx(mctx, pctx);

And normally there is no need to pass a pctx parameter to EVP_DigestSignInit() or EVP_DigestVerifyInit() in such a scenario.

EXAMPLES

This example demonstrates the calling sequence for using an EVP_PKEY to verify a message with the SM2 signature algorithm and the SM3 hash algorithm:

 #include <openssl/evp.h>

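 /* obtain an EVP_PKEY using whatever methods... */
 int verified = 0;   /* stays 0 unless every step below succeeds */

 /*
  * Check every return value. The alias type is set before the EVP_PKEY_CTX
  * is created from pkey, and the ID is set on pctx before it is attached to
  * mctx. The message is authentic only if EVP_DigestVerifyFinal() returns
  * exactly 1; any other value means the signature did not verify or an
  * error occurred.
  */
 if (EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2) == 1
         && (mctx = EVP_MD_CTX_new()) != NULL
         && (pctx = EVP_PKEY_CTX_new(pkey, NULL)) != NULL
         && EVP_PKEY_CTX_set1_id(pctx, id, id_len) > 0) {
     EVP_MD_CTX_set_pkey_ctx(mctx, pctx);
     verified = EVP_DigestVerifyInit(mctx, NULL, EVP_sm3(), NULL, pkey) == 1
                && EVP_DigestVerifyUpdate(mctx, msg, msg_len) == 1
                && EVP_DigestVerifyFinal(mctx, sig, sig_len) == 1;
 }
 /* accept msg only when verified is 1 */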

SEE ALSO

EVP_PKEY_CTX_new(3), EVP_PKEY_set_alias_type(3), EVP_DigestSignInit(3), EVP_DigestVerifyInit(3), EVP_PKEY_CTX_set1_id(3), EVP_MD_CTX_set_pkey_ctx(3)

COPYRIGHT

Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!Mˤdes_modes.htmlnu[ des_modes

NAME

des_modes - the variants of DES and other crypto algorithms of OpenSSL

DESCRIPTION

Several crypto algorithms for OpenSSL can be used in a number of modes. Those are used for using block ciphers in a way similar to stream ciphers, among other things.

OVERVIEW

Electronic Codebook Mode (ECB)

Normally, this is found as the function algorithm_ecb_encrypt().

  • 64 bits are enciphered at a time.

  • The order of the blocks can be rearranged without detection.

  • The same plaintext block always produces the same ciphertext block (for the same key) making it vulnerable to a 'dictionary attack'.

  • An error will only affect one ciphertext block.

Cipher Block Chaining Mode (CBC)

Normally, this is found as the function algorithm_cbc_encrypt(). Be aware that des_cbc_encrypt() is not really DES CBC (it does not update the IV); use des_ncbc_encrypt() instead.

  • a multiple of 64 bits are enciphered at a time.

  • The CBC mode produces the same ciphertext whenever the same plaintext is encrypted using the same key and starting variable.

  • The chaining operation makes the ciphertext blocks dependent on the current and all preceding plaintext blocks and therefore blocks can not be rearranged.

  • The use of different starting variables prevents the same plaintext enciphering to the same ciphertext.

  • An error will affect the current and the following ciphertext blocks.

Cipher Feedback Mode (CFB)

Normally, this is found as the function algorithm_cfb_encrypt().

  • a number of bits (j) <= 64 are enciphered at a time.

  • The CFB mode produces the same ciphertext whenever the same plaintext is encrypted using the same key and starting variable.

  • The chaining operation makes the ciphertext variables dependent on the current and all preceding variables and therefore j-bit variables are chained together and can not be rearranged.

  • The use of different starting variables prevents the same plaintext enciphering to the same ciphertext.

  • The strength of the CFB mode depends on the size of k (maximal if j == k). In my implementation this is always the case.

  • Selection of a small value for j will require more cycles through the encipherment algorithm per unit of plaintext and thus cause greater processing overheads.

  • Only multiples of j bits can be enciphered.

  • An error will affect the current and the following ciphertext variables.

Output Feedback Mode (OFB)

Normally, this is found as the function algorithm_ofb_encrypt().

  • a number of bits (j) <= 64 are enciphered at a time.

  • The OFB mode produces the same ciphertext whenever the same plaintext is enciphered using the same key and starting variable. Moreover, in the OFB mode the same key stream is produced when the same key and start variable are used. Consequently, for security reasons a specific start variable should be used only once for a given key.

  • The absence of chaining makes the OFB more vulnerable to specific attacks.

  • The use of different start variable values prevents the same plaintext enciphering to the same ciphertext, by producing different key streams.

  • Selection of a small value for j will require more cycles through the encipherment algorithm per unit of plaintext and thus cause greater processing overheads.

  • Only multiples of j bits can be enciphered.

  • OFB mode of operation does not extend ciphertext errors in the resultant plaintext output. Every bit error in the ciphertext causes only one bit to be in error in the deciphered plaintext.

  • OFB mode is not self-synchronizing. If the two operations of encipherment and decipherment get out of synchronism, the system needs to be re-initialized.

  • Each re-initialization should use a value of the start variable different from the start variable values used before with the same key. The reason for this is that an identical bit stream would be produced each time from the same parameters. This would be susceptible to a 'known plaintext' attack.

Triple ECB Mode

Normally, this is found as the function algorithm_ecb3_encrypt().

  • Encrypt with key1, decrypt with key2 and encrypt with key3 again.

  • As for ECB encryption but increases the key length to 168 bits. There are theoretic attacks that can be used that make the effective key length 112 bits, but this attack also requires 2^56 blocks of memory, not very likely, even for the NSA.

  • If both keys are the same it is equivalent to encrypting once with just one key.

  • If the first and last key are the same, the key length is 112 bits. There are attacks that could reduce the effective key strength to only slightly more than 56 bits, but these require a lot of memory.

  • If all 3 keys are the same, this is effectively the same as normal ecb mode.

Triple CBC Mode

Normally, this is found as the function algorithm_ede3_cbc_encrypt().

  • Encrypt with key1, decrypt with key2 and then encrypt with key3.

  • As for CBC encryption but increases the key length to 168 bits with the same restrictions as for triple ecb mode.

NOTES

This text was written in large part by Eric Young in his original documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed it to:

        AS 2805.5.2
        Australian Standard
        Electronic funds transfer - Requirements for interfaces,
        Part 5.2: Modes of operation for an n-bit block cipher algorithm
        Appendix A

SEE ALSO

BF_encrypt(3), DES_crypt(3)

COPYRIGHT

Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!B4Vtt scrypt.htmlnu[ scrypt

NAME

scrypt - EVP_PKEY scrypt KDF support

DESCRIPTION

The EVP_PKEY_SCRYPT algorithm implements the scrypt password based key derivation function, as described in RFC 7914. It is memory-hard in the sense that it deliberately requires a significant amount of RAM for efficient computation. The intention of this is to render brute forcing of passwords on systems that lack large amounts of main memory (such as GPUs or ASICs) computationally infeasible.

scrypt provides three work factors that can be customized: N, r and p. N, which has to be a positive power of two, is the general work factor and scales CPU time in an approximately linear fashion. r is the block size of the internally used hash function and p is the parallelization factor. Both r and p need to be greater than zero. The amount of RAM that scrypt requires for its computation is roughly (128 * N * r * p) bytes.

In the original paper of Colin Percival ("Stronger Key Derivation via Sequential Memory-Hard Functions", 2009), the suggested values that give a computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N = 2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for this computation is roughly 1 GiB. On a more recent CPU (Intel i7-5930K at 3.5 GHz), this computation takes about 3 seconds. When N, r or p are not specified, they default to 1048576, 8, and 1, respectively. The amount of RAM that may be used by scrypt defaults to 1025 MiB.

NOTES

A context for scrypt can be obtained by calling:

 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);

The output length of an scrypt key derivation is specified via the length parameter to the EVP_PKEY_derive(3) function.

EXAMPLES

This example derives a 64-byte long test vector using scrypt using the password "password", salt "NaCl" and N = 1024, r = 8, p = 16.

 /* Derive 64 bytes with scrypt and compare them with the expected vector. */
 unsigned char out[64];
 size_t outlen = sizeof(out);
 /* Output expected for the password, salt and N, r, p values set below. */
 const unsigned char expected[sizeof(out)] = {
     0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
     0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
     0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
     0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
     0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
     0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
     0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
     0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
 };
 EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL);

 /* Any return value <= 0 is treated as failure and reported by name. */
 if (EVP_PKEY_derive_init(pctx) <= 0)
     error("EVP_PKEY_derive_init");

 /* Password and salt, passed with explicit lengths. */
 if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0)
     error("EVP_PKEY_CTX_set1_pbe_pass");
 if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0)
     error("EVP_PKEY_CTX_set1_scrypt_salt");

 /* Work factors: N = 1024, r = 8, p = 16. */
 if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0)
     error("EVP_PKEY_CTX_set_scrypt_N");
 if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0)
     error("EVP_PKEY_CTX_set_scrypt_r");
 if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0)
     error("EVP_PKEY_CTX_set_scrypt_p");

 /* outlen carries the requested output length (sizeof(out)) into the call. */
 if (EVP_PKEY_derive(pctx, out, &outlen) <= 0)
     error("EVP_PKEY_derive");

 /* Note: assert() is compiled out when NDEBUG is defined. */
 assert(memcmp(out, expected, sizeof(out)) == 0);

 EVP_PKEY_CTX_free(pctx);

CONFORMING TO

RFC 7914

SEE ALSO

EVP_PKEY_CTX_set1_scrypt_salt(3), EVP_PKEY_CTX_set_scrypt_N(3), EVP_PKEY_CTX_set_scrypt_r(3), EVP_PKEY_CTX_set_scrypt_p(3), EVP_PKEY_CTX_set_scrypt_maxmem_bytes(3), EVP_PKEY_CTX_new(3), EVP_PKEY_CTX_ctrl_str(3), EVP_PKEY_derive(3)

COPYRIGHT

Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!Ђnnbio.htmlnu[ bio

NAME

bio - Basic I/O abstraction

SYNOPSIS

 #include <openssl/bio.h>

DESCRIPTION

A BIO is an I/O abstraction, it hides many of the underlying I/O details from an application. If an application uses a BIO for its I/O it can transparently handle SSL connections, unencrypted network connections and file I/O.

There are two types of BIO, a source/sink BIO and a filter BIO.

As its name implies a source/sink BIO is a source and/or sink of data, examples include a socket BIO and a file BIO.

A filter BIO takes data from one BIO and passes it through to another, or the application. The data may be left unmodified (for example a message digest BIO) or translated (for example an encryption BIO). The effect of a filter BIO may change according to the I/O operation it is performing: for example an encryption BIO will encrypt data if it is being written to and decrypt data if it is being read from.

BIOs can be joined together to form a chain (a single BIO is a chain with one component). A chain normally consists of one source/sink BIO and one or more filter BIOs. Data read from or written to the first BIO then traverses the chain to the end (normally a source/sink BIO).

Some BIOs (such as memory BIOs) can be used immediately after calling BIO_new(). Others (such as file BIOs) need some additional initialization, and frequently a utility function exists to create and initialize such BIOs.

If BIO_free() is called on a BIO chain it will only free one BIO resulting in a memory leak.

Calling BIO_free_all() on a single BIO has the same effect as calling BIO_free() on it other than the discarded return value.

Normally the type argument is supplied by a function which returns a pointer to a BIO_METHOD. There is a naming convention for such functions: a source/sink BIO is normally called BIO_s_*() and a filter BIO BIO_f_*();

EXAMPLES

Create a memory BIO:

 BIO *mem = BIO_new(BIO_s_mem());

SEE ALSO

BIO_ctrl(3), BIO_f_base64(3), BIO_f_buffer(3), BIO_f_cipher(3), BIO_f_md(3), BIO_f_null(3), BIO_f_ssl(3), BIO_find_type(3), BIO_new(3), BIO_new_bio_pair(3), BIO_push(3), BIO_read_ex(3), BIO_s_accept(3), BIO_s_bio(3), BIO_s_connect(3), BIO_s_fd(3), BIO_s_file(3), BIO_s_mem(3), BIO_s_null(3), BIO_s_socket(3), BIO_set_callback(3), BIO_should_retry(3)

COPYRIGHT

Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK! Z x509.htmlnu[ x509

NAME

x509 - X.509 certificate handling

SYNOPSIS

 #include <openssl/x509.h>

DESCRIPTION

An X.509 certificate is a structured grouping of information about an individual, a device, or anything one can imagine. An X.509 CRL (certificate revocation list) is a tool to help determine if a certificate is still valid. The exact definition of those can be found in the X.509 document from ITU-T, or in RFC3280 from PKIX. In OpenSSL, the type X509 is used to express such a certificate, and the type X509_CRL is used to express a CRL.

A related structure is a certificate request, defined in PKCS#10 from RSA Security, Inc, also reflected in RFC2896. In OpenSSL, the type X509_REQ is used to express such a certificate request.

To handle some complex parts of a certificate, there are the types X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express a certificate attribute), X509_EXTENSION (to express a certificate extension) and a few more.

Finally, there's the supertype X509_INFO, which can contain a CRL, a certificate and a corresponding private key.

X509_XXX, d2i_X509_XXX, and i2d_X509_XXX functions handle X.509 certificates, with some exceptions, shown below.

X509_CRL_XXX, d2i_X509_CRL_XXX, and i2d_X509_CRL_XXX functions handle X.509 CRLs.

X509_REQ_XXX, d2i_X509_REQ_XXX, and i2d_X509_REQ_XXX functions handle PKCS#10 certificate requests.

X509_NAME_XXX functions handle certificate names.

X509_ATTRIBUTE_XXX functions handle certificate attributes.

X509_EXTENSION_XXX functions handle certificate extensions.

SEE ALSO

X509_NAME_ENTRY_get_object(3), X509_NAME_add_entry_by_txt(3), X509_NAME_add_entry_by_NID(3), X509_NAME_print_ex(3), X509_NAME_new(3), d2i_X509(3), d2i_X509_ALGOR(3), d2i_X509_CRL(3), d2i_X509_NAME(3), d2i_X509_REQ(3), d2i_X509_SIG(3), X509v3(3), crypto(7)

COPYRIGHT

Copyright 2003-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK! gssl.htmlnu[ ssl

NAME

ssl - OpenSSL SSL/TLS library

SYNOPSIS

See the individual manual pages for details.

DESCRIPTION

The OpenSSL ssl library implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. It provides a rich API which is documented here.

An SSL_CTX object is created as a framework to establish TLS/SSL enabled connections (see SSL_CTX_new(3)). Various options regarding certificates, algorithms etc. can be set in this object.

When a network connection has been created, it can be assigned to an SSL object. After the SSL object has been created using SSL_new(3), SSL_set_fd(3) or SSL_set_bio(3) can be used to associate the network connection with the object.

Then the TLS/SSL handshake is performed using SSL_accept(3) or SSL_connect(3) respectively. SSL_read_ex(3), SSL_read(3), SSL_write_ex(3) and SSL_write(3) are used to read and write data on the TLS/SSL connection. SSL_shutdown(3) can be used to shut down the TLS/SSL connection.

DATA STRUCTURES

Currently the OpenSSL ssl library functions deal with the following data structures:

SSL_METHOD (SSL Method)

This is a dispatch structure describing the internal ssl library methods/functions which implement the various protocol versions (SSLv3 TLSv1, ...). It's needed to create an SSL_CTX.

SSL_CIPHER (SSL Cipher)

This structure holds the algorithm information for a particular cipher which are a core part of the SSL/TLS protocol. The available ciphers are configured on a SSL_CTX basis and the actual ones used are then part of the SSL_SESSION.

SSL_CTX (SSL Context)

This is the global context structure which is created by a server or client once per program life-time and which holds mainly default values for the SSL structures which are later created for the connections.

SSL_SESSION (SSL Session)

This is a structure containing the current TLS/SSL session details for a connection: SSL_CIPHERs, client and server certificates, keys, etc.

SSL (SSL Connection)

This is the main SSL/TLS structure which is created by a server or client per established connection. This actually is the core structure in the SSL API. At run-time the application usually deals with this structure which has links to mostly all other structures.

HEADER FILES

Currently the OpenSSL ssl library provides the following C header files containing the prototypes for the data structures and functions:

ssl.h

This is the common header file for the SSL/TLS API. Include it into your program to make the API of the ssl library available. It internally includes both more private SSL headers and headers from the crypto library. Whenever you need hard-core details on the internals of the SSL API, look inside this header file.

ssl2.h

Unused. Present for backwards compatibility only.

ssl3.h

This is the sub header file dealing with the SSLv3 protocol only. Usually you don't have to include it explicitly because it's already included by ssl.h.

tls1.h

This is the sub header file dealing with the TLSv1 protocol only. Usually you don't have to include it explicitly because it's already included by ssl.h.

API FUNCTIONS

Currently the OpenSSL ssl library exports 214 API functions. They are documented in the following:

Dealing with Protocol Methods

Here we document the various API functions which deal with the SSL/TLS protocol methods defined in SSL_METHOD structures.

const SSL_METHOD *TLS_method(void);

Constructor for the version-flexible SSL_METHOD structure for clients, servers or both. See SSL_CTX_new(3) for details.

const SSL_METHOD *TLS_client_method(void);

Constructor for the version-flexible SSL_METHOD structure for clients. Must be used to support the TLSv1.3 protocol.

const SSL_METHOD *TLS_server_method(void);

Constructor for the version-flexible SSL_METHOD structure for servers. Must be used to support the TLSv1.3 protocol.

const SSL_METHOD *TLSv1_2_method(void);

Constructor for the TLSv1.2 SSL_METHOD structure for clients, servers or both.

const SSL_METHOD *TLSv1_2_client_method(void);

Constructor for the TLSv1.2 SSL_METHOD structure for clients.

const SSL_METHOD *TLSv1_2_server_method(void);

Constructor for the TLSv1.2 SSL_METHOD structure for servers.

const SSL_METHOD *TLSv1_1_method(void);

Constructor for the TLSv1.1 SSL_METHOD structure for clients, servers or both.

const SSL_METHOD *TLSv1_1_client_method(void);

Constructor for the TLSv1.1 SSL_METHOD structure for clients.

const SSL_METHOD *TLSv1_1_server_method(void);

Constructor for the TLSv1.1 SSL_METHOD structure for servers.

const SSL_METHOD *TLSv1_method(void);

Constructor for the TLSv1 SSL_METHOD structure for clients, servers or both.

const SSL_METHOD *TLSv1_client_method(void);

Constructor for the TLSv1 SSL_METHOD structure for clients.

const SSL_METHOD *TLSv1_server_method(void);

Constructor for the TLSv1 SSL_METHOD structure for servers.

const SSL_METHOD *SSLv3_method(void);

Constructor for the SSLv3 SSL_METHOD structure for clients, servers or both.

const SSL_METHOD *SSLv3_client_method(void);

Constructor for the SSLv3 SSL_METHOD structure for clients.

const SSL_METHOD *SSLv3_server_method(void);

Constructor for the SSLv3 SSL_METHOD structure for servers.

Dealing with Ciphers

Here we document the various API functions which deal with the SSL/TLS ciphers defined in SSL_CIPHER structures.

char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len);

Write a string to buf (with a maximum size of len) containing a human readable description of cipher. Returns buf.

int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *alg_bits);

Determine the number of bits in cipher. Because of export crippled ciphers there are two bits: The bits the algorithm supports in general (stored to alg_bits) and the bits which are actually used (the return value).

const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher);

Return the internal name of cipher as a string. These are the various strings defined by the SSL3_TXT_xxx and TLS1_TXT_xxx definitions in the header files.

const char *SSL_CIPHER_get_version(SSL_CIPHER *cipher);

Returns a string like "SSLv3" or "TLSv1.2" which indicates the SSL/TLS protocol version to which cipher belongs (i.e. where it was defined in the specification the first time).

Dealing with Protocol Contexts

Here we document the various API functions which deal with the SSL/TLS protocol context defined in the SSL_CTX structure.

int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c);
int SSL_CTX_check_private_key(const SSL_CTX *ctx);
long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg);
void SSL_CTX_flush_sessions(SSL_CTX *s, long t);
void SSL_CTX_free(SSL_CTX *a);
char *SSL_CTX_get_app_data(SSL_CTX *ctx);
X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);
STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);
STACK *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);
int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
void SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);
char *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx);
int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);
int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
void SSL_CTX_get_read_ahead(SSL_CTX *ctx);
int SSL_CTX_get_session_cache_mode(SSL_CTX *ctx);
long SSL_CTX_get_timeout(const SSL_CTX *ctx);
int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);
int SSL_CTX_up_ref(SSL_CTX *ctx);
int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c);
int SSL_CTX_sess_accept(SSL_CTX *ctx);
int SSL_CTX_sess_accept_good(SSL_CTX *ctx);
int SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx);
int SSL_CTX_sess_cache_full(SSL_CTX *ctx);
int SSL_CTX_sess_cb_hits(SSL_CTX *ctx);
int SSL_CTX_sess_connect(SSL_CTX *ctx);
int SSL_CTX_sess_connect_good(SSL_CTX *ctx);
int SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx);
int SSL_CTX_sess_get_cache_size(SSL_CTX *ctx);
SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, int len, int *copy);
int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)(SSL *ssl, SSL_SESSION *sess);
void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)(SSL_CTX *ctx, SSL_SESSION *sess);
int SSL_CTX_sess_hits(SSL_CTX *ctx);
int SSL_CTX_sess_misses(SSL_CTX *ctx);
int SSL_CTX_sess_number(SSL_CTX *ctx);
void SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, t);
void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(SSL *ssl, unsigned char *data, int len, int *copy));
void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, SSL_SESSION *sess));
void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess));
int SSL_CTX_sess_timeouts(SSL_CTX *ctx);
LHASH *SSL_CTX_sessions(SSL_CTX *ctx);
int SSL_CTX_set_app_data(SSL_CTX *ctx, void *arg);
void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *cs);
void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *cs);
void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(), char *arg)
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, char *str);
void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK *list);
void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, ssl_ct_validation_cb callback, void *arg);
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, int (*cb);(void))
void SSL_CTX_set_default_read_ahead(SSL_CTX *ctx, int m);
int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);

Use the default paths to locate trusted CA certificates. There is one default directory path and one default file path. Both are set via this call.

int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)

Use the default directory path to locate trusted CA certificates.

int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)

Use the file path to locate trusted CA certificates.

int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, char *arg);
void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(SSL *ssl, int cb, int ret));
void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
unsigned long SSL_CTX_get_options(SSL_CTX *ctx);
unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);
void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int m);
void SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode);
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
void SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
long SSL_CTX_set_tmp_dh(SSL_CTX* ctx, DH *dh);
long SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*cb)(void));
void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb);(void))
int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, long len);
int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);
int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);
int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);
int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);
int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);
int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);
X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));
int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint);
void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));

Dealing with Sessions

Here we document the various API functions which deal with the SSL/TLS sessions defined in the SSL_SESSION structures.

int SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b);
void SSL_SESSION_free(SSL_SESSION *ss);
char *SSL_SESSION_get_app_data(SSL_SESSION *s);
char *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx);
int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
long SSL_SESSION_get_time(const SSL_SESSION *s);
long SSL_SESSION_get_timeout(const SSL_SESSION *s);
unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
SSL_SESSION *SSL_SESSION_new(void);
int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x);
int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x);
int SSL_SESSION_set_app_data(SSL_SESSION *s, char *a);
int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, char *arg);
long SSL_SESSION_set_time(SSL_SESSION *s, long t);
long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);

Dealing with Connections

Here we document the various API functions which deal with the SSL/TLS connection defined in the SSL structure.

int SSL_accept(SSL *ssl);
int SSL_add_dir_cert_subjects_to_stack(STACK *stack, const char *dir);
int SSL_add_file_cert_subjects_to_stack(STACK *stack, const char *file);
int SSL_add_client_CA(SSL *ssl, X509 *x);
char *SSL_alert_desc_string(int value);
char *SSL_alert_desc_string_long(int value);
char *SSL_alert_type_string(int value);
char *SSL_alert_type_string_long(int value);
int SSL_check_private_key(const SSL *ssl);
void SSL_clear(SSL *ssl);
long SSL_clear_num_renegotiations(SSL *ssl);
int SSL_connect(SSL *ssl);
int SSL_copy_session_id(SSL *t, const SSL *f);

Sets the session details for t to be the same as in f. Returns 1 on success or 0 on failure.

long SSL_ctrl(SSL *ssl, int cmd, long larg, char *parg);
int SSL_do_handshake(SSL *ssl);
SSL *SSL_dup(SSL *ssl);

SSL_dup() allows applications to configure an SSL handle for use in multiple SSL connections, and then duplicate it prior to initiating each connection with the duplicated handle. Use of SSL_dup() avoids the need to repeat the configuration of the handles for each connection.

For SSL_dup() to work, the connection MUST be in its initial state and MUST NOT have yet started the SSL handshake. For connections that are not in their initial state SSL_dup() just increments an internal reference count and returns the same handle. It may be possible to use SSL_clear(3) to recycle an SSL handle that is not in its initial state for re-use, but this is best avoided. Instead, save and restore the session, if desired, and construct a fresh handle for each connection.

STACK *SSL_dup_CA_list(STACK *sk);
void SSL_free(SSL *ssl);
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
char *SSL_get_app_data(SSL *ssl);
X509 *SSL_get_certificate(const SSL *ssl);
const char *SSL_get_cipher(const SSL *ssl);
int SSL_is_dtls(const SSL *ssl);
int SSL_get_cipher_bits(const SSL *ssl, int *alg_bits);
char *SSL_get_cipher_list(const SSL *ssl, int n);
char *SSL_get_cipher_name(const SSL *ssl);
char *SSL_get_cipher_version(const SSL *ssl);
STACK *SSL_get_ciphers(const SSL *ssl);
STACK *SSL_get_client_CA_list(const SSL *ssl);
SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);
long SSL_get_default_timeout(const SSL *ssl);
int SSL_get_error(const SSL *ssl, int i);
char *SSL_get_ex_data(const SSL *ssl, int idx);
int SSL_get_ex_data_X509_STORE_CTX_idx(void);
int SSL_get_ex_new_index(long argl, char *argp, int (*new_func)(void), int (*dup_func)(void), void (*free_func)(void));
int SSL_get_fd(const SSL *ssl);
void (*SSL_get_info_callback(const SSL *ssl))();
int SSL_get_key_update_type(SSL *s);
STACK *SSL_get_peer_cert_chain(const SSL *ssl);
X509 *SSL_get_peer_certificate(const SSL *ssl);
const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s);
EVP_PKEY *SSL_get_privatekey(const SSL *ssl);
int SSL_get_quiet_shutdown(const SSL *ssl);
BIO *SSL_get_rbio(const SSL *ssl);
int SSL_get_read_ahead(const SSL *ssl);
SSL_SESSION *SSL_get_session(const SSL *ssl);
char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int size);
int SSL_get_shutdown(const SSL *ssl);
const SSL_METHOD *SSL_get_ssl_method(SSL *ssl);
int SSL_get_state(const SSL *ssl);
long SSL_get_time(const SSL *ssl);
long SSL_get_timeout(const SSL *ssl);
int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *)
int SSL_get_verify_mode(const SSL *ssl);
long SSL_get_verify_result(const SSL *ssl);
char *SSL_get_version(const SSL *ssl);
BIO *SSL_get_wbio(const SSL *ssl);
int SSL_in_accept_init(SSL *ssl);
int SSL_in_before(SSL *ssl);
int SSL_in_connect_init(SSL *ssl);
int SSL_in_init(SSL *ssl);
int SSL_is_init_finished(SSL *ssl);
int SSL_key_update(SSL *s, int updatetype);
STACK *SSL_load_client_CA_file(const char *file);
SSL *SSL_new(SSL_CTX *ctx);
int SSL_up_ref(SSL *s);
long SSL_num_renegotiations(SSL *ssl);
int SSL_peek(SSL *ssl, void *buf, int num);
int SSL_pending(const SSL *ssl);
int SSL_read(SSL *ssl, void *buf, int num);
int SSL_renegotiate(SSL *ssl);
char *SSL_rstate_string(SSL *ssl);
char *SSL_rstate_string_long(SSL *ssl);
long SSL_session_reused(SSL *ssl);
void SSL_set_accept_state(SSL *ssl);
void SSL_set_app_data(SSL *ssl, char *arg);
void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);
int SSL_set_cipher_list(SSL *ssl, char *str);
void SSL_set_client_CA_list(SSL *ssl, STACK *list);
void SSL_set_connect_state(SSL *ssl);
int SSL_set_ct_validation_callback(SSL *ssl, ssl_ct_validation_cb callback, void *arg);
int SSL_set_ex_data(SSL *ssl, int idx, char *arg);
int SSL_set_fd(SSL *ssl, int fd);
void SSL_set_info_callback(SSL *ssl, void (*cb)(void));
void SSL_set_msg_callback(SSL *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
void SSL_set_msg_callback_arg(SSL *ctx, void *arg);
unsigned long SSL_clear_options(SSL *ssl, unsigned long op);
unsigned long SSL_get_options(SSL *ssl);
unsigned long SSL_set_options(SSL *ssl, unsigned long op);
void SSL_set_quiet_shutdown(SSL *ssl, int mode);
void SSL_set_read_ahead(SSL *ssl, int yes);
int SSL_set_rfd(SSL *ssl, int fd);
int SSL_set_session(SSL *ssl, SSL_SESSION *session);
void SSL_set_shutdown(SSL *ssl, int mode);
int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *meth);
void SSL_set_time(SSL *ssl, long t);
void SSL_set_timeout(SSL *ssl, long t);
void SSL_set_verify(SSL *ssl, int mode, int (*callback)(void));
void SSL_set_verify_result(SSL *ssl, long arg);
int SSL_set_wfd(SSL *ssl, int fd);
int SSL_shutdown(SSL *ssl);
OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);

Returns the current handshake state.

char *SSL_state_string(const SSL *ssl);
char *SSL_state_string_long(const SSL *ssl);
long SSL_total_renegotiations(SSL *ssl);
int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len);
int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);
int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
int SSL_use_certificate(SSL *ssl, X509 *x);
int SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d);
int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
int SSL_use_cert_and_key(SSL *ssl, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);
int SSL_version(const SSL *ssl);
int SSL_want(const SSL *ssl);
int SSL_want_nothing(const SSL *ssl);
int SSL_want_read(const SSL *ssl);
int SSL_want_write(const SSL *ssl);
int SSL_want_x509_lookup(const SSL *ssl);
int SSL_write(SSL *ssl, const void *buf, int num);
void SSL_set_psk_client_callback(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));
int SSL_use_psk_identity_hint(SSL *ssl, const char *hint);
void SSL_set_psk_server_callback(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));
const char *SSL_get_psk_identity_hint(SSL *ssl);
const char *SSL_get_psk_identity(SSL *ssl);

RETURN VALUES

See the individual manual pages for details.

SEE ALSO

openssl(1), crypto(7), CRYPTO_get_ex_new_index(3), SSL_accept(3), SSL_clear(3), SSL_connect(3), SSL_CIPHER_get_name(3), SSL_COMP_add_compression_method(3), SSL_CTX_add_extra_chain_cert(3), SSL_CTX_add_session(3), SSL_CTX_ctrl(3), SSL_CTX_flush_sessions(3), SSL_CTX_get_verify_mode(3), SSL_CTX_load_verify_locations(3) SSL_CTX_new(3), SSL_CTX_sess_number(3), SSL_CTX_sess_set_cache_size(3), SSL_CTX_sess_set_get_cb(3), SSL_CTX_sessions(3), SSL_CTX_set_cert_store(3), SSL_CTX_set_cert_verify_callback(3), SSL_CTX_set_cipher_list(3), SSL_CTX_set_client_CA_list(3), SSL_CTX_set_client_cert_cb(3), SSL_CTX_set_default_passwd_cb(3), SSL_CTX_set_generate_session_id(3), SSL_CTX_set_info_callback(3), SSL_CTX_set_max_cert_list(3), SSL_CTX_set_mode(3), SSL_CTX_set_msg_callback(3), SSL_CTX_set_options(3), SSL_CTX_set_quiet_shutdown(3), SSL_CTX_set_read_ahead(3), SSL_CTX_set_security_level(3), SSL_CTX_set_session_cache_mode(3), SSL_CTX_set_session_id_context(3), SSL_CTX_set_ssl_version(3), SSL_CTX_set_timeout(3), SSL_CTX_set_tmp_dh_callback(3), SSL_CTX_set_verify(3), SSL_CTX_use_certificate(3), SSL_alert_type_string(3), SSL_do_handshake(3), SSL_enable_ct(3), SSL_get_SSL_CTX(3), SSL_get_ciphers(3), SSL_get_client_CA_list(3), SSL_get_default_timeout(3), SSL_get_error(3), SSL_get_ex_data_X509_STORE_CTX_idx(3), SSL_get_fd(3), SSL_get_peer_cert_chain(3), SSL_get_rbio(3), SSL_get_session(3), SSL_get_verify_result(3), SSL_get_version(3), SSL_load_client_CA_file(3), SSL_new(3), SSL_pending(3), SSL_read_ex(3), SSL_read(3), SSL_rstate_string(3), SSL_session_reused(3), SSL_set_bio(3), SSL_set_connect_state(3), SSL_set_fd(3), SSL_set_session(3), SSL_set_shutdown(3), SSL_shutdown(3), SSL_state_string(3), SSL_want(3), SSL_write_ex(3), SSL_write(3), SSL_SESSION_free(3), SSL_SESSION_get_time(3), d2i_SSL_SESSION(3), SSL_CTX_set_psk_client_callback(3), SSL_CTX_use_psk_identity_hint(3), SSL_get_psk_identity(3), DTLSv1_listen(3)

HISTORY

SSLv2_client_method, SSLv2_server_method and SSLv2_method were removed in OpenSSL 1.1.0.

The return type of SSL_copy_session_id was changed from void to int in OpenSSL 1.1.0.

COPYRIGHT

Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!.Eռ;; RAND.htmlnu[ RAND

NAME

RAND - the OpenSSL random generator

DESCRIPTION

Random numbers are a vital part of cryptography, they are needed to provide unpredictability for tasks like key generation, creating salts, and many more. Software-based generators must be seeded with external randomness before they can be used as a cryptographically-secure pseudo-random number generator (CSPRNG). The availability of common hardware with special instructions and modern operating systems, which may use items such as interrupt jitter and network packet timings, can be reasonable sources of seeding material.

OpenSSL comes with a default implementation of the RAND API which is based on the deterministic random bit generator (DRBG) model as described in [NIST SP 800-90A Rev. 1]. The default random generator will initialize automatically on first use and will be fully functional without having to be initialized ('seeded') explicitly. It seeds and reseeds itself automatically using trusted random sources provided by the operating system.

As a normal application developer, you do not have to worry about any details, just use RAND_bytes(3) to obtain random data. Having said that, there is one important rule to obey: Always check the error return value of RAND_bytes(3) and do not take randomness for granted. Although (re-)seeding is automatic, it can fail because no trusted random source is available or the trusted source(s) temporarily fail to provide sufficient random seed material. In this case the CSPRNG enters an error state and ceases to provide output, until it is able to recover from the error by reseeding itself. For more details on reseeding and error recovery, see RAND_DRBG(7).

For values that should remain secret, you can use RAND_priv_bytes(3) instead. This method does not provide 'better' randomness; it uses the same type of CSPRNG. The intention behind using a dedicated CSPRNG exclusively for private values is that none of its output should be visible to an attacker (as it would be if it were used, e.g., as a salt value), in order to reveal as little information as possible about its internal state, and that a compromise of the "public" CSPRNG instance will not affect the secrecy of these private values.

In the rare case where the default implementation does not satisfy your special requirements, there are two options:

  • Replace the default RAND method by your own RAND method using RAND_set_rand_method(3).

  • Modify the default settings of the OpenSSL RAND method by modifying the security parameters of the underlying DRBG, which is described in detail in RAND_DRBG(7).

Changing the default random generator or its default parameters should be necessary only in exceptional cases and is not recommended, unless you have a profound knowledge of cryptographic principles and understand the implications of your changes.

SEE ALSO

RAND_add(3), RAND_bytes(3), RAND_priv_bytes(3), RAND_get_rand_method(3), RAND_set_rand_method(3), RAND_OpenSSL(3), RAND_DRBG(7)

COPYRIGHT

Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!8} ossl_store-file.htmlnu[ ossl_store-file

NAME

ossl_store-file - The store 'file' scheme loader

SYNOPSIS

#include <openssl/store.h>

DESCRIPTION

Support for the 'file' scheme is built into libcrypto. Since files come in all kinds of formats and content types, the 'file' scheme has its own layer of functionality called "file handlers", which are used to try to decode diverse types of file contents.

In case a file is formatted as PEM, each called file handler receives the PEM name (everything following any '-----BEGIN ') as well as possible PEM headers, together with the decoded PEM body. Since PEM formatted files can contain more than one object, the file handlers are called upon for each such object.

If the file isn't determined to be formatted as PEM, the content is loaded in raw form in its entirety and passed to the available file handlers as is, with no PEM name or headers.

Each file handler is expected to handle PEM and non-PEM content as appropriate. Some may refuse non-PEM content for the sake of determinism (for example, there are keys out in the wild that are represented as an ASN.1 OCTET STRING. In raw form, it's not easily possible to distinguish those from any other data coming as an ASN.1 OCTET STRING, so such keys would naturally be accepted as PEM files only).

NOTES

When needed, the 'file' scheme loader will require a pass phrase by using the UI_METHOD that was passed via OSSL_STORE_open(). This pass phrase is expected to be UTF-8 encoded, anything else will give an undefined result. The files made accessible through this loader are expected to be standard compliant with regards to pass phrase encoding. Files that aren't should be re-generated with a correctly encoded pass phrase. See passphrase-encoding(7) for more information.

SEE ALSO

ossl_store(7), passphrase-encoding(7)

COPYRIGHT

Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!4Gossl_store.htmlnu[ ossl_store

NAME

ossl_store - Store retrieval functions

SYNOPSIS

#include <openssl/store.h>

DESCRIPTION

General

A STORE is a layer of functionality to retrieve a number of supported objects from a repository of any kind, addressable as a filename or as a URI.

The functionality supports the pattern "open a channel to the repository", "loop and retrieve one object at a time", and "finish up by closing the channel".

The retrieved objects are returned as a wrapper type OSSL_STORE_INFO, from which an OpenSSL type can be retrieved.

URI schemes and loaders

Support for a URI scheme is called a STORE "loader", and can be added dynamically from the calling application or from a loadable engine.

Support for the 'file' scheme is built into libcrypto. See ossl_store-file(7) for more information.

UI_METHOD and pass phrases

The OSSL_STORE API does nothing to enforce any specific format or encoding on the pass phrase that the UI_METHOD provides. However, the pass phrase is expected to be UTF-8 encoded. The result of any other encoding is undefined.

EXAMPLES

A generic call

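 /*
  * Open a channel to the repository.  The call is abbreviated in this
  * example; see OSSL_STORE_open(3) for the complete argument list,
  * including the UI_METHOD used when a pass phrase is required.
  */
 OSSL_STORE_CTX *ctx = OSSL_STORE_open("file:/foo/bar/data.pem");

 /* Opening can fail (missing file, unsupported scheme); never loop on NULL */
 if (ctx != NULL) {
     /*
      * OSSL_STORE_eof() simulates file semantics for any repository to signal
      * that no more data can be expected
      */
     while (!OSSL_STORE_eof(ctx)) {
         OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);

         /*
          * NULL means either end of data or a failure to decode one object.
          * Skip it instead of dereferencing it; the loop condition ends the
          * loop once the end of data has been reached.
          */
         if (info == NULL) {
             if (OSSL_STORE_error(ctx)) {
                 /* Report or log the failure as the application requires */
             }
             continue;
         }

         /*
          * Do whatever is necessary with the OSSL_STORE_INFO,
          * here just one example
          */
         switch (OSSL_STORE_INFO_get_type(info)) {
         case OSSL_STORE_INFO_CERT:
             /* Print the X.509 certificate text */
             X509_print_fp(stdout, OSSL_STORE_INFO_get0_CERT(info));
             /* Print the X.509 certificate PEM output */
             PEM_write_X509(stdout, OSSL_STORE_INFO_get0_CERT(info));
             break;
         }

         /*
          * The get0 accessors above do not take ownership, so the wrapper
          * (and the object inside it) is released here on every iteration.
          */
         OSSL_STORE_INFO_free(info);
     }

     OSSL_STORE_close(ctx);
 }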

SEE ALSO

OSSL_STORE_INFO(3), OSSL_STORE_LOADER(3), OSSL_STORE_open(3), OSSL_STORE_expect(3), OSSL_STORE_SEARCH(3)

COPYRIGHT

Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!Uk(  RSA-PSS.htmlnu[ RSA-PSS

NAME

RSA-PSS - EVP_PKEY RSA-PSS algorithm support

DESCRIPTION

The RSA-PSS EVP_PKEY implementation is a restricted version of the RSA algorithm which only supports signing, verification and key generation using PSS padding modes with optional parameter restrictions.

It has associated private key and public key formats.

This algorithm shares several control operations with the RSA algorithm but with some restrictions described below.

Signing and Verification

Signing and verification is similar to the RSA algorithm except the padding mode is always PSS. If the key in use has parameter restrictions then the corresponding signature parameters are set to the restrictions: for example, if the key can only be used with digest SHA256, MGF1 SHA256 and minimum salt length 32 then the digest, MGF1 digest and salt length will be set to SHA256, SHA256 and 32 respectively.

Key Generation

By default no parameter restrictions are placed on the generated key.

NOTES

The public key format is documented in RFC4055.

The PKCS#8 private key format used for RSA-PSS keys is similar to the RSA format except it uses the id-RSASSA-PSS OID and the parameters field, if present, restricts the key parameters in the same way as the public key.

CONFORMING TO

RFC 4055

SEE ALSO

EVP_PKEY_CTX_set_rsa_pss_keygen_md(3), EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(3), EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(3), EVP_PKEY_CTX_new(3), EVP_PKEY_CTX_ctrl_str(3), EVP_PKEY_derive(3)

COPYRIGHT

Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!z̶88proxy-certificates.htmlnu[ proxy-certificates

NAME

proxy-certificates - Proxy certificates in OpenSSL

DESCRIPTION

Proxy certificates are defined in RFC 3820. They are used to extend rights to some other entity (a computer process, typically, or sometimes to the user itself). This allows the entity to perform operations on behalf of the owner of the EE (End Entity) certificate.

The requirements for a valid proxy certificate are:

  • They are issued by an End Entity, either a normal EE certificate, or another proxy certificate.

  • They must not have the subjectAltName or issuerAltName extensions.

  • They must have the proxyCertInfo extension.

  • They must have the subject of their issuer, with one commonName added.

Enabling proxy certificate verification

OpenSSL expects applications that want to use proxy certificates to be specially aware of them, and make that explicit. This is done by setting an X509 verification flag:

    X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);

or

    X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_ALLOW_PROXY_CERTS);

See "NOTES" for a discussion on this requirement.

Creating proxy certificates

Creating proxy certificates can be done using the openssl-x509(1) command, with some extra extensions:

    [ v3_proxy ]
    # A proxy certificate MUST NEVER be a CA certificate.
    basicConstraints=CA:FALSE

    # Usual authority key ID
    authorityKeyIdentifier=keyid,issuer:always

    # The extension which marks this certificate as a proxy.
    #   critical  - the extension is marked critical
    #   language  - the proxy policy language
    #   pathlen   - how many further proxy certificates may be chained
    #               below this one (RFC 3820 path length constraint)
    #   policy    - the policy value, given as syntag:string (here text:AB)
    proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB

It's also possible to specify the proxy extension in a separate section:

    # "@proxy_ext" tells the parser to read the field values from the
    # section of that name instead of from this line.
    proxyCertInfo=critical,@proxy_ext

    [ proxy_ext ]
    language=id-ppl-anyLanguage
    # pathlen=0: no further proxy certificate may be issued below this one
    pathlen=0
    policy=text:BC

The policy value has a specific syntax, syntag:string, where the syntag determines what will be done with the string. The following syntags are recognised:

text

indicates that the string is a byte sequence, without any encoding:

    policy=text:räksmörgås
hex

indicates that the string is hexadecimal-encoded binary data, with colons between each byte (every second hex digit):

    policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73
file

indicates that the text of the policy should be taken from a file. The string is then a filename. This is useful for policies that are large (more than a few lines, e.g. XML documents).

NOTE: The proxy policy value is what determines the rights granted to the process during the proxy certificate. It's up to the application to interpret and combine these policies.

With a proxy extension, creating a proxy certificate is a matter of two commands:

    # Step 1: generate a new key (proxy.key) and a certificate request
    # (proxy.req).  The subject is the issuer's subject with one CN added.
    openssl req -new -config proxy.cnf \
        -out proxy.req -keyout proxy.key \
        -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1"

    # Step 2: sign the request with the user's EE certificate and key,
    # limiting the proxy certificate to 7 days.
    # NOTE(review): -extensions must name a section that exists in
    # proxy.cnf; the sample section shown earlier is called v3_proxy.
    openssl x509 -req -CAcreateserial -in proxy.req -out proxy.crt \
        -CA user.crt -CAkey user.key -days 7 \
        -extfile proxy.cnf -extensions v3_proxy1

You can also create a proxy certificate using another proxy certificate as issuer (note: using a different configuration section for the proxy extensions):

    # Step 1: key and request for the second-level proxy.  Its subject is
    # the first proxy's subject with one more CN appended.
    openssl req -new -config proxy.cnf \
        -out proxy2.req -keyout proxy2.key \
        -subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2"

    # Step 2: the first proxy certificate and its key act as the issuer.
    # The extensions come from a different section (v3_proxy2), which must
    # exist in proxy.cnf.
    openssl x509 -req -CAcreateserial -in proxy2.req -out proxy2.crt \
        -CA proxy.crt -CAkey proxy.key -days 7 \
        -extfile proxy.cnf -extensions v3_proxy2

Using proxy certs in applications

To interpret proxy policies, the application would normally start with some default rights (perhaps none at all), then compute the resulting rights by checking the rights against the chain of proxy certificates, user certificate and CA certificates.

The complicated part is figuring out how to pass data between your application and the certificate validation procedure.

The following ingredients are needed for such processing:

  • a callback function that will be called for every certificate being validated. The callback is called several times for each certificate, so you must be careful to do the proxy policy interpretation at the right time. You also need to fill in the defaults when the EE certificate is checked.

  • a data structure that is shared between your application code and the callback.

  • a wrapper function that sets it all up.

  • an ex_data index function that creates an index into the generic ex_data store that is attached to an X509 validation context.

The following skeleton code can be used as a starting point:

    #include <string.h>
    #include <netdb.h>
    #include <openssl/x509.h>
    #include <openssl/x509v3.h>

    /* Number of distinct rights tracked by this example. */
    #define total_rights 25

    /*
     * In this example, I will use a view of granted rights as a bit
     * array, one bit for each possible right.
     */
    typedef struct your_rights {
        /*
         * (total_rights + 7) / 8 rounds up to whole bytes, so with 25
         * rights the array has 4 bytes and the last one is only partly
         * used.  Code that walks the array must cover that last byte too.
         */
        unsigned char rights[(total_rights + 7) / 8];
    } YOUR_RIGHTS;

    /*
     * Returns the ex_data index used to attach the rights structure to an
     * X509 validation context.  The index is allocated on the first call
     * and the same value is handed back on every later call.
     */
    static int get_proxy_auth_ex_data_idx(X509_STORE_CTX *ctx)
    {
        static volatile int ex_idx = -1;

        /* Already allocated: nothing to lock, nothing to create */
        if (ex_idx >= 0)
            return ex_idx;

        X509_STORE_lock(X509_STORE_CTX_get0_store(ctx));
        /* Test again while holding the store lock before allocating */
        if (ex_idx < 0)
            ex_idx = X509_STORE_CTX_get_ex_new_index(0, "for verify callback",
                                                     NULL, NULL, NULL);
        X509_STORE_unlock(X509_STORE_CTX_get0_store(ctx));

        return ex_idx;
    }

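    /*
     * Callback to be given to the X509 validation procedure.
     *
     * ok  - result of the library's own check for the current certificate
     * ctx - validation context; the YOUR_RIGHTS accumulator is read from
     *       its ex_data store
     *
     * Returns ok unchanged, except that it returns 0 (rejecting the chain)
     * when the rights accumulator is missing or the proxyCertInfo extension
     * of a proxy certificate cannot be decoded.  Failing closed matters
     * here: continuing without a policy would leave the accumulated rights
     * unrestricted.
     */
    static int verify_callback(int ok, X509_STORE_CTX *ctx)
    {
        if (ok == 1) {
            /*
             * It's REALLY important you keep the proxy policy check
             * within this section.  It's important to know that when
             * ok is 1, the certificates are checked from top to
             * bottom.  You get the CA root first, followed by the
             * possible chain of intermediate CAs, followed by the EE
             * certificate, followed by the possible proxy
             * certificates.
             */
            X509 *xs = X509_STORE_CTX_get_current_cert(ctx);

            if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
                YOUR_RIGHTS *rights =
                    (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
                        get_proxy_auth_ex_data_idx(ctx));
                PROXY_CERT_INFO_EXTENSION *pci =
                    X509_get_ext_d2i(xs, NID_proxyCertInfo, NULL, NULL);

                /* No accumulator attached: nothing to restrict, so reject */
                if (rights == NULL) {
                    PROXY_CERT_INFO_EXTENSION_free(pci);
                    X509_STORE_CTX_set_error(ctx,
                        X509_V_ERR_APPLICATION_VERIFICATION);
                    return 0;
                }

                /* The extension could not be decoded: reject, don't guess */
                if (pci == NULL) {
                    X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_EXTENSION);
                    return 0;
                }

                switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) {
                case NID_Independent:
                    /*
                     * Do whatever you need to grant explicit rights
                     * to this particular proxy certificate, usually
                     * by pulling them from some database.  If there
                     * are none to be found, clear all rights (making
                     * this and any subsequent proxy certificate void
                     * of any rights).
                     */
                    memset(rights->rights, 0, sizeof(rights->rights));
                    break;
                case NID_id_ppl_inheritAll:
                    /*
                     * This is basically a NOP, we simply let the
                     * current rights stand as they are.
                     */
                    break;
                default:
                    /*
                     * This is usually the most complex section of
                     * code.  You really do whatever you want as long
                     * as you follow RFC 3820.  In the example we use
                     * here, the simplest thing to do is to build
                     * another, temporary bit array and fill it with
                     * the rights granted by the current proxy
                     * certificate, then use it as a mask on the
                     * accumulated rights bit array, and voilà, you
                     * now have a new accumulated rights bit array.
                     */
                    {
                        size_t i;
                        YOUR_RIGHTS tmp_rights;
                        memset(tmp_rights.rights, 0,
                               sizeof(tmp_rights.rights));

                        /*
                         * process_rights() is supposed to be a
                         * procedure that takes a string and its
                         * length, interprets it and sets the bits
                         * in the YOUR_RIGHTS pointed at by the
                         * third argument.
                         *
                         * The policy field is optional in the
                         * extension; when it is absent the mask
                         * stays all-zero and no rights survive.
                         */
                        if (pci->proxyPolicy->policy != NULL)
                            process_rights(
                                (char *) pci->proxyPolicy->policy->data,
                                pci->proxyPolicy->policy->length,
                                &tmp_rights);

                        /*
                         * Mask every byte of the array.  Looping to
                         * total_rights / 8 would stop one byte short
                         * whenever total_rights is not a multiple of
                         * 8, leaving the rights in the last byte
                         * unrestricted by the proxy policy.
                         */
                        for (i = 0; i < sizeof(rights->rights); i++)
                            rights->rights[i] &= tmp_rights.rights[i];
                    }
                    break;
                }
                PROXY_CERT_INFO_EXTENSION_free(pci);
            } else if (!(X509_get_extension_flags(xs) & EXFLAG_CA)) {
                /* We have an EE certificate, let's use it to set default! */
                YOUR_RIGHTS *rights =
                    (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
                        get_proxy_auth_ex_data_idx(ctx));

                /* Same fail-closed rule as for proxy certificates */
                if (rights == NULL) {
                    X509_STORE_CTX_set_error(ctx,
                        X509_V_ERR_APPLICATION_VERIFICATION);
                    return 0;
                }

                /*
                 * The following procedure finds out what rights the
                 * owner of the current certificate has, and sets them
                 * in the YOUR_RIGHTS structure pointed at by the
                 * second argument.
                 */
                set_default_rights(xs, rights);
            }
        }
        return ok;
    }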

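    /*
     * Wrapper that runs X509_verify_cert() with proxy certificates allowed
     * and with verify_callback accumulating the rights granted along the
     * chain, then compares the result with needed_rights.
     *
     * ctx           - validation context to verify
     * needed_rights - rights the caller requires
     *
     * Returns 0 if the rights accumulator cannot be attached to ctx;
     * otherwise the result of X509_verify_cert(), replaced by the result
     * of check_needed_rights() when the chain verified (ok == 1).  The
     * caller's verify callback is restored before returning.
     */
    static int my_X509_verify_cert(X509_STORE_CTX *ctx,
                                   YOUR_RIGHTS *needed_rights)
    {
        int ok;
        int idx = get_proxy_auth_ex_data_idx(ctx);
        int (*save_verify_cb)(int ok,X509_STORE_CTX *ctx) =
            X509_STORE_CTX_get_verify_cb(ctx);
        YOUR_RIGHTS rights;

        /*
         * Start from "no rights at all" so that a chain in which the
         * defaults are never filled in cannot be judged on stack garbage.
         */
        memset(&rights, 0, sizeof(rights));

        /* Without the accumulator the callback cannot work: fail closed */
        if (idx < 0 || !X509_STORE_CTX_set_ex_data(ctx, idx, &rights))
            return 0;

        X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
        X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
        ok = X509_verify_cert(ctx);

        if (ok == 1) {
            ok = check_needed_rights(rights, needed_rights);
        }

        /*
         * rights lives in this stack frame; detach it so ctx does not keep
         * a pointer that dangles once we return.
         */
        X509_STORE_CTX_set_ex_data(ctx, idx, NULL);
        X509_STORE_CTX_set_verify_cb(ctx, save_verify_cb);

        return ok;
    }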

If you use SSL or TLS, you can easily set up a callback to have the certificates checked properly, using the code above:

    /*
     * Install the wrapper as the certificate verification routine for
     * s_ctx; &needed_rights is the application argument registered with it.
     * NOTE(review): the library declares the callback as
     * int (*)(X509_STORE_CTX *, void *) -- confirm that the wrapper's
     * second parameter type is accepted by your compiler, or take void *
     * and cast inside the wrapper.
     */
    SSL_CTX_set_cert_verify_callback(s_ctx, my_X509_verify_cert,
                                     &needed_rights);

NOTES

To this date, it seems that proxy certificates have only been used in environments that are aware of them, and no one seems to have investigated how they can be used or misused outside of such an environment.

For that reason, OpenSSL requires that applications aware of proxy certificates must also make that explicit.

subjectAltName and issuerAltName are forbidden in proxy certificates, and this is enforced in OpenSSL. The subject must be the same as the issuer, with one commonName added on.

SEE ALSO

X509_STORE_CTX_set_flags(3), X509_STORE_CTX_set_verify_cb(3), X509_VERIFY_PARAM_set_flags(3), SSL_CTX_set_cert_verify_callback(3), openssl-req(1), openssl-x509(1), RFC 3820

COPYRIGHT

Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK! '6#6#passphrase-encoding.htmlnu[ passphrase-encoding

NAME

passphrase-encoding - How diverse parts of OpenSSL treat pass phrases character encoding

DESCRIPTION

In a modern world with all sorts of character encodings, the treatment of pass phrases has become increasingly complex. This manual page attempts to give an overview over how this problem is currently addressed in different parts of the OpenSSL library.

The general case

The OpenSSL library doesn't treat pass phrases in any special way as a general rule, and trusts the application or user to choose a suitable character set and stick to that throughout the lifetime of affected objects. This means that for an object that was encrypted using a pass phrase encoded in ISO-8859-1, that object needs to be decrypted using a pass phrase encoded in ISO-8859-1. Using the wrong encoding is expected to cause a decryption failure.

PKCS#12

PKCS#12 is a bit different regarding pass phrase encoding. The standard stipulates that the pass phrase shall be encoded as an ASN.1 BMPString, which consists of the code points of the basic multilingual plane, encoded in big endian (UCS-2 BE).

OpenSSL tries to adapt to this requirement in one of the following manners:

  1. Treats the received pass phrase as UTF-8 encoded and tries to re-encode it to UTF-16 (which is the same as UCS-2 for characters U+0000 to U+D7FF and U+E000 to U+FFFF, but becomes an expansion for any other character), or failing that, proceeds with step 2.

  2. Assumes that the pass phrase is encoded in ASCII or ISO-8859-1 and opportunistically prepends each byte with a zero byte to obtain the UCS-2 encoding of the characters, which it stores as a BMPString.

    Note that since there is no check of your locale, this may produce UCS-2 / UTF-16 characters that do not correspond to the original pass phrase characters for other character sets, such as any ISO-8859-X encoding other than ISO-8859-1 (or for Windows, CP 1252 with exception for the extra "graphical" characters in the 0x80-0x9F range).

OpenSSL versions older than 1.1.0 do variant 2 only, and that is the reason why OpenSSL still does this, to be able to read files produced with older versions.

It should be noted that this approach isn't entirely fault free.

A pass phrase encoded in ISO-8859-2 could very well have a sequence such as 0xC3 0xAF (which is the two characters "LATIN CAPITAL LETTER A WITH BREVE" and "LATIN CAPITAL LETTER Z WITH DOT ABOVE" in ISO-8859-2 encoding), but would be misinterpreted as the perfectly valid UTF-8 encoded code point U+00EF (LATIN SMALL LETTER I WITH DIAERESIS) if the pass phrase doesn't contain anything that would be invalid UTF-8. A pass phrase that contains this kind of byte sequence will give a different outcome in OpenSSL 1.1.0 and newer than in OpenSSL older than 1.1.0.

 0x00 0xC3 0x00 0xAF                    # OpenSSL older than 1.1.0
 0x00 0xEF                              # OpenSSL 1.1.0 and newer

By the same token, anything encoded in UTF-8 that was given to OpenSSL older than 1.1.0 was misinterpreted as ISO-8859-1 sequences.

OSSL_STORE

ossl_store(7) acts as a general interface to access all kinds of objects, potentially protected with a pass phrase, a PIN or something else. This API stipulates that pass phrases should be UTF-8 encoded, and that any other pass phrase encoding may give undefined results. This API relies on the application to ensure UTF-8 encoding, and doesn't check that this is the case, so what it gets, it will also pass to the underlying loader.

RECOMMENDATIONS

This section assumes that you know what pass phrase was used for encryption, but that it may have been encoded in a different character encoding than the one used by your current input method. For example, the pass phrase may have been used at a time when your default encoding was ISO-8859-1 (i.e. "naïve" resulting in the byte sequence 0x6E 0x61 0xEF 0x76 0x65), and you're now in an environment where your default encoding is UTF-8 (i.e. "naïve" resulting in the byte sequence 0x6E 0x61 0xC3 0xAF 0x76 0x65). Whenever it's mentioned that you should use a certain character encoding, it should be understood that you either change the input method to use the mentioned encoding when you type in your pass phrase, or use some suitable tool to convert your pass phrase from your default encoding to the target encoding.

Also note that the sub-sections below discuss human readable pass phrases. This is particularly relevant for PKCS#12 objects, where human readable pass phrases are assumed. For other objects, it's as legitimate to use any byte sequence (such as a sequence of bytes from `/dev/urandom` that's been saved away), which makes any character encoding discussion irrelevant; in such cases, simply use the same byte sequence as it is.

Creating new objects

For creating new pass phrase protected objects, make sure the pass phrase is encoded using UTF-8. This is default on most modern Unixes, but may involve an effort on other platforms. Specifically for Windows, setting the environment variable OPENSSL_WIN32_UTF8 will have anything entered on [Windows] console prompt converted to UTF-8 (command line and separately prompted pass phrases alike).

Opening existing objects

For opening pass phrase protected objects where you know what character encoding was used for the encryption pass phrase, make sure to use the same encoding again.

For opening pass phrase protected objects where the character encoding that was used is unknown, or where the producing application is unknown, try one of the following:

  1. Try the pass phrase that you have as it is in the character encoding of your environment. It's possible that its byte sequence is exactly right.

  2. Convert the pass phrase to UTF-8 and try with the result. Specifically with PKCS#12, this should open up any object that was created according to the specification.

  3. Do a naïve (i.e. purely mathematical) ISO-8859-1 to UTF-8 conversion and try with the result. This differs from the previous attempt because ISO-8859-1 maps directly to U+0000 to U+00FF, which other non-UTF-8 character sets do not.

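    This also takes care of the case when a UTF-8 encoded string was used with OpenSSL older than 1.1.0. (for example, ï, which is 0xC3 0xAF when encoded in UTF-8, would become 0xC3 0x83 0xC2 0xAF when re-encoded in the naïve manner. The conversion to BMPString would then yield 0x00 0xC3 0x00 0xA4 0x00 0x00, the erroneous/non-compliant encoding used by OpenSSL older than 1.1.0) Note that the byte listing earlier on this page gives 0x00 0xC3 0x00 0xAF for this pre-1.1.0 encoding, which is what prefixing the bytes 0xC3 and 0xAF with zero bytes produces; the 0xA4 in this example appears to be a slip for 0xAF.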

SEE ALSO

evp(7), ossl_store(7), EVP_BytesToKey(3), EVP_DecryptInit(3), PEM_do_header(3), PKCS12_parse(3), PKCS12_newpass(3), d2i_PKCS8PrivateKey_bio(3)

COPYRIGHT

Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!J䖵 ct.htmlnu[ ct

NAME

ct - Certificate Transparency

SYNOPSIS

 #include <openssl/ct.h>

DESCRIPTION

This library implements Certificate Transparency (CT) verification for TLS clients, as defined in RFC 6962. This verification can provide some confidence that a certificate has been publicly logged in a set of CT logs.

By default, these checks are disabled. They can be enabled using SSL_CTX_enable_ct(3) or SSL_enable_ct(3).

This library can also be used to parse and examine CT data structures, such as Signed Certificate Timestamps (SCTs), or to read a list of CT logs. There are functions for:

  - decoding and encoding SCTs in DER and TLS wire format.
  - printing SCTs.
  - verifying the authenticity of SCTs.
  - loading a CT log list from a CONF file.

SEE ALSO

d2i_SCT_LIST(3), CTLOG_STORE_new(3), CTLOG_STORE_get0_log_by_id(3), SCT_new(3), SCT_print(3), SCT_validate(3), SCT_validate(3), CT_POLICY_EVAL_CTX_new(3), SSL_CTX_set_ct_validation_callback(3)

HISTORY

The ct library was added in OpenSSL 1.1.0.

COPYRIGHT

Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.

PK!  Ed25519.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . 
ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "ED25519 7" .TH ED25519 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. 
.if n .ad l .nh .SH "NAME" Ed25519, Ed448 \&\- EVP_PKEY Ed25519 and Ed448 support .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBEd25519\fR and \fBEd448\fR \s-1EVP_PKEY\s0 implementation supports key generation, one-shot digest sign and digest verify using PureEdDSA and \fBEd25519\fR or \fBEd448\fR (see \s-1RFC8032\s0). It has associated private and public key formats compatible with \&\s-1RFC 8410.\s0 .PP No additional parameters can be set during key generation, one-shot signing or verification. In particular, because PureEdDSA is used, a digest must \fB\s-1NOT\s0\fR be specified when signing or verifying. .SH "NOTES" .IX Header "NOTES" The PureEdDSA algorithm does not support the streaming mechanism of other signature algorithms using, for example, \fBEVP_DigestUpdate()\fR. The message to sign or verify must be passed using the one-shot \&\fBEVP_DigestSign()\fR and \fBEVP_DigestVerify()\fR functions. .PP When calling \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR, the digest \fBtype\fR parameter \fB\s-1MUST\s0\fR be set to \fB\s-1NULL\s0\fR. .PP Applications wishing to sign certificates (or other structures such as CRLs or certificate requests) using Ed25519 or Ed448 can either use \fBX509_sign()\fR or \fBX509_sign_ctx()\fR in the usual way. .PP A context for the \fBEd25519\fR algorithm can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL); .Ve .PP For the \fBEd448\fR algorithm a context can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED448, NULL); .Ve .PP Ed25519 or Ed448 private keys can be set directly using \&\fBEVP_PKEY_new_raw_private_key\fR\|(3) or loaded from a PKCS#8 private key file using \fBPEM_read_bio_PrivateKey\fR\|(3) (or similar function). Completely new keys can also be generated (see the example below). Setting a private key also sets the associated public key. 
.PP Ed25519 or Ed448 public keys can be set directly using \&\fBEVP_PKEY_new_raw_public_key\fR\|(3) or loaded from a SubjectPublicKeyInfo structure in a \s-1PEM\s0 file using \fBPEM_read_bio_PUBKEY\fR\|(3) (or similar function). .PP Ed25519 and Ed448 can be tested within \fBspeed\fR\|(1) application since version 1.1.1. Valid algorithm names are \fBed25519\fR, \fBed448\fR and \fBeddsa\fR. If \fBeddsa\fR is specified, then both Ed25519 and Ed448 are benchmarked. .SH "EXAMPLES" .IX Header "EXAMPLES" This example generates an \fB\s-1ED25519\s0\fR private key and writes it to standard output in \s-1PEM\s0 format: .PP .Vb 9 \& #include \& #include \& ... \& EVP_PKEY *pkey = NULL; \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_ED25519, NULL); \& EVP_PKEY_keygen_init(pctx); \& EVP_PKEY_keygen(pctx, &pkey); \& EVP_PKEY_CTX_free(pctx); \& PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL); .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_CTX_new\fR\|(3), \&\fBEVP_PKEY_keygen\fR\|(3), \&\fBEVP_DigestSignInit\fR\|(3), \&\fBEVP_DigestVerifyInit\fR\|(3), .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!GCC X25519.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. 
\*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "X25519 7" .TH X25519 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" X25519, X448 \&\- EVP_PKEY X25519 and X448 support .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBX25519\fR and \fBX448\fR \s-1EVP_PKEY\s0 implementation supports key generation and key derivation using \fBX25519\fR and \fBX448\fR. It has associated private and public key formats compatible with \s-1RFC 8410.\s0 .PP No additional parameters can be set during key generation. .PP The peer public key must be set using \fBEVP_PKEY_derive_set_peer()\fR when performing key derivation. 
.SH "NOTES" .IX Header "NOTES" A context for the \fBX25519\fR algorithm can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL); .Ve .PP For the \fBX448\fR algorithm a context can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL); .Ve .PP X25519 or X448 private keys can be set directly using \&\fBEVP_PKEY_new_raw_private_key\fR\|(3) or loaded from a PKCS#8 private key file using \fBPEM_read_bio_PrivateKey\fR\|(3) (or similar function). Completely new keys can also be generated (see the example below). Setting a private key also sets the associated public key. .PP X25519 or X448 public keys can be set directly using \&\fBEVP_PKEY_new_raw_public_key\fR\|(3) or loaded from a SubjectPublicKeyInfo structure in a \s-1PEM\s0 file using \fBPEM_read_bio_PUBKEY\fR\|(3) (or similar function). .SH "EXAMPLES" .IX Header "EXAMPLES" This example generates an \fBX25519\fR private key and writes it to standard output in \s-1PEM\s0 format: .PP .Vb 9 \& #include \& #include \& ... \& EVP_PKEY *pkey = NULL; \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL); \& EVP_PKEY_keygen_init(pctx); \& EVP_PKEY_keygen(pctx, &pkey); \& EVP_PKEY_CTX_free(pctx); \& PEM_write_PrivateKey(stdout, pkey, NULL, NULL, 0, NULL, NULL); .Ve .PP The key derivation example in \fBEVP_PKEY_derive\fR\|(3) can be used with \&\fBX25519\fR and \fBX448\fR. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_CTX_new\fR\|(3), \&\fBEVP_PKEY_keygen\fR\|(3), \&\fBEVP_PKEY_derive\fR\|(3), \&\fBEVP_PKEY_derive_set_peer\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . 
PK!7 yCyCproxy-certificates.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . 
ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "PROXY-CERTIFICATES 7" .TH PROXY-CERTIFICATES 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. 
.if n .ad l .nh .SH "NAME" proxy\-certificates \- Proxy certificates in OpenSSL .SH "DESCRIPTION" .IX Header "DESCRIPTION" Proxy certificates are defined in \s-1RFC 3820.\s0 They are used to extend rights to some other entity (a computer process, typically, or sometimes to the user itself). This allows the entity to perform operations on behalf of the owner of the \s-1EE\s0 (End Entity) certificate. .PP The requirements for a valid proxy certificate are: .IP "\(bu" 4 They are issued by an End Entity, either a normal \s-1EE\s0 certificate, or another proxy certificate. .IP "\(bu" 4 They must not have the \fBsubjectAltName\fR or \fBissuerAltName\fR extensions. .IP "\(bu" 4 They must have the \fBproxyCertInfo\fR extension. .IP "\(bu" 4 They must have the subject of their issuer, with one \fBcommonName\fR added. .SS "Enabling proxy certificate verification" .IX Subsection "Enabling proxy certificate verification" OpenSSL expects applications that want to use proxy certificates to be specially aware of them, and make that explicit. This is done by setting an X509 verification flag: .PP .Vb 1 \& X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); .Ve .PP or .PP .Vb 1 \& X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_ALLOW_PROXY_CERTS); .Ve .PP See \*(L"\s-1NOTES\*(R"\s0 for a discussion on this requirement. .SS "Creating proxy certificates" .IX Subsection "Creating proxy certificates" Creating proxy certificates can be done using the \fBopenssl\-x509\fR\|(1) command, with some extra extensions: .PP .Vb 3 \& [ v3_proxy ] \& # A proxy certificate MUST NEVER be a CA certificate. 
\& basicConstraints=CA:FALSE \& \& # Usual authority key ID \& authorityKeyIdentifier=keyid,issuer:always \& \& # The extension which marks this certificate as a proxy \& proxyCertInfo=critical,language:id\-ppl\-anyLanguage,pathlen:1,policy:text:AB .Ve .PP It's also possible to specify the proxy extension in a separate section: .PP .Vb 1 \& proxyCertInfo=critical,@proxy_ext \& \& [ proxy_ext ] \& language=id\-ppl\-anyLanguage \& pathlen=0 \& policy=text:BC .Ve .PP The policy value has a specific syntax, \fIsyntag\fR:\fIstring\fR, where the \&\fIsyntag\fR determines what will be done with the string. The following \&\fIsyntag\fRs are recognised: .IP "\fBtext\fR" 4 .IX Item "text" indicates that the string is a byte sequence, without any encoding: .Sp .Vb 1 \& policy=text:ra\*:ksmo\*:rga\*os .Ve .IP "\fBhex\fR" 4 .IX Item "hex" indicates the string is encoded hexadecimal encoded binary data, with colons between each byte (every second hex digit): .Sp .Vb 1 \& policy=hex:72:E4:6B:73:6D:F6:72:67:E5:73 .Ve .IP "\fBfile\fR" 4 .IX Item "file" indicates that the text of the policy should be taken from a file. The string is then a filename. This is useful for policies that are large (more than a few lines, e.g. \s-1XML\s0 documents). .PP \&\fI\s-1NOTE:\s0 The proxy policy value is what determines the rights granted to the process during the proxy certificate. 
It's up to the application to interpret and combine these policies.\fR .PP With a proxy extension, creating a proxy certificate is a matter of two commands: .PP .Vb 3 \& openssl req \-new \-config proxy.cnf \e \& \-out proxy.req \-keyout proxy.key \e \& \-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1" \& \& openssl x509 \-req \-CAcreateserial \-in proxy.req \-out proxy.crt \e \& \-CA user.crt \-CAkey user.key \-days 7 \e \& \-extfile proxy.cnf \-extensions v3_proxy1 .Ve .PP You can also create a proxy certificate using another proxy certificate as issuer (note: using a different configuration section for the proxy extensions): .PP .Vb 3 \& openssl req \-new \-config proxy.cnf \e \& \-out proxy2.req \-keyout proxy2.key \e \& \-subj "/DC=org/DC=openssl/DC=users/CN=proxy 1/CN=proxy 2" \& \& openssl x509 \-req \-CAcreateserial \-in proxy2.req \-out proxy2.crt \e \& \-CA proxy.crt \-CAkey proxy.key \-days 7 \e \& \-extfile proxy.cnf \-extensions v3_proxy2 .Ve .SS "Using proxy certs in applications" .IX Subsection "Using proxy certs in applications" To interpret proxy policies, the application would normally start with some default rights (perhaps none at all), then compute the resulting rights by checking the rights against the chain of proxy certificates, user certificate and \s-1CA\s0 certificates. .PP The complicated part is figuring out how to pass data between your application and the certificate validation procedure. .PP The following ingredients are needed for such processing: .IP "\(bu" 4 a callback function that will be called for every certificate being validated. The callback is called several times for each certificate, so you must be careful to do the proxy policy interpretation at the right time. You also need to fill in the defaults when the \s-1EE\s0 certificate is checked. .IP "\(bu" 4 a data structure that is shared between your application code and the callback. .IP "\(bu" 4 a wrapper function that sets it all up. 
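.IP "\(bu" 4
an ex_data index function that creates an index into the generic ex_data
store that is attached to an X509 validation context.
.PP
The following skeleton code can be used as a starting point:
.PP
.Vb 4
\& #include <string.h>
\& #include <netdb.h>
\& #include <openssl/x509.h>
\& #include <openssl/x509v3.h>
\&
\& #define total_rights 25
\&
\& /*
\&  * In this example, I will use a view of granted rights as a bit
\&  * array, one bit for each possible right.
\&  */
\& typedef struct your_rights {
\&     unsigned char rights[(total_rights + 7) / 8];
\& } YOUR_RIGHTS;
\&
\& /*
\&  * The following procedure will create an index for the ex_data
\&  * store in the X509 validation context the first time it\*(Aqs
\&  * called.  Subsequent calls will return the same index.
\&  */
\& static int get_proxy_auth_ex_data_idx(X509_STORE_CTX *ctx)
\& {
\&     static volatile int idx = \-1;
\&
\&     if (idx < 0) {
\&         X509_STORE_lock(X509_STORE_CTX_get0_store(ctx));
\&         if (idx < 0) {
\&             idx = X509_STORE_CTX_get_ex_new_index(0,
\&                                                   "for verify callback",
\&                                                   NULL,NULL,NULL);
\&         }
\&         X509_STORE_unlock(X509_STORE_CTX_get0_store(ctx));
\&     }
\&     return idx;
\& }
\&
\& /* Callback to be given to the X509 validation procedure.  */
\& static int verify_callback(int ok, X509_STORE_CTX *ctx)
\& {
\&     if (ok == 1) {
\&         /*
\&          * It\*(Aqs REALLY important you keep the proxy policy check
\&          * within this section.  It\*(Aqs important to know that when
\&          * ok is 1, the certificates are checked from top to
\&          * bottom.  You get the CA root first, followed by the
\&          * possible chain of intermediate CAs, followed by the EE
\&          * certificate, followed by the possible proxy
\&          * certificates.
\&          */
\&         X509 *xs = X509_STORE_CTX_get_current_cert(ctx);
\&
\&         if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
\&             YOUR_RIGHTS *rights =
\&                 (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
\&                     get_proxy_auth_ex_data_idx(ctx));
\&             PROXY_CERT_INFO_EXTENSION *pci =
\&                 X509_get_ext_d2i(xs, NID_proxyCertInfo, NULL, NULL);
\&
\&             /*
\&              * Fail closed: without the decoded extension or the
\&              * shared rights structure no proxy policy can be
\&              * applied, so the chain must not be accepted.
\&              */
\&             if (pci == NULL || rights == NULL) {
\&                 PROXY_CERT_INFO_EXTENSION_free(pci);
\&                 return 0;
\&             }
\&
\&             switch (OBJ_obj2nid(pci\->proxyPolicy\->policyLanguage)) {
\&             case NID_Independent:
\&                 /*
\&                  * Do whatever you need to grant explicit rights
\&                  * to this particular proxy certificate, usually
\&                  * by pulling them from some database.  If there
\&                  * are none to be found, clear all rights (making
\&                  * this and any subsequent proxy certificate void
\&                  * of any rights).
\&                  */
\&                 memset(rights\->rights, 0, sizeof(rights\->rights));
\&                 break;
\&             case NID_id_ppl_inheritAll:
\&                 /*
\&                  * This is basically a NOP, we simply let the
\&                  * current rights stand as they are.
\&                  */
\&                 break;
\&             default:
\&                 /*
\&                  * This is usually the most complex section of
\&                  * code.  You really do whatever you want as long
\&                  * as you follow RFC 3820.  In the example we use
\&                  * here, the simplest thing to do is to build
\&                  * another, temporary bit array and fill it with
\&                  * the rights granted by the current proxy
\&                  * certificate, then use it as a mask on the
\&                  * accumulated rights bit array, and voila\*`, you
\&                  * now have a new accumulated rights bit array.
\&                  */
\&                 {
\&                     size_t i;
\&                     YOUR_RIGHTS tmp_rights;
\&                     memset(tmp_rights.rights, 0,
\&                            sizeof(tmp_rights.rights));
\&
\&                     /*
\&                      * process_rights() is supposed to be a
\&                      * procedure that takes a string and its
\&                      * length, interprets it and sets the bits
\&                      * in the YOUR_RIGHTS pointed at by the
\&                      * third argument.
\&                      */
\&                     process_rights((char *) pci\->proxyPolicy\->policy\->data,
\&                                    pci\->proxyPolicy\->policy\->length,
\&                                    &tmp_rights);
\&
\&                     /*
\&                      * Mask every byte of the array, including the
\&                      * last, partly used one.  Looping to
\&                      * total_rights / 8 rounds down and would leave
\&                      * the rights stored in that byte unrestricted
\&                      * by the proxy policy.
\&                      */
\&                     for (i = 0; i < sizeof(rights\->rights); i++)
\&                         rights\->rights[i] &= tmp_rights.rights[i];
\&                 }
\&                 break;
\&             }
\&             PROXY_CERT_INFO_EXTENSION_free(pci);
\&         } else if (!(X509_get_extension_flags(xs) & EXFLAG_CA)) {
\&             /* We have an EE certificate, let\*(Aqs use it to set default! */
\&             YOUR_RIGHTS *rights =
\&                 (YOUR_RIGHTS *)X509_STORE_CTX_get_ex_data(ctx,
\&                     get_proxy_auth_ex_data_idx(ctx));
\&
\&             /*
\&              * The following procedure finds out what rights the
\&              * owner of the current certificate has, and sets them
\&              * in the YOUR_RIGHTS structure pointed at by the
\&              * second argument.
\&              */
\&             set_default_rights(xs, rights);
\&         }
\&     }
\&     return ok;
\& }
\&
\& static int my_X509_verify_cert(X509_STORE_CTX *ctx,
\&                                YOUR_RIGHTS *needed_rights)
\& {
\&     int ok;
\&     int (*save_verify_cb)(int ok,X509_STORE_CTX *ctx) =
\&         X509_STORE_CTX_get_verify_cb(ctx);
\&     YOUR_RIGHTS rights;
\&
\&     /*
\&      * Start from no rights at all, so that nothing is granted by
\&      * leftover stack contents if the callback never sets defaults.
\&      */
\&     memset(&rights, 0, sizeof(rights));
\&
\&     X509_STORE_CTX_set_verify_cb(ctx, verify_callback);
\&     X509_STORE_CTX_set_ex_data(ctx, get_proxy_auth_ex_data_idx(ctx),
\&                                &rights);
\&     X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
\&     ok = X509_verify_cert(ctx);
\&
\&     if (ok == 1) {
\&         ok = check_needed_rights(rights, needed_rights);
\&     }
\&
\&     X509_STORE_CTX_set_verify_cb(ctx, save_verify_cb);
\&
\&     return ok;
\& }
.Ve
.PP
If you use \s-1SSL\s0 or \s-1TLS,\s0 you can easily set up a callback to have the
certificates checked properly, using the code above:
.PP
.Vb 2
\& SSL_CTX_set_cert_verify_callback(s_ctx, my_X509_verify_cert,
\&                                  &needed_rights);
.Ve
.SH "NOTES"
.IX Header "NOTES"
To this date, it seems that proxy certificates have only been used in
environments that are aware of them, and no one seems to have
investigated how they can be used or misused outside of such an
environment.
.PP
For that reason, OpenSSL requires that applications aware of proxy
certificates must also make that explicit.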
.PP \&\fBsubjectAltName\fR and \fBissuerAltName\fR are forbidden in proxy certificates, and this is enforced in OpenSSL. The subject must be the same as the issuer, with one commonName added on. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBX509_STORE_CTX_set_flags\fR\|(3), \&\fBX509_STORE_CTX_set_verify_cb\fR\|(3), \&\fBX509_VERIFY_PARAM_set_flags\fR\|(3), \&\fBSSL_CTX_set_cert_verify_callback\fR\|(3), \&\fBopenssl\-req\fR\|(1), \fBopenssl\-x509\fR\|(1), \&\s-1RFC 3820\s0 .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!ԬA{{ crypto.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . 
ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "CRYPTO 7" .TH CRYPTO 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" crypto \- OpenSSL cryptographic library .SH "SYNOPSIS" .IX Header "SYNOPSIS" See the individual manual pages for details. .SH "DESCRIPTION" .IX Header "DESCRIPTION" The OpenSSL \fBcrypto\fR library implements a wide range of cryptographic algorithms used in various Internet standards. The services provided by this library are used by the OpenSSL implementations of \s-1SSL, TLS\s0 and S/MIME, and they have also been used to implement \s-1SSH,\s0 OpenPGP, and other cryptographic standards. .PP \&\fBlibcrypto\fR consists of a number of sub-libraries that implement the individual algorithms. .PP The functionality includes symmetric encryption, public key cryptography and key agreement, certificate handling, cryptographic hash functions, cryptographic pseudo-random number generator, and various utilities. .SH "NOTES" .IX Header "NOTES" Some of the newer functions follow a naming convention using the numbers \&\fB0\fR and \fB1\fR. For example the functions: .PP .Vb 2 \& int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev); \& int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj); .Ve .PP The \fB0\fR version uses the supplied structure pointer directly in the parent and it will be freed up when the parent is freed. In the above example \fBcrl\fR would be freed but \fBrev\fR would not. 
.PP The \fB1\fR function uses a copy of the supplied structure pointer (or in some cases increases its link count) in the parent and so both (\fBx\fR and \fBobj\fR above) should be freed up. .SH "RETURN VALUES" .IX Header "RETURN VALUES" See the individual manual pages for details. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBopenssl\fR\|(1), \fBssl\fR\|(7) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2000\-2016 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!hI.~~ssl.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. 
.ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "SSL 7" .TH SSL 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" ssl \- OpenSSL SSL/TLS library .SH "SYNOPSIS" .IX Header "SYNOPSIS" See the individual manual pages for details. .SH "DESCRIPTION" .IX Header "DESCRIPTION" The OpenSSL \fBssl\fR library implements the Secure Sockets Layer (\s-1SSL\s0 v2/v3) and Transport Layer Security (\s-1TLS\s0 v1) protocols. It provides a rich \s-1API\s0 which is documented here. .PP An \fB\s-1SSL_CTX\s0\fR object is created as a framework to establish \&\s-1TLS/SSL\s0 enabled connections (see \fBSSL_CTX_new\fR\|(3)). Various options regarding certificates, algorithms etc. can be set in this object. .PP When a network connection has been created, it can be assigned to an \&\fB\s-1SSL\s0\fR object. After the \fB\s-1SSL\s0\fR object has been created using \&\fBSSL_new\fR\|(3), \fBSSL_set_fd\fR\|(3) or \&\fBSSL_set_bio\fR\|(3) can be used to associate the network connection with the object. .PP When the \s-1TLS/SSL\s0 handshake is performed using \&\fBSSL_accept\fR\|(3) or \fBSSL_connect\fR\|(3) respectively. \&\fBSSL_read_ex\fR\|(3), \fBSSL_read\fR\|(3), \fBSSL_write_ex\fR\|(3) and \fBSSL_write\fR\|(3) are used to read and write data on the \s-1TLS/SSL\s0 connection. \&\fBSSL_shutdown\fR\|(3) can be used to shut down the \&\s-1TLS/SSL\s0 connection. 
.SH "DATA STRUCTURES" .IX Header "DATA STRUCTURES" Currently the OpenSSL \fBssl\fR library functions deal with the following data structures: .IP "\fB\s-1SSL_METHOD\s0\fR (\s-1SSL\s0 Method)" 4 .IX Item "SSL_METHOD (SSL Method)" This is a dispatch structure describing the internal \fBssl\fR library methods/functions which implement the various protocol versions (SSLv3, TLSv1, ...). It's needed to create an \fB\s-1SSL_CTX\s0\fR. .IP "\fB\s-1SSL_CIPHER\s0\fR (\s-1SSL\s0 Cipher)" 4 .IX Item "SSL_CIPHER (SSL Cipher)" This structure holds the algorithm information for a particular cipher; ciphers are a core part of the \s-1SSL/TLS\s0 protocol. The available ciphers are configured on a \fB\s-1SSL_CTX\s0\fR basis and the actual ones used are then part of the \&\fB\s-1SSL_SESSION\s0\fR. .IP "\fB\s-1SSL_CTX\s0\fR (\s-1SSL\s0 Context)" 4 .IX Item "SSL_CTX (SSL Context)" This is the global context structure which is created by a server or client once per program life-time and which holds mainly default values for the \&\fB\s-1SSL\s0\fR structures which are later created for the connections. .IP "\fB\s-1SSL_SESSION\s0\fR (\s-1SSL\s0 Session)" 4 .IX Item "SSL_SESSION (SSL Session)" This is a structure containing the current \s-1TLS/SSL\s0 session details for a connection: \fB\s-1SSL_CIPHER\s0\fRs, client and server certificates, keys, etc. .IP "\fB\s-1SSL\s0\fR (\s-1SSL\s0 Connection)" 4 .IX Item "SSL (SSL Connection)" This is the main \s-1SSL/TLS\s0 structure which is created by a server or client per established connection. This actually is the core structure in the \s-1SSL API.\s0 At run-time the application usually deals with this structure, which has links to almost all other structures. 
.SH "HEADER FILES" .IX Header "HEADER FILES" Currently the OpenSSL \fBssl\fR library provides the following C header files containing the prototypes for the data structures and functions: .IP "\fBssl.h\fR" 4 .IX Item "ssl.h" This is the common header file for the \s-1SSL/TLS API.\s0 Include it into your program to make the \s-1API\s0 of the \fBssl\fR library available. It internally includes both more private \s-1SSL\s0 headers and headers from the \fBcrypto\fR library. Whenever you need hard-core details on the internals of the \s-1SSL API,\s0 look inside this header file. .IP "\fBssl2.h\fR" 4 .IX Item "ssl2.h" Unused. Present for backwards compatibility only. .IP "\fBssl3.h\fR" 4 .IX Item "ssl3.h" This is the sub header file dealing with the SSLv3 protocol only. \&\fIUsually you don't have to include it explicitly because it's already included by ssl.h\fR. .IP "\fBtls1.h\fR" 4 .IX Item "tls1.h" This is the sub header file dealing with the TLSv1 protocol only. \&\fIUsually you don't have to include it explicitly because it's already included by ssl.h\fR. .SH "API FUNCTIONS" .IX Header "API FUNCTIONS" Currently the OpenSSL \fBssl\fR library exports 214 \s-1API\s0 functions. They are documented in the following: .SS "Dealing with Protocol Methods" .IX Subsection "Dealing with Protocol Methods" Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 protocol methods defined in \fB\s-1SSL_METHOD\s0\fR structures. .IP "const \s-1SSL_METHOD\s0 *\fBTLS_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLS_method(void);" Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for clients, servers or both. See \fBSSL_CTX_new\fR\|(3) for details. .IP "const \s-1SSL_METHOD\s0 *\fBTLS_client_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLS_client_method(void);" Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for clients. Must be used to support the TLSv1.3 protocol. 
.IP "const \s-1SSL_METHOD\s0 *\fBTLS_server_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLS_server_method(void);" Constructor for the \fIversion-flexible\fR \s-1SSL_METHOD\s0 structure for servers. A version-flexible method must be used to support the TLSv1.3 protocol. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_2_method(void);" Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for clients, servers or both. A context created with a fixed-version method such as this one negotiates only that protocol version; use the \fIversion-flexible\fR methods above unless a single version is really required. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_client_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_2_client_method(void);" Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for clients. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_2_server_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_2_server_method(void);" Constructor for the TLSv1.2 \s-1SSL_METHOD\s0 structure for servers. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_1_method(void);" Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for clients, servers or both. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_client_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_1_client_method(void);" Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for clients. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_1_server_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_1_server_method(void);" Constructor for the TLSv1.1 \s-1SSL_METHOD\s0 structure for servers. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_method(void);" Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for clients, servers or both. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_client_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_client_method(void);" Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for clients. .IP "const \s-1SSL_METHOD\s0 *\fBTLSv1_server_method\fR(void);" 4 .IX Item "const SSL_METHOD *TLSv1_server_method(void);" Constructor for the TLSv1 \s-1SSL_METHOD\s0 structure for servers. 
.IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_method\fR(void);" 4 .IX Item "const SSL_METHOD *SSLv3_method(void);" Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for clients, servers or both. SSLv3 is an obsolete protocol with known weaknesses; new code should use the \fIversion-flexible\fR \fBTLS_method\fR() family instead of the SSLv3 constructors. .IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_client_method\fR(void);" 4 .IX Item "const SSL_METHOD *SSLv3_client_method(void);" Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for clients. .IP "const \s-1SSL_METHOD\s0 *\fBSSLv3_server_method\fR(void);" 4 .IX Item "const SSL_METHOD *SSLv3_server_method(void);" Constructor for the SSLv3 \s-1SSL_METHOD\s0 structure for servers. .SS "Dealing with Ciphers" .IX Subsection "Dealing with Ciphers" Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 ciphers defined in \fB\s-1SSL_CIPHER\s0\fR structures. .IP "char *\fBSSL_CIPHER_description\fR(\s-1SSL_CIPHER\s0 *cipher, char *buf, int len);" 4 .IX Item "char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len);" Write a string to \fIbuf\fR (with a maximum size of \fIlen\fR) containing a human readable description of \fIcipher\fR. Returns \fIbuf\fR. .IP "int \fBSSL_CIPHER_get_bits\fR(\s-1SSL_CIPHER\s0 *cipher, int *alg_bits);" 4 .IX Item "int SSL_CIPHER_get_bits(SSL_CIPHER *cipher, int *alg_bits);" Determine the number of bits in \fIcipher\fR. Because of export-crippled ciphers there are two bit counts: the number of bits the algorithm supports in general (stored to \&\fIalg_bits\fR) and the number of bits which are actually used (the return value). .IP "const char *\fBSSL_CIPHER_get_name\fR(\s-1SSL_CIPHER\s0 *cipher);" 4 .IX Item "const char *SSL_CIPHER_get_name(SSL_CIPHER *cipher);" Return the internal name of \fIcipher\fR as a string. These are the various strings defined by the \fISSL3_TXT_xxx\fR and \fITLS1_TXT_xxx\fR definitions in the header files. 
.IP "const char *\fBSSL_CIPHER_get_version\fR(\s-1SSL_CIPHER\s0 *cipher);" 4 .IX Item "const char *SSL_CIPHER_get_version(SSL_CIPHER *cipher);" Returns a string like "\f(CW\*(C`SSLv3\*(C'\fR\*(L" or \*(R"\f(CW\*(C`TLSv1.2\*(C'\fR" which indicates the \&\s-1SSL/TLS\s0 protocol version to which \fIcipher\fR belongs (i.e. where it was defined in the specification the first time). .SS "Dealing with Protocol Contexts" .IX Subsection "Dealing with Protocol Contexts" Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 protocol context defined in the \fB\s-1SSL_CTX\s0\fR structure. .IP "int \fBSSL_CTX_add_client_CA\fR(\s-1SSL_CTX\s0 *ctx, X509 *x);" 4 .IX Item "int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);" .PD 0 .IP "long \fBSSL_CTX_add_extra_chain_cert\fR(\s-1SSL_CTX\s0 *ctx, X509 *x509);" 4 .IX Item "long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);" .IP "int \fBSSL_CTX_add_session\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *c);" 4 .IX Item "int SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c);" .IP "int \fBSSL_CTX_check_private_key\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_check_private_key(const SSL_CTX *ctx);" .IP "long \fBSSL_CTX_ctrl\fR(\s-1SSL_CTX\s0 *ctx, int cmd, long larg, char *parg);" 4 .IX Item "long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, char *parg);" .IP "void \fBSSL_CTX_flush_sessions\fR(\s-1SSL_CTX\s0 *s, long t);" 4 .IX Item "void SSL_CTX_flush_sessions(SSL_CTX *s, long t);" .IP "void \fBSSL_CTX_free\fR(\s-1SSL_CTX\s0 *a);" 4 .IX Item "void SSL_CTX_free(SSL_CTX *a);" .IP "char *\fBSSL_CTX_get_app_data\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "char *SSL_CTX_get_app_data(SSL_CTX *ctx);" .IP "X509_STORE *\fBSSL_CTX_get_cert_store\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx);" .IP "\s-1STACK\s0 *\fBSSL_CTX_get_ciphers\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "STACK *SSL_CTX_get_ciphers(const SSL_CTX *ctx);" .IP "\s-1STACK\s0 
*\fBSSL_CTX_get_client_CA_list\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "STACK *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx);" .IP "int (*\fBSSL_CTX_get_client_cert_cb\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, X509 **x509, \s-1EVP_PKEY\s0 **pkey);" 4 .IX Item "int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);" .IP "void \fBSSL_CTX_get_default_read_ahead\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "void SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);" .IP "char *\fBSSL_CTX_get_ex_data\fR(const \s-1SSL_CTX\s0 *s, int idx);" 4 .IX Item "char *SSL_CTX_get_ex_data(const SSL_CTX *s, int idx);" .IP "int \fBSSL_CTX_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4 .IX Item "int SSL_CTX_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" .IP "void (*\fBSSL_CTX_get_info_callback\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, int cb, int ret);" 4 .IX Item "void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);" .IP "int \fBSSL_CTX_get_quiet_shutdown\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);" .IP "void \fBSSL_CTX_get_read_ahead\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "void SSL_CTX_get_read_ahead(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_get_session_cache_mode\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_get_session_cache_mode(SSL_CTX *ctx);" .IP "long \fBSSL_CTX_get_timeout\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "long SSL_CTX_get_timeout(const SSL_CTX *ctx);" .IP "int (*\fBSSL_CTX_get_verify_callback\fR(const \s-1SSL_CTX\s0 *ctx))(int ok, X509_STORE_CTX *ctx);" 4 .IX Item "int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);" .IP "int \fBSSL_CTX_get_verify_mode\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_get_verify_mode(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_load_verify_locations\fR(\s-1SSL_CTX\s0 *ctx, const char 
*CAfile, const char *CApath);" 4 .IX Item "int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, const char *CApath);" .IP "\s-1SSL_CTX\s0 *\fBSSL_CTX_new\fR(const \s-1SSL_METHOD\s0 *meth);" 4 .IX Item "SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth);" .IP "int SSL_CTX_up_ref(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_up_ref(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_remove_session\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *c);" 4 .IX Item "int SSL_CTX_remove_session(SSL_CTX *ctx, SSL_SESSION *c);" .IP "int \fBSSL_CTX_sess_accept\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_accept(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_accept_good\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_accept_good(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_accept_renegotiate\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_accept_renegotiate(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_cache_full\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_cache_full(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_cb_hits\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_cb_hits(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_connect\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_connect(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_connect_good\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_connect_good(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_connect_renegotiate\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_connect_renegotiate(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_get_cache_size\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_get_cache_size(SSL_CTX *ctx);" .IP "\s-1SSL_SESSION\s0 *(*\fBSSL_CTX_sess_get_get_cb\fR(\s-1SSL_CTX\s0 *ctx))(\s-1SSL\s0 *ssl, unsigned char *data, int len, int *copy);" 4 .IX Item "SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, int len, int *copy);" .IP "int (*\fBSSL_CTX_sess_get_new_cb\fR(\s-1SSL_CTX\s0 *ctx)(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *sess);" 4 .IX Item "int 
(*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx)(SSL *ssl, SSL_SESSION *sess);" .IP "void (*\fBSSL_CTX_sess_get_remove_cb\fR(\s-1SSL_CTX\s0 *ctx)(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *sess);" 4 .IX Item "void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx)(SSL_CTX *ctx, SSL_SESSION *sess);" .IP "int \fBSSL_CTX_sess_hits\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_hits(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_misses\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_misses(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_sess_number\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_number(SSL_CTX *ctx);" .IP "void \fBSSL_CTX_sess_set_cache_size\fR(\s-1SSL_CTX\s0 *ctx, t);" 4 .IX Item "void SSL_CTX_sess_set_cache_size(SSL_CTX *ctx, t);" .IP "void \fBSSL_CTX_sess_set_get_cb\fR(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *(*cb)(\s-1SSL\s0 *ssl, unsigned char *data, int len, int *copy));" 4 .IX Item "void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(SSL *ssl, unsigned char *data, int len, int *copy));" .IP "void \fBSSL_CTX_sess_set_new_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *sess));" 4 .IX Item "void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, SSL_SESSION *sess));" .IP "void \fBSSL_CTX_sess_set_remove_cb\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(\s-1SSL_CTX\s0 *ctx, \s-1SSL_SESSION\s0 *sess));" 4 .IX Item "void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess));" .IP "int \fBSSL_CTX_sess_timeouts\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_sess_timeouts(SSL_CTX *ctx);" .IP "\s-1LHASH\s0 *\fBSSL_CTX_sessions\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "LHASH *SSL_CTX_sessions(SSL_CTX *ctx);" .IP "int \fBSSL_CTX_set_app_data\fR(\s-1SSL_CTX\s0 *ctx, void *arg);" 4 .IX Item "int SSL_CTX_set_app_data(SSL_CTX *ctx, void *arg);" .IP "void \fBSSL_CTX_set_cert_store\fR(\s-1SSL_CTX\s0 *ctx, X509_STORE *cs);" 4 .IX Item "void SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *cs);" .IP "void 
\fBSSL_CTX_set1_cert_store\fR(\s-1SSL_CTX\s0 *ctx, X509_STORE *cs);" 4 .IX Item "void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *cs);" .IP "void \fBSSL_CTX_set_cert_verify_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(), char *arg)" 4 .IX Item "void SSL_CTX_set_cert_verify_cb(SSL_CTX *ctx, int (*cb)(), char *arg)" .IP "int \fBSSL_CTX_set_cipher_list\fR(\s-1SSL_CTX\s0 *ctx, char *str);" 4 .IX Item "int SSL_CTX_set_cipher_list(SSL_CTX *ctx, char *str);" .IP "void \fBSSL_CTX_set_client_CA_list\fR(\s-1SSL_CTX\s0 *ctx, \s-1STACK\s0 *list);" 4 .IX Item "void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK *list);" .IP "void \fBSSL_CTX_set_client_cert_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb)(\s-1SSL\s0 *ssl, X509 **x509, \s-1EVP_PKEY\s0 **pkey));" 4 .IX Item "void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));" .IP "int \fBSSL_CTX_set_ct_validation_callback\fR(\s-1SSL_CTX\s0 *ctx, ssl_ct_validation_cb callback, void *arg);" 4 .IX Item "int SSL_CTX_set_ct_validation_callback(SSL_CTX *ctx, ssl_ct_validation_cb callback, void *arg);" .IP "void \fBSSL_CTX_set_default_passwd_cb\fR(\s-1SSL_CTX\s0 *ctx, int (*cb);(void))" 4 .IX Item "void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, int (*cb);(void))" .IP "void \fBSSL_CTX_set_default_read_ahead\fR(\s-1SSL_CTX\s0 *ctx, int m);" 4 .IX Item "void SSL_CTX_set_default_read_ahead(SSL_CTX *ctx, int m);" .IP "int \fBSSL_CTX_set_default_verify_paths\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);" .PD Use the default paths to locate trusted \s-1CA\s0 certificates. There is one default directory path and one default file path. Both are set via this call. .IP "int \fBSSL_CTX_set_default_verify_dir\fR(\s-1SSL_CTX\s0 *ctx)" 4 .IX Item "int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)" Use the default directory path to locate trusted \s-1CA\s0 certificates. 
.IP "int \fBSSL_CTX_set_default_verify_file\fR(\s-1SSL_CTX\s0 *ctx)" 4 .IX Item "int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)" Use the file path to locate trusted \s-1CA\s0 certificates. .IP "int \fBSSL_CTX_set_ex_data\fR(\s-1SSL_CTX\s0 *s, int idx, char *arg);" 4 .IX Item "int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, char *arg);" .PD 0 .IP "void \fBSSL_CTX_set_info_callback\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(\s-1SSL\s0 *ssl, int cb, int ret));" 4 .IX Item "void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(SSL *ssl, int cb, int ret));" .IP "void \fBSSL_CTX_set_msg_callback\fR(\s-1SSL_CTX\s0 *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, \s-1SSL\s0 *ssl, void *arg));" 4 .IX Item "void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));" .IP "void \fBSSL_CTX_set_msg_callback_arg\fR(\s-1SSL_CTX\s0 *ctx, void *arg);" 4 .IX Item "void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);" .IP "unsigned long \fBSSL_CTX_clear_options\fR(\s-1SSL_CTX\s0 *ctx, unsigned long op);" 4 .IX Item "unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);" .IP "unsigned long \fBSSL_CTX_get_options\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "unsigned long SSL_CTX_get_options(SSL_CTX *ctx);" .IP "unsigned long \fBSSL_CTX_set_options\fR(\s-1SSL_CTX\s0 *ctx, unsigned long op);" 4 .IX Item "unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);" .IP "void \fBSSL_CTX_set_quiet_shutdown\fR(\s-1SSL_CTX\s0 *ctx, int mode);" 4 .IX Item "void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode);" .IP "void \fBSSL_CTX_set_read_ahead\fR(\s-1SSL_CTX\s0 *ctx, int m);" 4 .IX Item "void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int m);" .IP "void \fBSSL_CTX_set_session_cache_mode\fR(\s-1SSL_CTX\s0 *ctx, int mode);" 4 .IX Item "void SSL_CTX_set_session_cache_mode(SSL_CTX *ctx, int mode);" .IP "int \fBSSL_CTX_set_ssl_version\fR(\s-1SSL_CTX\s0 
*ctx, const \s-1SSL_METHOD\s0 *meth);" 4 .IX Item "int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);" .IP "void \fBSSL_CTX_set_timeout\fR(\s-1SSL_CTX\s0 *ctx, long t);" 4 .IX Item "void SSL_CTX_set_timeout(SSL_CTX *ctx, long t);" .IP "long \fBSSL_CTX_set_tmp_dh\fR(SSL_CTX* ctx, \s-1DH\s0 *dh);" 4 .IX Item "long SSL_CTX_set_tmp_dh(SSL_CTX* ctx, DH *dh);" .IP "long \fBSSL_CTX_set_tmp_dh_callback\fR(\s-1SSL_CTX\s0 *ctx, \s-1DH\s0 *(*cb)(void));" 4 .IX Item "long SSL_CTX_set_tmp_dh_callback(SSL_CTX *ctx, DH *(*cb)(void));" .IP "void \fBSSL_CTX_set_verify\fR(\s-1SSL_CTX\s0 *ctx, int mode, int (*cb);(void))" 4 .IX Item "void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb);(void))" .IP "int \fBSSL_CTX_use_PrivateKey\fR(\s-1SSL_CTX\s0 *ctx, \s-1EVP_PKEY\s0 *pkey);" 4 .IX Item "int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);" .IP "int \fBSSL_CTX_use_PrivateKey_ASN1\fR(int type, \s-1SSL_CTX\s0 *ctx, unsigned char *d, long len);" 4 .IX Item "int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, unsigned char *d, long len);" .IP "int \fBSSL_CTX_use_PrivateKey_file\fR(\s-1SSL_CTX\s0 *ctx, const char *file, int type);" 4 .IX Item "int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type);" .IP "int \fBSSL_CTX_use_RSAPrivateKey\fR(\s-1SSL_CTX\s0 *ctx, \s-1RSA\s0 *rsa);" 4 .IX Item "int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);" .IP "int \fBSSL_CTX_use_RSAPrivateKey_ASN1\fR(\s-1SSL_CTX\s0 *ctx, unsigned char *d, long len);" 4 .IX Item "int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, unsigned char *d, long len);" .IP "int \fBSSL_CTX_use_RSAPrivateKey_file\fR(\s-1SSL_CTX\s0 *ctx, const char *file, int type);" 4 .IX Item "int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type);" .IP "int \fBSSL_CTX_use_certificate\fR(\s-1SSL_CTX\s0 *ctx, X509 *x);" 4 .IX Item "int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x);" .IP "int \fBSSL_CTX_use_certificate_ASN1\fR(\s-1SSL_CTX\s0 *ctx, int len, unsigned char *d);" 
4 .IX Item "int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);" .IP "int \fBSSL_CTX_use_certificate_file\fR(\s-1SSL_CTX\s0 *ctx, const char *file, int type);" 4 .IX Item "int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type);" .IP "int \fBSSL_CTX_use_cert_and_key\fR(\s-1SSL_CTX\s0 *ctx, X509 *x, \s-1EVP_PKEY\s0 *pkey, \s-1STACK_OF\s0(X509) *chain, int override);" 4 .IX Item "int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);" .IP "X509 *\fBSSL_CTX_get0_certificate\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);" .IP "\s-1EVP_PKEY\s0 *\fBSSL_CTX_get0_privatekey\fR(const \s-1SSL_CTX\s0 *ctx);" 4 .IX Item "EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);" .IP "void \fBSSL_CTX_set_psk_client_callback\fR(\s-1SSL_CTX\s0 *ctx, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" 4 .IX Item "void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" .IP "int \fBSSL_CTX_use_psk_identity_hint\fR(\s-1SSL_CTX\s0 *ctx, const char *hint);" 4 .IX Item "int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint);" .IP "void \fBSSL_CTX_set_psk_server_callback\fR(\s-1SSL_CTX\s0 *ctx, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *identity, unsigned char *psk, int max_psk_len));" 4 .IX Item "void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));" .PD .SS "Dealing with Sessions" .IX Subsection "Dealing with Sessions" Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 sessions defined in the \fB\s-1SSL_SESSION\s0\fR structures. 
.IP "int \fBSSL_SESSION_cmp\fR(const \s-1SSL_SESSION\s0 *a, const \s-1SSL_SESSION\s0 *b);" 4 .IX Item "int SSL_SESSION_cmp(const SSL_SESSION *a, const SSL_SESSION *b);" .PD 0 .IP "void \fBSSL_SESSION_free\fR(\s-1SSL_SESSION\s0 *ss);" 4 .IX Item "void SSL_SESSION_free(SSL_SESSION *ss);" .IP "char *\fBSSL_SESSION_get_app_data\fR(\s-1SSL_SESSION\s0 *s);" 4 .IX Item "char *SSL_SESSION_get_app_data(SSL_SESSION *s);" .IP "char *\fBSSL_SESSION_get_ex_data\fR(const \s-1SSL_SESSION\s0 *s, int idx);" 4 .IX Item "char *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx);" .IP "int \fBSSL_SESSION_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4 .IX Item "int SSL_SESSION_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" .IP "long \fBSSL_SESSION_get_time\fR(const \s-1SSL_SESSION\s0 *s);" 4 .IX Item "long SSL_SESSION_get_time(const SSL_SESSION *s);" .IP "long \fBSSL_SESSION_get_timeout\fR(const \s-1SSL_SESSION\s0 *s);" 4 .IX Item "long SSL_SESSION_get_timeout(const SSL_SESSION *s);" .IP "unsigned long \fBSSL_SESSION_hash\fR(const \s-1SSL_SESSION\s0 *a);" 4 .IX Item "unsigned long SSL_SESSION_hash(const SSL_SESSION *a);" .IP "\s-1SSL_SESSION\s0 *\fBSSL_SESSION_new\fR(void);" 4 .IX Item "SSL_SESSION *SSL_SESSION_new(void);" .IP "int \fBSSL_SESSION_print\fR(\s-1BIO\s0 *bp, const \s-1SSL_SESSION\s0 *x);" 4 .IX Item "int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x);" .IP "int \fBSSL_SESSION_print_fp\fR(\s-1FILE\s0 *fp, const \s-1SSL_SESSION\s0 *x);" 4 .IX Item "int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x);" .IP "int \fBSSL_SESSION_set_app_data\fR(\s-1SSL_SESSION\s0 *s, char *a);" 4 .IX Item "int SSL_SESSION_set_app_data(SSL_SESSION *s, char *a);" .IP "int \fBSSL_SESSION_set_ex_data\fR(\s-1SSL_SESSION\s0 *s, int idx, char *arg);" 4 .IX Item "int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, char *arg);" .IP "long 
\fBSSL_SESSION_set_time\fR(\s-1SSL_SESSION\s0 *s, long t);" 4 .IX Item "long SSL_SESSION_set_time(SSL_SESSION *s, long t);" .IP "long \fBSSL_SESSION_set_timeout\fR(\s-1SSL_SESSION\s0 *s, long t);" 4 .IX Item "long SSL_SESSION_set_timeout(SSL_SESSION *s, long t);" .PD .SS "Dealing with Connections" .IX Subsection "Dealing with Connections" Here we document the various \s-1API\s0 functions which deal with the \s-1SSL/TLS\s0 connection defined in the \fB\s-1SSL\s0\fR structure. .IP "int \fBSSL_accept\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_accept(SSL *ssl);" .PD 0 .IP "int \fBSSL_add_dir_cert_subjects_to_stack\fR(\s-1STACK\s0 *stack, const char *dir);" 4 .IX Item "int SSL_add_dir_cert_subjects_to_stack(STACK *stack, const char *dir);" .IP "int \fBSSL_add_file_cert_subjects_to_stack\fR(\s-1STACK\s0 *stack, const char *file);" 4 .IX Item "int SSL_add_file_cert_subjects_to_stack(STACK *stack, const char *file);" .IP "int \fBSSL_add_client_CA\fR(\s-1SSL\s0 *ssl, X509 *x);" 4 .IX Item "int SSL_add_client_CA(SSL *ssl, X509 *x);" .IP "char *\fBSSL_alert_desc_string\fR(int value);" 4 .IX Item "char *SSL_alert_desc_string(int value);" .IP "char *\fBSSL_alert_desc_string_long\fR(int value);" 4 .IX Item "char *SSL_alert_desc_string_long(int value);" .IP "char *\fBSSL_alert_type_string\fR(int value);" 4 .IX Item "char *SSL_alert_type_string(int value);" .IP "char *\fBSSL_alert_type_string_long\fR(int value);" 4 .IX Item "char *SSL_alert_type_string_long(int value);" .IP "int \fBSSL_check_private_key\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_check_private_key(const SSL *ssl);" .IP "void \fBSSL_clear\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "void SSL_clear(SSL *ssl);" .IP "long \fBSSL_clear_num_renegotiations\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_clear_num_renegotiations(SSL *ssl);" .IP "int \fBSSL_connect\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_connect(SSL *ssl);" .IP "int \fBSSL_copy_session_id\fR(\s-1SSL\s0 *t, const \s-1SSL\s0 *f);" 4 .IX Item "int 
SSL_copy_session_id(SSL *t, const SSL *f);" .PD Sets the session details for \fBt\fR to be the same as in \fBf\fR. Returns 1 on success or 0 on failure. .IP "long \fBSSL_ctrl\fR(\s-1SSL\s0 *ssl, int cmd, long larg, char *parg);" 4 .IX Item "long SSL_ctrl(SSL *ssl, int cmd, long larg, char *parg);" .PD 0 .IP "int \fBSSL_do_handshake\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_do_handshake(SSL *ssl);" .IP "\s-1SSL\s0 *\fBSSL_dup\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "SSL *SSL_dup(SSL *ssl);" .PD \&\fBSSL_dup()\fR allows applications to configure an \s-1SSL\s0 handle for use in multiple \s-1SSL\s0 connections, and then duplicate it prior to initiating each connection with the duplicated handle. Use of \fBSSL_dup()\fR avoids the need to repeat the configuration of the handles for each connection. .Sp For \fBSSL_dup()\fR to work, the connection \s-1MUST\s0 be in its initial state and \s-1MUST NOT\s0 have started the \s-1SSL\s0 handshake yet. For connections that are not in their initial state \fBSSL_dup()\fR just increments an internal reference count and returns the \fIsame\fR handle, so the result is not an independent copy. It may be possible to use \fBSSL_clear\fR\|(3) to recycle an \s-1SSL\s0 handle that is not in its initial state for re-use, but this is best avoided. Instead, save and restore the session, if desired, and construct a fresh handle for each connection. 
.IP "\s-1STACK\s0 *\fBSSL_dup_CA_list\fR(\s-1STACK\s0 *sk);" 4 .IX Item "STACK *SSL_dup_CA_list(STACK *sk);" .PD 0 .IP "void \fBSSL_free\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "void SSL_free(SSL *ssl);" .IP "\s-1SSL_CTX\s0 *\fBSSL_get_SSL_CTX\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);" .IP "char *\fBSSL_get_app_data\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_get_app_data(SSL *ssl);" .IP "X509 *\fBSSL_get_certificate\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "X509 *SSL_get_certificate(const SSL *ssl);" .IP "const char *\fBSSL_get_cipher\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "const char *SSL_get_cipher(const SSL *ssl);" .IP "int \fBSSL_is_dtls\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_is_dtls(const SSL *ssl);" .IP "int \fBSSL_get_cipher_bits\fR(const \s-1SSL\s0 *ssl, int *alg_bits);" 4 .IX Item "int SSL_get_cipher_bits(const SSL *ssl, int *alg_bits);" .IP "char *\fBSSL_get_cipher_list\fR(const \s-1SSL\s0 *ssl, int n);" 4 .IX Item "char *SSL_get_cipher_list(const SSL *ssl, int n);" .IP "char *\fBSSL_get_cipher_name\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_get_cipher_name(const SSL *ssl);" .IP "char *\fBSSL_get_cipher_version\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_get_cipher_version(const SSL *ssl);" .IP "\s-1STACK\s0 *\fBSSL_get_ciphers\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "STACK *SSL_get_ciphers(const SSL *ssl);" .IP "\s-1STACK\s0 *\fBSSL_get_client_CA_list\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "STACK *SSL_get_client_CA_list(const SSL *ssl);" .IP "\s-1SSL_CIPHER\s0 *\fBSSL_get_current_cipher\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);" .IP "long \fBSSL_get_default_timeout\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_get_default_timeout(const SSL *ssl);" .IP "int \fBSSL_get_error\fR(const \s-1SSL\s0 *ssl, int i);" 4 .IX Item "int SSL_get_error(const SSL *ssl, int i);" .IP "char *\fBSSL_get_ex_data\fR(const \s-1SSL\s0 *ssl, int idx);" 4 .IX Item "char 
*SSL_get_ex_data(const SSL *ssl, int idx);" .IP "int \fBSSL_get_ex_data_X509_STORE_CTX_idx\fR(void);" 4 .IX Item "int SSL_get_ex_data_X509_STORE_CTX_idx(void);" .IP "int \fBSSL_get_ex_new_index\fR(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" 4 .IX Item "int SSL_get_ex_new_index(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))" .IP "int \fBSSL_get_fd\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_get_fd(const SSL *ssl);" .IP "void (*\fBSSL_get_info_callback\fR(const \s-1SSL\s0 *ssl);)()" 4 .IX Item "void (*SSL_get_info_callback(const SSL *ssl);)()" .IP "int \fBSSL_get_key_update_type\fR(\s-1SSL\s0 *s);" 4 .IX Item "int SSL_get_key_update_type(SSL *s);" .IP "\s-1STACK\s0 *\fBSSL_get_peer_cert_chain\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "STACK *SSL_get_peer_cert_chain(const SSL *ssl);" .IP "X509 *\fBSSL_get_peer_certificate\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "X509 *SSL_get_peer_certificate(const SSL *ssl);" .IP "const \s-1STACK_OF\s0(\s-1SCT\s0) *\fBSSL_get0_peer_scts\fR(\s-1SSL\s0 *s);" 4 .IX Item "const STACK_OF(SCT) *SSL_get0_peer_scts(SSL *s);" .IP "\s-1EVP_PKEY\s0 *\fBSSL_get_privatekey\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "EVP_PKEY *SSL_get_privatekey(const SSL *ssl);" .IP "int \fBSSL_get_quiet_shutdown\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_get_quiet_shutdown(const SSL *ssl);" .IP "\s-1BIO\s0 *\fBSSL_get_rbio\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "BIO *SSL_get_rbio(const SSL *ssl);" .IP "int \fBSSL_get_read_ahead\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_get_read_ahead(const SSL *ssl);" .IP "\s-1SSL_SESSION\s0 *\fBSSL_get_session\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "SSL_SESSION *SSL_get_session(const SSL *ssl);" .IP "char *\fBSSL_get_shared_ciphers\fR(const \s-1SSL\s0 *ssl, char *buf, int size);" 4 .IX Item "char *SSL_get_shared_ciphers(const SSL *ssl, char *buf, int size);" .IP "int \fBSSL_get_shutdown\fR(const \s-1SSL\s0 *ssl);" 4 .IX 
Item "int SSL_get_shutdown(const SSL *ssl);" .IP "const \s-1SSL_METHOD\s0 *\fBSSL_get_ssl_method\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "const SSL_METHOD *SSL_get_ssl_method(SSL *ssl);" .IP "int \fBSSL_get_state\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_get_state(const SSL *ssl);" .IP "long \fBSSL_get_time\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_get_time(const SSL *ssl);" .IP "long \fBSSL_get_timeout\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_get_timeout(const SSL *ssl);" .IP "int (*\fBSSL_get_verify_callback\fR(const \s-1SSL\s0 *ssl))(int, X509_STORE_CTX *)" 4 .IX Item "int (*SSL_get_verify_callback(const SSL *ssl))(int, X509_STORE_CTX *)" .IP "int \fBSSL_get_verify_mode\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_get_verify_mode(const SSL *ssl);" .IP "long \fBSSL_get_verify_result\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_get_verify_result(const SSL *ssl);" .IP "char *\fBSSL_get_version\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_get_version(const SSL *ssl);" .IP "\s-1BIO\s0 *\fBSSL_get_wbio\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "BIO *SSL_get_wbio(const SSL *ssl);" .IP "int \fBSSL_in_accept_init\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_in_accept_init(SSL *ssl);" .IP "int \fBSSL_in_before\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_in_before(SSL *ssl);" .IP "int \fBSSL_in_connect_init\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_in_connect_init(SSL *ssl);" .IP "int \fBSSL_in_init\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_in_init(SSL *ssl);" .IP "int \fBSSL_is_init_finished\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_is_init_finished(SSL *ssl);" .IP "int \fBSSL_key_update\fR(\s-1SSL\s0 *s, int updatetype);" 4 .IX Item "int SSL_key_update(SSL *s, int updatetype);" .IP "\s-1STACK\s0 *\fBSSL_load_client_CA_file\fR(const char *file);" 4 .IX Item "STACK *SSL_load_client_CA_file(const char *file);" .IP "\s-1SSL\s0 *\fBSSL_new\fR(\s-1SSL_CTX\s0 *ctx);" 4 .IX Item "SSL *SSL_new(SSL_CTX *ctx);" .IP "int SSL_up_ref(\s-1SSL\s0 *s);" 4 .IX Item "int 
SSL_up_ref(SSL *s);" .IP "long \fBSSL_num_renegotiations\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_num_renegotiations(SSL *ssl);" .IP "int \fBSSL_peek\fR(\s-1SSL\s0 *ssl, void *buf, int num);" 4 .IX Item "int SSL_peek(SSL *ssl, void *buf, int num);" .IP "int \fBSSL_pending\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_pending(const SSL *ssl);" .IP "int \fBSSL_read\fR(\s-1SSL\s0 *ssl, void *buf, int num);" 4 .IX Item "int SSL_read(SSL *ssl, void *buf, int num);" .IP "int \fBSSL_renegotiate\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_renegotiate(SSL *ssl);" .IP "char *\fBSSL_rstate_string\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_rstate_string(SSL *ssl);" .IP "char *\fBSSL_rstate_string_long\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_rstate_string_long(SSL *ssl);" .IP "long \fBSSL_session_reused\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_session_reused(SSL *ssl);" .IP "void \fBSSL_set_accept_state\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "void SSL_set_accept_state(SSL *ssl);" .IP "void \fBSSL_set_app_data\fR(\s-1SSL\s0 *ssl, char *arg);" 4 .IX Item "void SSL_set_app_data(SSL *ssl, char *arg);" .IP "void \fBSSL_set_bio\fR(\s-1SSL\s0 *ssl, \s-1BIO\s0 *rbio, \s-1BIO\s0 *wbio);" 4 .IX Item "void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);" .IP "int \fBSSL_set_cipher_list\fR(\s-1SSL\s0 *ssl, char *str);" 4 .IX Item "int SSL_set_cipher_list(SSL *ssl, char *str);" .IP "void \fBSSL_set_client_CA_list\fR(\s-1SSL\s0 *ssl, \s-1STACK\s0 *list);" 4 .IX Item "void SSL_set_client_CA_list(SSL *ssl, STACK *list);" .IP "void \fBSSL_set_connect_state\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "void SSL_set_connect_state(SSL *ssl);" .IP "int \fBSSL_set_ct_validation_callback\fR(\s-1SSL\s0 *ssl, ssl_ct_validation_cb callback, void *arg);" 4 .IX Item "int SSL_set_ct_validation_callback(SSL *ssl, ssl_ct_validation_cb callback, void *arg);" .IP "int \fBSSL_set_ex_data\fR(\s-1SSL\s0 *ssl, int idx, char *arg);" 4 .IX Item "int SSL_set_ex_data(SSL *ssl, int idx, char *arg);" .IP "int 
\fBSSL_set_fd\fR(\s-1SSL\s0 *ssl, int fd);" 4 .IX Item "int SSL_set_fd(SSL *ssl, int fd);" .IP "void \fBSSL_set_info_callback\fR(\s-1SSL\s0 *ssl, void (*cb);(void))" 4 .IX Item "void SSL_set_info_callback(SSL *ssl, void (*cb);(void))" .IP "void \fBSSL_set_msg_callback\fR(\s-1SSL\s0 *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, \s-1SSL\s0 *ssl, void *arg));" 4 .IX Item "void SSL_set_msg_callback(SSL *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));" .IP "void \fBSSL_set_msg_callback_arg\fR(\s-1SSL\s0 *ctx, void *arg);" 4 .IX Item "void SSL_set_msg_callback_arg(SSL *ctx, void *arg);" .IP "unsigned long \fBSSL_clear_options\fR(\s-1SSL\s0 *ssl, unsigned long op);" 4 .IX Item "unsigned long SSL_clear_options(SSL *ssl, unsigned long op);" .IP "unsigned long \fBSSL_get_options\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "unsigned long SSL_get_options(SSL *ssl);" .IP "unsigned long \fBSSL_set_options\fR(\s-1SSL\s0 *ssl, unsigned long op);" 4 .IX Item "unsigned long SSL_set_options(SSL *ssl, unsigned long op);" .IP "void \fBSSL_set_quiet_shutdown\fR(\s-1SSL\s0 *ssl, int mode);" 4 .IX Item "void SSL_set_quiet_shutdown(SSL *ssl, int mode);" .IP "void \fBSSL_set_read_ahead\fR(\s-1SSL\s0 *ssl, int yes);" 4 .IX Item "void SSL_set_read_ahead(SSL *ssl, int yes);" .IP "int \fBSSL_set_rfd\fR(\s-1SSL\s0 *ssl, int fd);" 4 .IX Item "int SSL_set_rfd(SSL *ssl, int fd);" .IP "int \fBSSL_set_session\fR(\s-1SSL\s0 *ssl, \s-1SSL_SESSION\s0 *session);" 4 .IX Item "int SSL_set_session(SSL *ssl, SSL_SESSION *session);" .IP "void \fBSSL_set_shutdown\fR(\s-1SSL\s0 *ssl, int mode);" 4 .IX Item "void SSL_set_shutdown(SSL *ssl, int mode);" .IP "int \fBSSL_set_ssl_method\fR(\s-1SSL\s0 *ssl, const \s-1SSL_METHOD\s0 *meth);" 4 .IX Item "int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *meth);" .IP "void \fBSSL_set_time\fR(\s-1SSL\s0 *ssl, long t);" 4 .IX Item "void SSL_set_time(SSL *ssl, long t);" .IP "void 
\fBSSL_set_timeout\fR(\s-1SSL\s0 *ssl, long t);" 4 .IX Item "void SSL_set_timeout(SSL *ssl, long t);" .IP "void \fBSSL_set_verify\fR(\s-1SSL\s0 *ssl, int mode, int (*callback);(void))" 4 .IX Item "void SSL_set_verify(SSL *ssl, int mode, int (*callback);(void))" .IP "void \fBSSL_set_verify_result\fR(\s-1SSL\s0 *ssl, long arg);" 4 .IX Item "void SSL_set_verify_result(SSL *ssl, long arg);" .IP "int \fBSSL_set_wfd\fR(\s-1SSL\s0 *ssl, int fd);" 4 .IX Item "int SSL_set_wfd(SSL *ssl, int fd);" .IP "int \fBSSL_shutdown\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_shutdown(SSL *ssl);" .IP "\s-1OSSL_HANDSHAKE_STATE\s0 \fBSSL_get_state\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);" .PD Returns the current handshake state. .IP "char *\fBSSL_state_string\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_state_string(const SSL *ssl);" .PD 0 .IP "char *\fBSSL_state_string_long\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "char *SSL_state_string_long(const SSL *ssl);" .IP "long \fBSSL_total_renegotiations\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "long SSL_total_renegotiations(SSL *ssl);" .IP "int \fBSSL_use_PrivateKey\fR(\s-1SSL\s0 *ssl, \s-1EVP_PKEY\s0 *pkey);" 4 .IX Item "int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);" .IP "int \fBSSL_use_PrivateKey_ASN1\fR(int type, \s-1SSL\s0 *ssl, unsigned char *d, long len);" 4 .IX Item "int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, unsigned char *d, long len);" .IP "int \fBSSL_use_PrivateKey_file\fR(\s-1SSL\s0 *ssl, const char *file, int type);" 4 .IX Item "int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);" .IP "int \fBSSL_use_RSAPrivateKey\fR(\s-1SSL\s0 *ssl, \s-1RSA\s0 *rsa);" 4 .IX Item "int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);" .IP "int \fBSSL_use_RSAPrivateKey_ASN1\fR(\s-1SSL\s0 *ssl, unsigned char *d, long len);" 4 .IX Item "int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len);" .IP "int \fBSSL_use_RSAPrivateKey_file\fR(\s-1SSL\s0 *ssl, const char *file, int 
type);" 4 .IX Item "int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);" .IP "int \fBSSL_use_certificate\fR(\s-1SSL\s0 *ssl, X509 *x);" 4 .IX Item "int SSL_use_certificate(SSL *ssl, X509 *x);" .IP "int \fBSSL_use_certificate_ASN1\fR(\s-1SSL\s0 *ssl, int len, unsigned char *d);" 4 .IX Item "int SSL_use_certificate_ASN1(SSL *ssl, int len, unsigned char *d);" .IP "int \fBSSL_use_certificate_file\fR(\s-1SSL\s0 *ssl, const char *file, int type);" 4 .IX Item "int SSL_use_certificate_file(SSL *ssl, const char *file, int type);" .IP "int \fBSSL_use_cert_and_key\fR(\s-1SSL\s0 *ssl, X509 *x, \s-1EVP_PKEY\s0 *pkey, \s-1STACK_OF\s0(X509) *chain, int override);" 4 .IX Item "int SSL_use_cert_and_key(SSL *ssl, X509 *x, EVP_PKEY *pkey, STACK_OF(X509) *chain, int override);" .IP "int \fBSSL_version\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_version(const SSL *ssl);" .IP "int \fBSSL_want\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_want(const SSL *ssl);" .IP "int \fBSSL_want_nothing\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_want_nothing(const SSL *ssl);" .IP "int \fBSSL_want_read\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_want_read(const SSL *ssl);" .IP "int \fBSSL_want_write\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_want_write(const SSL *ssl);" .IP "int \fBSSL_want_x509_lookup\fR(const \s-1SSL\s0 *ssl);" 4 .IX Item "int SSL_want_x509_lookup(const SSL *ssl);" .IP "int \fBSSL_write\fR(\s-1SSL\s0 *ssl, const void *buf, int num);" 4 .IX Item "int SSL_write(SSL *ssl, const void *buf, int num);" .IP "void \fBSSL_set_psk_client_callback\fR(\s-1SSL\s0 *ssl, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" 4 .IX Item "void SSL_set_psk_client_callback(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));" .IP "int 
\fBSSL_use_psk_identity_hint\fR(\s-1SSL\s0 *ssl, const char *hint);" 4 .IX Item "int SSL_use_psk_identity_hint(SSL *ssl, const char *hint);" .IP "void \fBSSL_set_psk_server_callback\fR(\s-1SSL\s0 *ssl, unsigned int (*callback)(\s-1SSL\s0 *ssl, const char *identity, unsigned char *psk, int max_psk_len));" 4 .IX Item "void SSL_set_psk_server_callback(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));" .IP "const char *\fBSSL_get_psk_identity_hint\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "const char *SSL_get_psk_identity_hint(SSL *ssl);" .IP "const char *\fBSSL_get_psk_identity\fR(\s-1SSL\s0 *ssl);" 4 .IX Item "const char *SSL_get_psk_identity(SSL *ssl);" .PD .SH "RETURN VALUES" .IX Header "RETURN VALUES" See the individual manual pages for details. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBopenssl\fR\|(1), \fBcrypto\fR\|(7), \&\fBCRYPTO_get_ex_new_index\fR\|(3), \&\fBSSL_accept\fR\|(3), \fBSSL_clear\fR\|(3), \&\fBSSL_connect\fR\|(3), \&\fBSSL_CIPHER_get_name\fR\|(3), \&\fBSSL_COMP_add_compression_method\fR\|(3), \&\fBSSL_CTX_add_extra_chain_cert\fR\|(3), \&\fBSSL_CTX_add_session\fR\|(3), \&\fBSSL_CTX_ctrl\fR\|(3), \&\fBSSL_CTX_flush_sessions\fR\|(3), \&\fBSSL_CTX_get_verify_mode\fR\|(3), \&\fBSSL_CTX_load_verify_locations\fR\|(3) \&\fBSSL_CTX_new\fR\|(3), \&\fBSSL_CTX_sess_number\fR\|(3), \&\fBSSL_CTX_sess_set_cache_size\fR\|(3), \&\fBSSL_CTX_sess_set_get_cb\fR\|(3), \&\fBSSL_CTX_sessions\fR\|(3), \&\fBSSL_CTX_set_cert_store\fR\|(3), \&\fBSSL_CTX_set_cert_verify_callback\fR\|(3), \&\fBSSL_CTX_set_cipher_list\fR\|(3), \&\fBSSL_CTX_set_client_CA_list\fR\|(3), \&\fBSSL_CTX_set_client_cert_cb\fR\|(3), \&\fBSSL_CTX_set_default_passwd_cb\fR\|(3), \&\fBSSL_CTX_set_generate_session_id\fR\|(3), \&\fBSSL_CTX_set_info_callback\fR\|(3), \&\fBSSL_CTX_set_max_cert_list\fR\|(3), \&\fBSSL_CTX_set_mode\fR\|(3), \&\fBSSL_CTX_set_msg_callback\fR\|(3), \&\fBSSL_CTX_set_options\fR\|(3), \&\fBSSL_CTX_set_quiet_shutdown\fR\|(3), 
\&\fBSSL_CTX_set_read_ahead\fR\|(3), \&\fBSSL_CTX_set_security_level\fR\|(3), \&\fBSSL_CTX_set_session_cache_mode\fR\|(3), \&\fBSSL_CTX_set_session_id_context\fR\|(3), \&\fBSSL_CTX_set_ssl_version\fR\|(3), \&\fBSSL_CTX_set_timeout\fR\|(3), \&\fBSSL_CTX_set_tmp_dh_callback\fR\|(3), \&\fBSSL_CTX_set_verify\fR\|(3), \&\fBSSL_CTX_use_certificate\fR\|(3), \&\fBSSL_alert_type_string\fR\|(3), \&\fBSSL_do_handshake\fR\|(3), \&\fBSSL_enable_ct\fR\|(3), \&\fBSSL_get_SSL_CTX\fR\|(3), \&\fBSSL_get_ciphers\fR\|(3), \&\fBSSL_get_client_CA_list\fR\|(3), \&\fBSSL_get_default_timeout\fR\|(3), \&\fBSSL_get_error\fR\|(3), \&\fBSSL_get_ex_data_X509_STORE_CTX_idx\fR\|(3), \&\fBSSL_get_fd\fR\|(3), \&\fBSSL_get_peer_cert_chain\fR\|(3), \&\fBSSL_get_rbio\fR\|(3), \&\fBSSL_get_session\fR\|(3), \&\fBSSL_get_verify_result\fR\|(3), \&\fBSSL_get_version\fR\|(3), \&\fBSSL_load_client_CA_file\fR\|(3), \&\fBSSL_new\fR\|(3), \&\fBSSL_pending\fR\|(3), \&\fBSSL_read_ex\fR\|(3), \&\fBSSL_read\fR\|(3), \&\fBSSL_rstate_string\fR\|(3), \&\fBSSL_session_reused\fR\|(3), \&\fBSSL_set_bio\fR\|(3), \&\fBSSL_set_connect_state\fR\|(3), \&\fBSSL_set_fd\fR\|(3), \&\fBSSL_set_session\fR\|(3), \&\fBSSL_set_shutdown\fR\|(3), \&\fBSSL_shutdown\fR\|(3), \&\fBSSL_state_string\fR\|(3), \&\fBSSL_want\fR\|(3), \&\fBSSL_write_ex\fR\|(3), \&\fBSSL_write\fR\|(3), \&\fBSSL_SESSION_free\fR\|(3), \&\fBSSL_SESSION_get_time\fR\|(3), \&\fBd2i_SSL_SESSION\fR\|(3), \&\fBSSL_CTX_set_psk_client_callback\fR\|(3), \&\fBSSL_CTX_use_psk_identity_hint\fR\|(3), \&\fBSSL_get_psk_identity\fR\|(3), \&\fBDTLSv1_listen\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" \&\fBSSLv2_client_method\fR, \fBSSLv2_server_method\fR and \fBSSLv2_method\fR were removed in OpenSSL 1.1.0. .PP The return type of \fBSSL_copy_session_id\fR was changed from void to int in OpenSSL 1.1.0. .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2000\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). 
You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!g+Ko%o%evp.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . 
\} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "EVP 7" .TH EVP 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. 
.if n .ad l .nh .SH "NAME" evp \- high\-level cryptographic functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include <openssl/evp.h> .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \s-1EVP\s0 library provides a high-level interface to cryptographic functions. .PP The \fBEVP_Seal\fR\fI\s-1XXX\s0\fR and \fBEVP_Open\fR\fI\s-1XXX\s0\fR functions provide public key encryption and decryption to implement digital \*(L"envelopes\*(R". .PP The \fBEVP_DigestSign\fR\fI\s-1XXX\s0\fR and \&\fBEVP_DigestVerify\fR\fI\s-1XXX\s0\fR functions implement digital signatures and Message Authentication Codes (MACs). Also see the older \&\fBEVP_Sign\fR\fI\s-1XXX\s0\fR and \fBEVP_Verify\fR\fI\s-1XXX\s0\fR functions. .PP Symmetric encryption is available with the \fBEVP_Encrypt\fR\fI\s-1XXX\s0\fR functions. The \fBEVP_Digest\fR\fI\s-1XXX\s0\fR functions provide message digests. .PP The \fB\s-1EVP_PKEY\s0\fR\fI\s-1XXX\s0\fR functions provide a high-level interface to asymmetric algorithms. To create a new \s-1EVP_PKEY\s0 see \&\fBEVP_PKEY_new\fR\|(3). EVP_PKEYs can be associated with a private key of a particular algorithm by using the functions described on the \fBEVP_PKEY_set1_RSA\fR\|(3) page, or new keys can be generated using \fBEVP_PKEY_keygen\fR\|(3). EVP_PKEYs can be compared using \fBEVP_PKEY_cmp\fR\|(3), or printed using \&\fBEVP_PKEY_print_private\fR\|(3). .PP The \s-1EVP_PKEY\s0 functions support the full range of asymmetric algorithm operations: .IP "For key agreement see \fBEVP_PKEY_derive\fR\|(3)" 4 .IX Item "For key agreement see EVP_PKEY_derive" .PD 0 .IP "For signing and verifying see \fBEVP_PKEY_sign\fR\|(3), \fBEVP_PKEY_verify\fR\|(3) and \fBEVP_PKEY_verify_recover\fR\|(3). However, note that these functions do not perform a digest of the data to be signed. Therefore, normally you would use the \fBEVP_DigestSignInit\fR\|(3) functions for this purpose." 4 .IX Item "For signing and verifying see EVP_PKEY_sign, EVP_PKEY_verify and EVP_PKEY_verify_recover. 
However, note that these functions do not perform a digest of the data to be signed. Therefore, normally you would use the EVP_DigestSignInit functions for this purpose." .ie n .IP "For encryption and decryption see \fBEVP_PKEY_encrypt\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ""digital envelope"" using the \fBEVP_SealInit\fR\|(3) and \fBEVP_OpenInit\fR\|(3) functions." 4 .el .IP "For encryption and decryption see \fBEVP_PKEY_encrypt\fR\|(3) and \fBEVP_PKEY_decrypt\fR\|(3) respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a ``digital envelope'' using the \fBEVP_SealInit\fR\|(3) and \fBEVP_OpenInit\fR\|(3) functions." 4 .IX Item "For encryption and decryption see EVP_PKEY_encrypt and EVP_PKEY_decrypt respectively. However, note that these functions perform encryption and decryption only. As public key encryption is an expensive operation, normally you would wrap an encrypted message in a digital envelope using the EVP_SealInit and EVP_OpenInit functions." .PD .PP The \fBEVP_BytesToKey\fR\|(3) function provides some limited support for password based encryption. Careful selection of the parameters will provide a PKCS#5 \s-1PBKDF1\s0 compatible implementation. However, new applications should not typically use this (preferring, for example, \&\s-1PBKDF2\s0 from PKCS#5). .PP The \fBEVP_Encode\fR\fI\s-1XXX\s0\fR and \&\fBEVP_Decode\fR\fI\s-1XXX\s0\fR functions implement base 64 encoding and decoding. .PP All the symmetric algorithms (ciphers), digests and asymmetric algorithms (public key algorithms) can be replaced by \s-1ENGINE\s0 modules providing alternative implementations. 
If \s-1ENGINE\s0 implementations of ciphers or digests are registered as defaults, then the various \s-1EVP\s0 functions will automatically use those implementations automatically in preference to built in software implementations. For more information, consult the \fBengine\fR\|(3) man page. .PP Although low-level algorithm specific functions exist for many algorithms their use is discouraged. They cannot be used with an \s-1ENGINE\s0 and \s-1ENGINE\s0 versions of new algorithms cannot be accessed using the low-level functions. Also makes code harder to adapt to new algorithms and some options are not cleanly supported at the low-level and some operations are more efficient using the high-level interface. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_DigestInit\fR\|(3), \&\fBEVP_EncryptInit\fR\|(3), \&\fBEVP_OpenInit\fR\|(3), \&\fBEVP_SealInit\fR\|(3), \&\fBEVP_DigestSignInit\fR\|(3), \&\fBEVP_SignInit\fR\|(3), \&\fBEVP_VerifyInit\fR\|(3), \&\fBEVP_EncodeInit\fR\|(3), \&\fBEVP_PKEY_new\fR\|(3), \&\fBEVP_PKEY_set1_RSA\fR\|(3), \&\fBEVP_PKEY_keygen\fR\|(3), \&\fBEVP_PKEY_print_private\fR\|(3), \&\fBEVP_PKEY_decrypt\fR\|(3), \&\fBEVP_PKEY_encrypt\fR\|(3), \&\fBEVP_PKEY_sign\fR\|(3), \&\fBEVP_PKEY_verify\fR\|(3), \&\fBEVP_PKEY_verify_recover\fR\|(3), \&\fBEVP_PKEY_derive\fR\|(3), \&\fBEVP_BytesToKey\fR\|(3), \&\fBENGINE_by_id\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2000\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!Zossl_store.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. 
.de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . 
ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "OSSL_STORE 7" .TH OSSL_STORE 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. 
.if n .ad l .nh .SH "NAME" ossl_store \- Store retrieval functions .SH "SYNOPSIS" .IX Header "SYNOPSIS" #include <openssl/store.h> .SH "DESCRIPTION" .IX Header "DESCRIPTION" .SS "General" .IX Subsection "General" A \s-1STORE\s0 is a layer of functionality to retrieve a number of supported objects from a repository of any kind, addressable as a filename or as a \s-1URI.\s0 .PP The functionality supports the pattern \*(L"open a channel to the repository\*(R", \*(L"loop and retrieve one object at a time\*(R", and \*(L"finish up by closing the channel\*(R". .PP The retrieved objects are returned as a wrapper type \fB\s-1OSSL_STORE_INFO\s0\fR, from which an OpenSSL type can be retrieved. .SS "\s-1URI\s0 schemes and loaders" .IX Subsection "URI schemes and loaders" Support for a \s-1URI\s0 scheme is called a \s-1STORE\s0 \*(L"loader\*(R", and can be added dynamically from the calling application or from a loadable engine. .PP Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. See \fBossl_store\-file\fR\|(7) for more information. .SS "\s-1UI_METHOD\s0 and pass phrases" .IX Subsection "UI_METHOD and pass phrases" The \fB\s-1OSSL_STORE\s0\fR \s-1API\s0 does nothing to enforce any specific format or encoding on the pass phrase that the \fB\s-1UI_METHOD\s0\fR provides. However, the pass phrase is expected to be \s-1UTF\-8\s0 encoded. The result of any other encoding is undefined. 
.SH "EXAMPLES" .IX Header "EXAMPLES" .SS "A generic call" .IX Subsection "A generic call" .Vb 1 \& OSSL_STORE_CTX *ctx = OSSL_STORE_open("file:/foo/bar/data.pem"); \& \& /* \& * OSSL_STORE_eof() simulates file semantics for any repository to signal \& * that no more data can be expected \& */ \& while (!OSSL_STORE_eof(ctx)) { \& OSSL_STORE_INFO *info = OSSL_STORE_load(ctx); \& \& /* \& * Do whatever is necessary with the OSSL_STORE_INFO, \& * here just one example \& */ \& switch (OSSL_STORE_INFO_get_type(info)) { \& case OSSL_STORE_INFO_CERT: \& /* Print the X.509 certificate text */ \& X509_print_fp(stdout, OSSL_STORE_INFO_get0_CERT(info)); \& /* Print the X.509 certificate PEM output */ \& PEM_write_X509(stdout, OSSL_STORE_INFO_get0_CERT(info)); \& break; \& } \& } \& \& OSSL_STORE_close(ctx); .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\s-1\fBOSSL_STORE_INFO\s0\fR\|(3), \s-1\fBOSSL_STORE_LOADER\s0\fR\|(3), \&\fBOSSL_STORE_open\fR\|(3), \fBOSSL_STORE_expect\fR\|(3), \&\s-1\fBOSSL_STORE_SEARCH\s0\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2016\-2021 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!pVDVDRAND_DRBG.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. 
Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "RAND_DRBG 7" .TH RAND_DRBG 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" RAND_DRBG \- the deterministic random bit generator .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" The default OpenSSL \s-1RAND\s0 method is based on the \s-1RAND_DRBG\s0 class, which implements a deterministic random bit generator (\s-1DRBG\s0). A \s-1DRBG\s0 is a certain type of cryptographically-secure pseudo-random number generator (\s-1CSPRNG\s0), which is described in [\s-1NIST SP 800\-90A\s0 Rev. 1]. 
.PP While the \s-1RAND API\s0 is the 'frontend' which is intended to be used by application developers for obtaining random bytes, the \s-1RAND_DRBG API\s0 serves as the 'backend', connecting the former with the operating system's entropy sources and providing access to the \s-1DRBG\s0's configuration parameters. .SS "Disclaimer" .IX Subsection "Disclaimer" Unless you have very specific requirements for your random generator, it is in general not necessary to utilize the \s-1RAND_DRBG API\s0 directly. The usual way to obtain random bytes is to use \fBRAND_bytes\fR\|(3) or \&\fBRAND_priv_bytes\fR\|(3), see also \s-1\fBRAND\s0\fR\|(7). .SS "Typical Use Cases" .IX Subsection "Typical Use Cases" Typical examples for such special use cases are the following: .IP "\(bu" 2 You want to use your own private \s-1DRBG\s0 instances. Multiple \s-1DRBG\s0 instances which are accessed only by a single thread provide additional security (because their internal states are independent) and better scalability in multithreaded applications (because they don't need to be locked). .IP "\(bu" 2 You need to integrate a previously unsupported entropy source. .IP "\(bu" 2 You need to change the default settings of the standard OpenSSL \s-1RAND\s0 implementation to meet specific requirements. .SH "CHAINING" .IX Header "CHAINING" A \s-1DRBG\s0 instance can be used as the entropy source of another \s-1DRBG\s0 instance, provided it has itself access to a valid entropy source. The \s-1DRBG\s0 instance which acts as entropy source is called the \fIparent\fR \s-1DRBG,\s0 the other instance the \fIchild\fR \s-1DRBG.\s0 .PP This is called chaining. A chained \s-1DRBG\s0 instance is created by passing a pointer to the parent \s-1DRBG\s0 as argument to the \fBRAND_DRBG_new()\fR call. It is possible to create chains of more than two \s-1DRBG\s0 in a row. 
.SH "THE THREE SHARED DRBG INSTANCES" .IX Header "THE THREE SHARED DRBG INSTANCES" Currently, there are three shared \s-1DRBG\s0 instances, the <master>, <public>, and <private> \s-1DRBG.\s0 While the <master> \s-1DRBG\s0 is a single global instance, the <public> and <private> \&\s-1DRBG\s0 are created per thread and accessed through thread-local storage. .PP By default, the functions \fBRAND_bytes\fR\|(3) and \fBRAND_priv_bytes\fR\|(3) use the thread-local <public> and <private> \s-1DRBG\s0 instance, respectively. .SS "The <master> \s-1DRBG\s0 instance" .IX Subsection "The <master> DRBG instance" The <master> \s-1DRBG\s0 is not used directly by the application, only for reseeding the other two \s-1DRBG\s0 instances. It reseeds itself by obtaining randomness either from os entropy sources or by consuming randomness which was added previously by \fBRAND_add\fR\|(3). .SS "The <public> \s-1DRBG\s0 instance" .IX Subsection "The <public> DRBG instance" This instance is used per default by \fBRAND_bytes\fR\|(3). .SS "The <private> \s-1DRBG\s0 instance" .IX Subsection "The <private> DRBG instance" This instance is used per default by \fBRAND_priv_bytes\fR\|(3). .SH "LOCKING" .IX Header "LOCKING" The <master> \s-1DRBG\s0 is intended to be accessed concurrently for reseeding by its child \s-1DRBG\s0 instances. The necessary locking is done internally. It is \fInot\fR thread-safe to access the <master> \s-1DRBG\s0 directly via the \&\s-1RAND_DRBG\s0 interface. The <public> and <private> \s-1DRBG\s0 are thread-local, i.e. there is an instance of each per thread. So they can safely be accessed without locking via the \s-1RAND_DRBG\s0 interface. .PP Pointers to these \s-1DRBG\s0 instances can be obtained using \&\fBRAND_DRBG_get0_master()\fR, \&\fBRAND_DRBG_get0_public()\fR, and \&\fBRAND_DRBG_get0_private()\fR, respectively. Note that it is not allowed to store a pointer to one of the thread-local \&\s-1DRBG\s0 instances in a variable or other memory location where it will be accessed and used by multiple threads. 
.PP All other \s-1DRBG\s0 instances created by an application don't support locking, because they are intended to be used by a single thread. Instead of accessing a single \s-1DRBG\s0 instance concurrently from different threads, it is recommended to instantiate a separate \s-1DRBG\s0 instance per thread. Using the <master> \s-1DRBG\s0 as entropy source for multiple \s-1DRBG\s0 instances on different threads is thread-safe, because the \s-1DRBG\s0 instance will lock the <master> \s-1DRBG\s0 automatically for obtaining random input. .SH "THE OVERALL PICTURE" .IX Header "THE OVERALL PICTURE" The following picture gives an overview of how the \s-1DRBG\s0 instances work together and are being used. .PP .Vb 10 \& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ \& | os entropy sources | \& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ \& | \& v +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ \& RAND_add() ==> <master> <\-| shared DRBG (with locking) | \& / \e +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ \& / \e +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ \& <public> <private> <\- | per\-thread DRBG instances | \& | | +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ \& v v \& RAND_bytes() RAND_priv_bytes() \& | ^ \& | | \& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ \& | general purpose | | used for secrets like session keys | \& | random generator | | and private keys for certificates | \& +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ +\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+ .Ve .PP The usual way to obtain random bytes is to call RAND_bytes(...) or RAND_priv_bytes(...). These calls are roughly equivalent to calling RAND_DRBG_bytes(<public>, ...) and RAND_DRBG_bytes(<private>, ...), respectively. The method \fBRAND_DRBG_bytes\fR\|(3) is a convenience method wrapping the \fBRAND_DRBG_generate\fR\|(3) function, which serves the actual request for random data. 
.SH "RESEEDING" .IX Header "RESEEDING" A \s-1DRBG\s0 instance seeds itself automatically, pulling random input from its entropy source. The entropy source can be either a trusted operating system entropy source, or another \s-1DRBG\s0 with access to such a source. .PP Automatic reseeding occurs after a predefined number of generate requests. The selection of the trusted entropy sources is configured at build time using the \-\-with\-rand\-seed option. The following sections explain the reseeding process in more detail. .SS "Automatic Reseeding" .IX Subsection "Automatic Reseeding" Before satisfying a generate request (\fBRAND_DRBG_generate\fR\|(3)), the \s-1DRBG\s0 reseeds itself automatically, if one of the following conditions holds: .PP \&\- the \s-1DRBG\s0 was not instantiated (=seeded) yet or has been uninstantiated. .PP \&\- the number of generate requests since the last reseeding exceeds a certain threshold, the so called \fIreseed_interval\fR. This behaviour can be disabled by setting the \fIreseed_interval\fR to 0. .PP \&\- the time elapsed since the last reseeding exceeds a certain time interval, the so called \fIreseed_time_interval\fR. This can be disabled by setting the \fIreseed_time_interval\fR to 0. .PP \&\- the \s-1DRBG\s0 is in an error state. .PP \&\fBNote\fR: An error state is entered if the entropy source fails while the \s-1DRBG\s0 is seeding or reseeding. The last case ensures that the \s-1DRBG\s0 automatically recovers from the error as soon as the entropy source is available again. .SS "Manual Reseeding" .IX Subsection "Manual Reseeding" In addition to automatic reseeding, the caller can request an immediate reseeding of the \s-1DRBG\s0 with fresh entropy by setting the \&\fIprediction resistance\fR parameter to 1 when calling \fBRAND_DRBG_generate\fR\|(3). 
.PP The document [\s-1NIST SP 800\-90C\s0] describes prediction resistance requests in detail and imposes strict conditions on the entropy sources that are approved for providing prediction resistance. Since the default \s-1DRBG\s0 implementation does not have access to such an approved entropy source, a request for prediction resistance will currently always fail. In other words, prediction resistance is not yet supported by the \s-1DRBG.\s0 .PP For the three shared DRBGs (and only for these) there is another way to reseed them manually: If \fBRAND_add\fR\|(3) is called with a positive \fIrandomness\fR argument (or \fBRAND_seed\fR\|(3)), then this will immediately reseed the <master> \s-1DRBG.\s0 The <public> and <private> \s-1DRBG\s0 will detect this on their next generate call and reseed, pulling randomness from <master>. .PP The last feature has been added to support the common practice used with previous OpenSSL versions to call \fBRAND_add()\fR before calling \fBRAND_bytes()\fR. .SS "Entropy Input vs. Additional Data" .IX Subsection "Entropy Input vs. Additional Data" The \s-1DRBG\s0 distinguishes two different types of random input: \fIentropy\fR, which comes from a trusted source, and \fIadditional input\fR, which can optionally be added by the user and is considered untrusted. It is possible to add \fIadditional input\fR not only during reseeding, but also for every generate request. This is in fact done automatically by \fBRAND_DRBG_bytes\fR\|(3). .SS "Configuring the Random Seed Source" .IX Subsection "Configuring the Random Seed Source" In most cases OpenSSL will automatically choose a suitable seed source for automatically seeding and reseeding its <master> \s-1DRBG.\s0 In some cases however, it will be necessary to explicitly specify a seed source during configuration, using the \-\-with\-rand\-seed option. For more information, see the \s-1INSTALL\s0 instructions. There are also operating systems where no seed source is available and automatic reseeding is disabled by default. 
.PP The following two sections describe the reseeding process of the master \&\s-1DRBG,\s0 depending on whether automatic reseeding is available or not. .SS "Reseeding the master \s-1DRBG\s0 with automatic seeding enabled" .IX Subsection "Reseeding the master DRBG with automatic seeding enabled" Calling \fBRAND_poll()\fR or \fBRAND_add()\fR is not necessary, because the \s-1DRBG\s0 pulls the necessary entropy from its source automatically. However, both calls are permitted, and do reseed the \s-1RNG.\s0 .PP \&\fBRAND_add()\fR can be used to add both kinds of random input, depending on the value of the \fBrandomness\fR argument: .IP "randomness == 0:" 4 .IX Item "randomness == 0:" The random bytes are mixed as additional input into the current state of the \s-1DRBG.\s0 Mixing in additional input is not considered a full reseeding, hence the reseed counter is not reset. .IP "randomness > 0:" 4 .IX Item "randomness > 0:" The random bytes are used as entropy input for a full reseeding (resp. reinstantiation) if the \s-1DRBG\s0 is instantiated (resp. uninstantiated or in an error state). The number of random bits required for reseeding is determined by the security strength of the \s-1DRBG.\s0 Currently it defaults to 256 bits (32 bytes). It is possible to provide less randomness than required. In this case the missing randomness will be obtained by pulling random input from the trusted entropy sources. .SS "Reseeding the master \s-1DRBG\s0 with automatic seeding disabled" .IX Subsection "Reseeding the master DRBG with automatic seeding disabled" Calling \fBRAND_poll()\fR will always fail. .PP \&\fBRAND_add()\fR needs to be called for initial seeding and periodic reseeding. At least 48 bytes (384 bits) of randomness have to be provided, otherwise the (re\-)seeding of the \s-1DRBG\s0 will fail. This corresponds to one and a half times the security strength of the \s-1DRBG.\s0 The extra half is used for the nonce during instantiation. 
.PP More precisely, the number of bytes needed for seeding depend on the \&\fIsecurity strength\fR of the \s-1DRBG,\s0 which is set to 256 by default. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBRAND_DRBG_bytes\fR\|(3), \&\fBRAND_DRBG_generate\fR\|(3), \&\fBRAND_DRBG_reseed\fR\|(3), \&\fBRAND_DRBG_get0_master\fR\|(3), \&\fBRAND_DRBG_get0_public\fR\|(3), \&\fBRAND_DRBG_get0_private\fR\|(3), \&\fBRAND_DRBG_set_reseed_interval\fR\|(3), \&\fBRAND_DRBG_set_reseed_time_interval\fR\|(3), \&\fBRAND_DRBG_set_reseed_defaults\fR\|(3), \&\s-1\fBRAND\s0\fR\|(7), .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!5*wwSM2.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . 
ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "SM2 7" .TH SM2 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" SM2 \- Chinese SM2 signature and encryption algorithm support .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fB\s-1SM2\s0\fR algorithm was first defined by the Chinese national standard \s-1GM/T 0003\-2012\s0 and was later standardized by \s-1ISO\s0 as \s-1ISO/IEC 14888.\s0 \fB\s-1SM2\s0\fR is actually an elliptic curve based algorithm. The current implementation in OpenSSL supports both signature and encryption schemes via the \s-1EVP\s0 interface. .PP When doing the \fB\s-1SM2\s0\fR signature algorithm, it requires a distinguishing identifier to form the message prefix which is hashed before the real message is hashed. .SH "NOTES" .IX Header "NOTES" \&\fB\s-1SM2\s0\fR signatures can be generated by using the 'DigestSign' series of APIs, for instance, \fBEVP_DigestSignInit()\fR, \fBEVP_DigestSignUpdate()\fR and \fBEVP_DigestSignFinal()\fR. Ditto for the verification process by calling the 'DigestVerify' series of APIs. .PP There are several special steps that need to be done before computing an \fB\s-1SM2\s0\fR signature. .PP The \fB\s-1EVP_PKEY\s0\fR structure will default to using \s-1ECDSA\s0 for signatures when it is created. 
It should be set to \fB\s-1EVP_PKEY_SM2\s0\fR by calling: .PP .Vb 1 \& EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); .Ve .PP Then an \s-1ID\s0 should be set by calling: .PP .Vb 1 \& EVP_PKEY_CTX_set1_id(pctx, id, id_len); .Ve .PP When calling the \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR functions, a preallocated \fB\s-1EVP_PKEY_CTX\s0\fR should be assigned to the \fB\s-1EVP_MD_CTX\s0\fR. This is done by calling: .PP .Vb 1 \& EVP_MD_CTX_set_pkey_ctx(mctx, pctx); .Ve .PP And normally there is no need to pass a \fBpctx\fR parameter to \fBEVP_DigestSignInit()\fR or \fBEVP_DigestVerifyInit()\fR in such a scenario. .SH "EXAMPLES" .IX Header "EXAMPLES" This example demonstrates the calling sequence for using an \fB\s-1EVP_PKEY\s0\fR to verify a message with the \s-1SM2\s0 signature algorithm and the \s-1SM3\s0 hash algorithm: .PP .Vb 1 \& #include \& \& /* obtain an EVP_PKEY using whatever methods... */ \& EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); \& mctx = EVP_MD_CTX_new(); \& pctx = EVP_PKEY_CTX_new(pkey, NULL); \& EVP_PKEY_CTX_set1_id(pctx, id, id_len); \& EVP_MD_CTX_set_pkey_ctx(mctx, pctx);; \& EVP_DigestVerifyInit(mctx, NULL, EVP_sm3(), NULL, pkey); \& EVP_DigestVerifyUpdate(mctx, msg, msg_len); \& EVP_DigestVerifyFinal(mctx, sig, sig_len) .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_CTX_new\fR\|(3), \&\fBEVP_PKEY_set_alias_type\fR\|(3), \&\fBEVP_DigestSignInit\fR\|(3), \&\fBEVP_DigestVerifyInit\fR\|(3), \&\fBEVP_PKEY_CTX_set1_id\fR\|(3), \&\fBEVP_MD_CTX_set_pkey_ctx\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . 
PK!ed@.@.passphrase-encoding.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . 
ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "PASSPHRASE-ENCODING 7" .TH PASSPHRASE-ENCODING 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. 
.if n .ad l .nh .SH "NAME" passphrase\-encoding \&\- How diverse parts of OpenSSL treat pass phrase character encoding .SH "DESCRIPTION" .IX Header "DESCRIPTION" In a modern world with all sorts of character encodings, the treatment of pass phrases has become increasingly complex. This manual page attempts to give an overview of how this problem is currently addressed in different parts of the OpenSSL library. .SS "The general case" .IX Subsection "The general case" The OpenSSL library doesn't treat pass phrases in any special way as a general rule, and trusts the application or user to choose a suitable character set and stick to that throughout the lifetime of affected objects. This means that for an object that was encrypted using a pass phrase encoded in \&\s-1ISO\-8859\-1,\s0 that object needs to be decrypted using a pass phrase encoded in \&\s-1ISO\-8859\-1.\s0 Using the wrong encoding is expected to cause a decryption failure. .SS "PKCS#12" .IX Subsection "PKCS#12" PKCS#12 is a bit different regarding pass phrase encoding. The standard stipulates that the pass phrase shall be encoded as an \s-1ASN.1\s0 BMPString, which consists of the code points of the basic multilingual plane, encoded in big endian (\s-1UCS\-2 BE\s0). .PP OpenSSL tries to adapt to this requirement in one of the following ways: .IP "1." 4 Treats the received pass phrase as \s-1UTF\-8\s0 encoded and tries to re-encode it to \&\s-1UTF\-16\s0 (which is the same as \s-1UCS\-2\s0 for characters U+0000 to U+D7FF and U+E000 to U+FFFF, but becomes an expansion for any other character), or failing that, proceeds with step 2. .IP "2." 4 Assumes that the pass phrase is encoded in \s-1ASCII\s0 or \s-1ISO\-8859\-1\s0 and opportunistically prepends each byte with a zero byte to obtain the \s-1UCS\-2\s0 encoding of the characters, which it stores as a BMPString. 
.Sp Note that since there is no check of your locale, this may produce \s-1UCS\-2 / UTF\-16\s0 characters that do not correspond to the original pass phrase characters for other character sets, such as any \s-1ISO\-8859\-X\s0 encoding other than \&\s-1ISO\-8859\-1\s0 (or for Windows, \s-1CP 1252\s0 with the exception of the extra \*(L"graphical\*(R" characters in the 0x80\-0x9F range). .PP OpenSSL versions older than 1.1.0 do variant 2 only, and OpenSSL still does this in order to be able to read files produced with older versions. .PP It should be noted that this approach isn't entirely fault free. .PP A pass phrase encoded in \s-1ISO\-8859\-2\s0 could very well have a sequence such as 0xC3 0xAF (which are the two characters \*(L"\s-1LATIN CAPITAL LETTER A WITH BREVE\*(R"\s0 and \*(L"\s-1LATIN CAPITAL LETTER Z WITH DOT ABOVE\*(R"\s0 in \s-1ISO\-8859\-2\s0 encoding), but this would be misinterpreted as the perfectly valid \s-1UTF\-8\s0 encoded code point U+00EF (\s-1LATIN SMALL LETTER I WITH DIAERESIS\s0) \fIif the pass phrase doesn't contain anything that would be invalid \s-1UTF\-8\s0\fR. A pass phrase that contains this kind of byte sequence will give a different outcome in OpenSSL 1.1.0 and newer than in OpenSSL older than 1.1.0. .PP .Vb 2 \& 0x00 0xC3 0x00 0xAF # OpenSSL older than 1.1.0 \& 0x00 0xEF # OpenSSL 1.1.0 and newer .Ve .PP By the same token, anything encoded in \s-1UTF\-8\s0 that was given to OpenSSL older than 1.1.0 was misinterpreted as \s-1ISO\-8859\-1\s0 sequences. .SS "\s-1OSSL_STORE\s0" .IX Subsection "OSSL_STORE" \&\fBossl_store\fR\|(7) acts as a general interface to access all kinds of objects, potentially protected with a pass phrase, a \s-1PIN\s0 or something else. This \s-1API\s0 stipulates that pass phrases should be \s-1UTF\-8\s0 encoded, and that any other pass phrase encoding may give undefined results. 
This \s-1API\s0 relies on the application to ensure \s-1UTF\-8\s0 encoding, and doesn't check that this is the case, so what it gets, it will also pass to the underlying loader. .SH "RECOMMENDATIONS" .IX Header "RECOMMENDATIONS" This section assumes that you know what pass phrase was used for encryption, but that it may have been encoded in a different character encoding than the one used by your current input method. For example, the pass phrase may have been used at a time when your default encoding was \s-1ISO\-8859\-1\s0 (i.e. \*(L"nai\*:ve\*(R" resulting in the byte sequence 0x6E 0x61 0xEF 0x76 0x65), and you're now in an environment where your default encoding is \s-1UTF\-8\s0 (i.e. \*(L"nai\*:ve\*(R" resulting in the byte sequence 0x6E 0x61 0xC3 0xAF 0x76 0x65). Whenever it's mentioned that you should use a certain character encoding, it should be understood that you either change the input method to use the mentioned encoding when you type in your pass phrase, or use some suitable tool to convert your pass phrase from your default encoding to the target encoding. .PP Also note that the sub-sections below discuss human readable pass phrases. This is particularly relevant for PKCS#12 objects, where human readable pass phrases are assumed. For other objects, it's as legitimate to use any byte sequence (such as a sequence of bytes from `/dev/urandom` that's been saved away), which makes any character encoding discussion irrelevant; in such cases, simply use the same byte sequence as it is. .SS "Creating new objects" .IX Subsection "Creating new objects" For creating new pass phrase protected objects, make sure the pass phrase is encoded using \s-1UTF\-8.\s0 This is default on most modern Unixes, but may involve an effort on other platforms. 
Specifically for Windows, setting the environment variable \&\f(CW\*(C`OPENSSL_WIN32_UTF8\*(C'\fR will have anything entered on [Windows] console prompt converted to \s-1UTF\-8\s0 (command line and separately prompted pass phrases alike). .SS "Opening existing objects" .IX Subsection "Opening existing objects" For opening pass phrase protected objects where you know what character encoding was used for the encryption pass phrase, make sure to use the same encoding again. .PP For opening pass phrase protected objects where the character encoding that was used is unknown, or where the producing application is unknown, try one of the following: .IP "1." 4 Try the pass phrase that you have as it is in the character encoding of your environment. It's possible that its byte sequence is exactly right. .IP "2." 4 Convert the pass phrase to \s-1UTF\-8\s0 and try with the result. Specifically with PKCS#12, this should open up any object that was created according to the specification. .IP "3." 4 Do a nai\*:ve (i.e. purely mathematical) \s-1ISO\-8859\-1\s0 to \s-1UTF\-8\s0 conversion and try with the result. This differs from the previous attempt because \s-1ISO\-8859\-1\s0 maps directly to U+0000 to U+00FF, which other non\-UTF\-8 character sets do not. .Sp This also takes care of the case when a \s-1UTF\-8\s0 encoded string was used with OpenSSL older than 1.1.0. (for example, \f(CW\*(C`i\*:\*(C'\fR, which is 0xC3 0xAF when encoded in \s-1UTF\-8,\s0 would become 0xC3 0x83 0xC2 0xAF when re-encoded in the nai\*:ve manner. 
The conversion to BMPString would then yield 0x00 0xC3 0x00 0xA4 0x00 0x00, the erroneous/non\-compliant encoding used by OpenSSL older than 1.1.0) .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBevp\fR\|(7), \&\fBossl_store\fR\|(7), \&\fBEVP_BytesToKey\fR\|(3), \fBEVP_DecryptInit\fR\|(3), \&\fBPEM_do_header\fR\|(3), \&\fBPKCS12_parse\fR\|(3), \fBPKCS12_newpass\fR\|(3), \&\fBd2i_PKCS8PrivateKey_bio\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2018\-2020 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!"^**ossl_store-file.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. 
.ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "OSSL_STORE-FILE 7" .TH OSSL_STORE-FILE 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" ossl_store\-file \- The store 'file' scheme loader .SH "SYNOPSIS" .IX Header "SYNOPSIS" #include .SH "DESCRIPTION" .IX Header "DESCRIPTION" Support for the 'file' scheme is built into \f(CW\*(C`libcrypto\*(C'\fR. Since files come in all kinds of formats and content types, the 'file' scheme has its own layer of functionality called \*(L"file handlers\*(R", which are used to try to decode diverse types of file contents. .PP In case a file is formatted as \s-1PEM,\s0 each called file handler receives the \s-1PEM\s0 name (everything following any '\f(CW\*(C`\-\-\-\-\-BEGIN \*(C'\fR') as well as possible \s-1PEM\s0 headers, together with the decoded \s-1PEM\s0 body. Since \s-1PEM\s0 formatted files can contain more than one object, the file handlers are called upon for each such object. .PP If the file isn't determined to be formatted as \s-1PEM,\s0 the content is loaded in raw form in its entirety and passed to the available file handlers as is, with no \s-1PEM\s0 name or headers. .PP Each file handler is expected to handle \s-1PEM\s0 and non-PEM content as appropriate. 
Some may refuse non-PEM content for the sake of determinism (for example, there are keys out in the wild that are represented as an \s-1ASN.1 OCTET STRING.\s0 In raw form, it's not easily possible to distinguish those from any other data coming as an \s-1ASN.1 OCTET STRING,\s0 so such keys would naturally be accepted as \s-1PEM\s0 files only). .SH "NOTES" .IX Header "NOTES" When needed, the 'file' scheme loader will require a pass phrase by using the \f(CW\*(C`UI_METHOD\*(C'\fR that was passed via \fBOSSL_STORE_open()\fR. This pass phrase is expected to be \s-1UTF\-8\s0 encoded, anything else will give an undefined result. The files made accessible through this loader are expected to be standard compliant with regards to pass phrase encoding. Files that aren't should be re-generated with a correctly encoded pass phrase. See \fBpassphrase\-encoding\fR\|(7) for more information. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBossl_store\fR\|(7), \fBpassphrase\-encoding\fR\|(7) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!%CBct.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. 
\*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "CT 7" .TH CT 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" ct \- Certificate Transparency .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" This library implements Certificate Transparency (\s-1CT\s0) verification for \s-1TLS\s0 clients, as defined in \s-1RFC 6962.\s0 This verification can provide some confidence that a certificate has been publicly logged in a set of \s-1CT\s0 logs. .PP By default, these checks are disabled. They can be enabled using \&\fBSSL_CTX_enable_ct\fR\|(3) or \fBSSL_enable_ct\fR\|(3). .PP This library can also be used to parse and examine \s-1CT\s0 data structures, such as Signed Certificate Timestamps (SCTs), or to read a list of \s-1CT\s0 logs. 
There are functions for: \&\- decoding and encoding SCTs in \s-1DER\s0 and \s-1TLS\s0 wire format. \&\- printing SCTs. \&\- verifying the authenticity of SCTs. \&\- loading a \s-1CT\s0 log list from a \s-1CONF\s0 file. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBd2i_SCT_LIST\fR\|(3), \&\fBCTLOG_STORE_new\fR\|(3), \&\fBCTLOG_STORE_get0_log_by_id\fR\|(3), \&\fBSCT_new\fR\|(3), \&\fBSCT_print\fR\|(3), \&\fBSCT_validate\fR\|(3), \&\fBSCT_validate\fR\|(3), \&\fBCT_POLICY_EVAL_CTX_new\fR\|(3), \&\fBSSL_CTX_set_ct_validation_callback\fR\|(3) .SH "HISTORY" .IX Header "HISTORY" The ct library was added in OpenSSL 1.1.0. .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2016\-2017 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK! RAND.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . 
ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "RAND 7" .TH RAND 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" RAND \&\- the OpenSSL random generator .SH "DESCRIPTION" .IX Header "DESCRIPTION" Random numbers are a vital part of cryptography, they are needed to provide unpredictability for tasks like key generation, creating salts, and many more. Software-based generators must be seeded with external randomness before they can be used as a cryptographically-secure pseudo-random number generator (\s-1CSPRNG\s0). The availability of common hardware with special instructions and modern operating systems, which may use items such as interrupt jitter and network packet timings, can be reasonable sources of seeding material. 
.PP OpenSSL comes with a default implementation of the \s-1RAND API\s0 which is based on the deterministic random bit generator (\s-1DRBG\s0) model as described in [\s-1NIST SP 800\-90A\s0 Rev. 1]. The default random generator will initialize automatically on first use and will be fully functional without having to be initialized ('seeded') explicitly. It seeds and reseeds itself automatically using trusted random sources provided by the operating system. .PP As a normal application developer, you do not have to worry about any details; just use \fBRAND_bytes\fR\|(3) to obtain random data. Having said that, there is one important rule to obey: Always check the error return value of \fBRAND_bytes\fR\|(3) and do not take randomness for granted; when the call reports failure, do not use the contents of the output buffer as random data. Although (re\-)seeding is automatic, it can fail because no trusted random source is available or the trusted source(s) temporarily fail to provide sufficient random seed material. In this case the \s-1CSPRNG\s0 enters an error state and ceases to provide output, until it is able to recover from the error by reseeding itself. For more details on reseeding and error recovery, see \s-1\fBRAND_DRBG\s0\fR\|(7). .PP For values that should remain secret, you can use \fBRAND_priv_bytes\fR\|(3) instead. This method does not provide 'better' randomness; it uses the same type of \s-1CSPRNG.\s0 The intention behind using a dedicated \s-1CSPRNG\s0 exclusively for private values is that none of its output should become visible to an attacker (as it would if it were used, e.g., as a salt value), in order to reveal as little information as possible about its internal state, and that a compromise of the \*(L"public\*(R" \&\s-1CSPRNG\s0 instance will not affect the secrecy of these private values. .PP In the rare case where the default implementation does not satisfy your special requirements, there are two options: .IP "\(bu" 2 Replace the default \s-1RAND\s0 method with your own \s-1RAND\s0 method using \&\fBRAND_set_rand_method\fR\|(3). 
.IP "\(bu" 2 Modify the default settings of the OpenSSL \s-1RAND\s0 method by modifying the security parameters of the underlying \s-1DRBG,\s0 which is described in detail in \s-1\fBRAND_DRBG\s0\fR\|(7). .PP Changing the default random generator or its default parameters should be necessary only in exceptional cases and is not recommended, unless you have a profound knowledge of cryptographic principles and understand the implications of your changes. .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBRAND_add\fR\|(3), \&\fBRAND_bytes\fR\|(3), \&\fBRAND_priv_bytes\fR\|(3), \&\fBRAND_get_rand_method\fR\|(3), \&\fBRAND_set_rand_method\fR\|(3), \&\fBRAND_OpenSSL\fR\|(3), \&\s-1\fBRAND_DRBG\s0\fR\|(7) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2018\-2019 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!E5B-- RSA-PSS.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . 
if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . 
\" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "RSA-PSS 7" .TH RSA-PSS 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" RSA\-PSS \- EVP_PKEY RSA\-PSS algorithm support .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \fBRSA-PSS\fR \s-1EVP_PKEY\s0 implementation is a restricted version of the \s-1RSA\s0 algorithm which only supports signing, verification and key generation using \s-1PSS\s0 padding modes with optional parameter restrictions. .PP It has associated private key and public key formats. .PP This algorithm shares several control operations with the \fB\s-1RSA\s0\fR algorithm but with some restrictions described below. 
.SS "Signing and Verification" .IX Subsection "Signing and Verification" Signing and verification is similar to the \fB\s-1RSA\s0\fR algorithm except the padding mode is always \s-1PSS.\s0 If the key in use has parameter restrictions then the corresponding signature parameters are set to the restrictions: for example, if the key can only be used with digest \s-1SHA256, MGF1 SHA256\s0 and minimum salt length 32 then the digest, \s-1MGF1\s0 digest and salt length will be set to \s-1SHA256, SHA256\s0 and 32 respectively. .SS "Key Generation" .IX Subsection "Key Generation" By default no parameter restrictions are placed on the generated key. .SH "NOTES" .IX Header "NOTES" The public key format is documented in \s-1RFC4055.\s0 .PP The PKCS#8 private key format used for RSA-PSS keys is similar to the \s-1RSA\s0 format except it uses the \fBid-RSASSA-PSS\fR \s-1OID\s0 and the parameters field, if present, restricts the key parameters in the same way as the public key. .SH "CONFORMING TO" .IX Header "CONFORMING TO" \&\s-1RFC 4055\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_md\fR\|(3), \&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md\fR\|(3), \&\fBEVP_PKEY_CTX_set_rsa_pss_keygen_saltlen\fR\|(3), \&\fBEVP_PKEY_CTX_new\fR\|(3), \&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3), \&\fBEVP_PKEY_derive\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2018 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!u|j   x509.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. 
.de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . 
ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "X509 7" .TH X509 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" x509 \- X.509 certificate handling .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" An X.509 certificate is a structured grouping of information about an individual, a device, or anything one can imagine. An X.509 \s-1CRL\s0 (certificate revocation list) is a tool to help determine if a certificate is still valid. 
The exact definition of those can be found in the X.509 document from ITU-T, or in \s-1RFC3280\s0 from \s-1PKIX.\s0 In OpenSSL, the type X509 is used to express such a certificate, and the type X509_CRL is used to express a \s-1CRL.\s0 .PP A related structure is a certificate request, defined in PKCS#10 from \&\s-1RSA\s0 Security, Inc, also reflected in \s-1RFC2986.\s0 In OpenSSL, the type X509_REQ is used to express such a certificate request. .PP To handle some complex parts of a certificate, there are the types X509_NAME (to express a certificate name), X509_ATTRIBUTE (to express a certificate attribute), X509_EXTENSION (to express a certificate extension) and a few more. .PP Finally, there's the supertype X509_INFO, which can contain a \s-1CRL,\s0 a certificate and a corresponding private key. .PP \&\fBX509_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_\fR\fI\s-1XXX\s0\fR functions handle X.509 certificates, with some exceptions, shown below. .PP \&\fBX509_CRL_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_CRL_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_CRL_\fR\fI\s-1XXX\s0\fR functions handle X.509 CRLs. .PP \&\fBX509_REQ_\fR\fI\s-1XXX\s0\fR, \fBd2i_X509_REQ_\fR\fI\s-1XXX\s0\fR, and \fBi2d_X509_REQ_\fR\fI\s-1XXX\s0\fR functions handle PKCS#10 certificate requests. .PP \&\fBX509_NAME_\fR\fI\s-1XXX\s0\fR functions handle certificate names. .PP \&\fBX509_ATTRIBUTE_\fR\fI\s-1XXX\s0\fR functions handle certificate attributes. .PP \&\fBX509_EXTENSION_\fR\fI\s-1XXX\s0\fR functions handle certificate extensions. 
.SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBX509_NAME_ENTRY_get_object\fR\|(3), \&\fBX509_NAME_add_entry_by_txt\fR\|(3), \&\fBX509_NAME_add_entry_by_NID\fR\|(3), \&\fBX509_NAME_print_ex\fR\|(3), \&\fBX509_NAME_new\fR\|(3), \&\fBd2i_X509\fR\|(3), \&\fBd2i_X509_ALGOR\fR\|(3), \&\fBd2i_X509_CRL\fR\|(3), \&\fBd2i_X509_NAME\fR\|(3), \&\fBd2i_X509_REQ\fR\|(3), \&\fBd2i_X509_SIG\fR\|(3), \&\fBX509v3\fR\|(3), \&\fBcrypto\fR\|(7) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2003\-2021 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK! \ \ scrypt.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. 
.ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "SCRYPT 7" .TH SCRYPT 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" scrypt \- EVP_PKEY scrypt KDF support .SH "DESCRIPTION" .IX Header "DESCRIPTION" The \s-1EVP_PKEY_SCRYPT\s0 algorithm implements the scrypt password based key derivation function, as described in \s-1RFC 7914.\s0 It is memory-hard in the sense that it deliberately requires a significant amount of \s-1RAM\s0 for efficient computation. The intention of this is to render brute forcing of passwords on systems that lack large amounts of main memory (such as GPUs or ASICs) computationally infeasible. .PP scrypt provides three work factors that can be customized: N, r and p. N, which has to be a positive power of two, is the general work factor and scales \s-1CPU\s0 time in an approximately linear fashion. r is the block size of the internally used hash function and p is the parallelization factor. Both r and p need to be greater than zero. The amount of \s-1RAM\s0 that scrypt requires for its computation is roughly (128 * N * r * p) bytes. .PP In the original paper of Colin Percival (\*(L"Stronger Key Derivation via Sequential Memory-Hard Functions\*(R", 2009), the suggested values that give a computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N = 2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for this computation is roughly 1 GiB. 
On a more recent \s-1CPU\s0 (Intel i7\-5930K at 3.5 GHz), this computation takes about 3 seconds. When N, r or p are not specified, they default to 1048576, 8, and 1, respectively. The amount of \s-1RAM\s0 that may be used by scrypt defaults to 1025 MiB. .SH "NOTES" .IX Header "NOTES" A context for scrypt can be obtained by calling: .PP .Vb 1 \& EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL); .Ve .PP The output length of an scrypt key derivation is specified via the length parameter to the \fBEVP_PKEY_derive\fR\|(3) function. .SH "EXAMPLES" .IX Header "EXAMPLES" This example derives a 64\-byte test vector with scrypt, using the password \&\*(L"password\*(R", salt \*(L"NaCl\*(R" and N = 1024, r = 8, p = 16. These inputs are fixed test values, chosen so that the output can be compared with the expected bytes at the end of the example; an application would supply its own secret password and a unique, randomly generated salt. .PP .Vb 2 \& EVP_PKEY_CTX *pctx; \& unsigned char out[64]; \& \& size_t outlen = sizeof(out); \& pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL); \& \& if (EVP_PKEY_derive_init(pctx) <= 0) { \& error("EVP_PKEY_derive_init"); \& } \& if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0) { \& error("EVP_PKEY_CTX_set1_pbe_pass"); \& } \& if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0) { \& error("EVP_PKEY_CTX_set1_scrypt_salt"); \& } \& if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0) { \& error("EVP_PKEY_CTX_set_scrypt_N"); \& } \& if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0) { \& error("EVP_PKEY_CTX_set_scrypt_r"); \& } \& if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0) { \& error("EVP_PKEY_CTX_set_scrypt_p"); \& } \& if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { \& error("EVP_PKEY_derive"); \& } \& \& { \& const unsigned char expected[sizeof(out)] = { \& 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00, \& 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe, \& 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30, \& 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62, \& 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88, \& 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda, \& 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d, \& 0x83, 0x60, 
0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40 \& }; \& \& assert(!memcmp(out, expected, sizeof(out))); \& } \& \& EVP_PKEY_CTX_free(pctx); .Ve .SH "CONFORMING TO" .IX Header "CONFORMING TO" \&\s-1RFC 7914\s0 .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBEVP_PKEY_CTX_set1_scrypt_salt\fR\|(3), \&\fBEVP_PKEY_CTX_set_scrypt_N\fR\|(3), \&\fBEVP_PKEY_CTX_set_scrypt_r\fR\|(3), \&\fBEVP_PKEY_CTX_set_scrypt_p\fR\|(3), \&\fBEVP_PKEY_CTX_set_scrypt_maxmem_bytes\fR\|(3), \&\fBEVP_PKEY_CTX_new\fR\|(3), \&\fBEVP_PKEY_CTX_ctrl_str\fR\|(3), \&\fBEVP_PKEY_derive\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2017\-2019 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!$))des_modes.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . 
ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . 
\" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "DES_MODES 7" .TH DES_MODES 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" des_modes \- the variants of DES and other crypto algorithms of OpenSSL .SH "DESCRIPTION" .IX Header "DESCRIPTION" Several crypto algorithms for OpenSSL can be used in a number of modes. Those are used for using block ciphers in a way similar to stream ciphers, among other things. .SH "OVERVIEW" .IX Header "OVERVIEW" .SS "Electronic Codebook Mode (\s-1ECB\s0)" .IX Subsection "Electronic Codebook Mode (ECB)" Normally, this is found as the function \fIalgorithm\fR\fB_ecb_encrypt()\fR. .IP "\(bu" 2 64 bits are enciphered at a time. .IP "\(bu" 2 The order of the blocks can be rearranged without detection. .IP "\(bu" 2 The same plaintext block always produces the same ciphertext block (for the same key) making it vulnerable to a 'dictionary attack'. .IP "\(bu" 2 An error will only affect one ciphertext block. .SS "Cipher Block Chaining Mode (\s-1CBC\s0)" .IX Subsection "Cipher Block Chaining Mode (CBC)" Normally, this is found as the function \fIalgorithm\fR\fB_cbc_encrypt()\fR. Be aware that \fBdes_cbc_encrypt()\fR is not really \s-1DES CBC\s0 (it does not update the \s-1IV\s0); use \fBdes_ncbc_encrypt()\fR instead. .IP "\(bu" 2 a multiple of 64 bits are enciphered at a time. 
.IP "\(bu" 2 The \s-1CBC\s0 mode produces the same ciphertext whenever the same plaintext is encrypted using the same key and starting variable. .IP "\(bu" 2 The chaining operation makes the ciphertext blocks dependent on the current and all preceding plaintext blocks and therefore blocks can not be rearranged. .IP "\(bu" 2 The use of different starting variables prevents the same plaintext enciphering to the same ciphertext. .IP "\(bu" 2 An error will affect the current and the following ciphertext blocks. .SS "Cipher Feedback Mode (\s-1CFB\s0)" .IX Subsection "Cipher Feedback Mode (CFB)" Normally, this is found as the function \fIalgorithm\fR\fB_cfb_encrypt()\fR. .IP "\(bu" 2 a number of bits (j) <= 64 are enciphered at a time. .IP "\(bu" 2 The \s-1CFB\s0 mode produces the same ciphertext whenever the same plaintext is encrypted using the same key and starting variable. .IP "\(bu" 2 The chaining operation makes the ciphertext variables dependent on the current and all preceding variables and therefore j\-bit variables are chained together and can not be rearranged. .IP "\(bu" 2 The use of different starting variables prevents the same plaintext enciphering to the same ciphertext. .IP "\(bu" 2 The strength of the \s-1CFB\s0 mode depends on the size of k (maximal if j == k). In my implementation this is always the case. .IP "\(bu" 2 Selection of a small value for j will require more cycles through the encipherment algorithm per unit of plaintext and thus cause greater processing overheads. .IP "\(bu" 2 Only multiples of j bits can be enciphered. .IP "\(bu" 2 An error will affect the current and the following ciphertext variables. .SS "Output Feedback Mode (\s-1OFB\s0)" .IX Subsection "Output Feedback Mode (OFB)" Normally, this is found as the function \fIalgorithm\fR\fB_ofb_encrypt()\fR. .IP "\(bu" 2 a number of bits (j) <= 64 are enciphered at a time. 
.IP "\(bu" 2 The \s-1OFB\s0 mode produces the same ciphertext whenever the same plaintext is enciphered using the same key and starting variable. Moreover, in the \s-1OFB\s0 mode the same key stream is produced when the same key and start variable are used. Consequently, for security reasons a specific start variable should be used only once for a given key. .IP "\(bu" 2 The absence of chaining makes the \s-1OFB\s0 more vulnerable to specific attacks. .IP "\(bu" 2 The use of different start variable values prevents the same plaintext enciphering to the same ciphertext, by producing different key streams. .IP "\(bu" 2 Selection of a small value for j will require more cycles through the encipherment algorithm per unit of plaintext and thus cause greater processing overheads. .IP "\(bu" 2 Only multiples of j bits can be enciphered. .IP "\(bu" 2 \&\s-1OFB\s0 mode of operation does not extend ciphertext errors in the resultant plaintext output. Every bit error in the ciphertext causes only one bit to be in error in the deciphered plaintext. .IP "\(bu" 2 \&\s-1OFB\s0 mode is not self-synchronizing. If the two operations of encipherment and decipherment get out of synchronism, the system needs to be re-initialized. .IP "\(bu" 2 Each re-initialization should use a value of the start variable different from the start variable values used before with the same key. The reason for this is that an identical bit stream would be produced each time from the same parameters. This would be susceptible to a 'known plaintext' attack. .SS "Triple \s-1ECB\s0 Mode" .IX Subsection "Triple ECB Mode" Normally, this is found as the function \fIalgorithm\fR\fB_ecb3_encrypt()\fR. .IP "\(bu" 2 Encrypt with key1, decrypt with key2 and encrypt with key3 again. .IP "\(bu" 2 As for \s-1ECB\s0 encryption but increases the key length to 168 bits. 
There are theoretic attacks that can be used that make the effective key length 112 bits, but this attack also requires 2^56 blocks of memory, not very likely, even for the \s-1NSA.\s0 .IP "\(bu" 2 If both keys are the same it is equivalent to encrypting once with just one key. .IP "\(bu" 2 If the first and last key are the same, the key length is 112 bits. There are attacks that could reduce the effective key strength to only slightly more than 56 bits, but these require a lot of memory. .IP "\(bu" 2 If all 3 keys are the same, this is effectively the same as normal ecb mode. .SS "Triple \s-1CBC\s0 Mode" .IX Subsection "Triple CBC Mode" Normally, this is found as the function \fIalgorithm\fR\fB_ede3_cbc_encrypt()\fR. .IP "\(bu" 2 Encrypt with key1, decrypt with key2 and then encrypt with key3. .IP "\(bu" 2 As for \s-1CBC\s0 encryption but increases the key length to 168 bits with the same restrictions as for triple ecb mode. .SH "NOTES" .IX Header "NOTES" This text was been written in large parts by Eric Young in his original documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed it to: .PP .Vb 5 \& AS 2805.5.2 \& Australian Standard \& Electronic funds transfer \- Requirements for interfaces, \& Part 5.2: Modes of operation for an n\-bit block cipher algorithm \& Appendix A .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBBF_encrypt\fR\|(3), \fBDES_crypt\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2000\-2017 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!sbio.7sslnu[.\" Automatically generated by Pod::Man 4.11 (Pod::Simple 3.35) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. 
.de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is >0, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{\ . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . 
ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "BIO 7" .TH BIO 7 "2023-09-11" "1.1.1w" "OpenSSL" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" bio \- Basic I/O abstraction .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& #include .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" A \s-1BIO\s0 is an I/O abstraction, it hides many of the underlying I/O details from an application. If an application uses a \s-1BIO\s0 for its I/O it can transparently handle \s-1SSL\s0 connections, unencrypted network connections and file I/O. 
.PP There are two types of \s-1BIO,\s0 a source/sink \s-1BIO\s0 and a filter \s-1BIO.\s0 .PP As its name implies a source/sink \s-1BIO\s0 is a source and/or sink of data, examples include a socket \s-1BIO\s0 and a file \s-1BIO.\s0 .PP A filter \s-1BIO\s0 takes data from one \s-1BIO\s0 and passes it through to another, or the application. The data may be left unmodified (for example a message digest \s-1BIO\s0) or translated (for example an encryption \s-1BIO\s0). The effect of a filter \s-1BIO\s0 may change according to the I/O operation it is performing: for example an encryption \&\s-1BIO\s0 will encrypt data if it is being written to and decrypt data if it is being read from. .PP BIOs can be joined together to form a chain (a single \s-1BIO\s0 is a chain with one component). A chain normally consists of one source/sink \&\s-1BIO\s0 and one or more filter BIOs. Data read from or written to the first \s-1BIO\s0 then traverses the chain to the end (normally a source/sink \&\s-1BIO\s0). .PP Some BIOs (such as memory BIOs) can be used immediately after calling \&\fBBIO_new()\fR. Others (such as file BIOs) need some additional initialization, and frequently a utility function exists to create and initialize such BIOs. .PP If \fBBIO_free()\fR is called on a \s-1BIO\s0 chain it will only free one \s-1BIO\s0 resulting in a memory leak. .PP Calling \fBBIO_free_all()\fR on a single \s-1BIO\s0 has the same effect as calling \&\fBBIO_free()\fR on it other than the discarded return value. 
.PP Normally the \fBtype\fR argument is supplied by a function which returns a pointer to a \s-1BIO_METHOD.\s0 There is a naming convention for such functions: a source/sink \s-1BIO\s0 is normally called BIO_s_*() and a filter \s-1BIO\s0 BIO_f_*(); .SH "EXAMPLES" .IX Header "EXAMPLES" Create a memory \s-1BIO:\s0 .PP .Vb 1 \& BIO *mem = BIO_new(BIO_s_mem()); .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fBBIO_ctrl\fR\|(3), \&\fBBIO_f_base64\fR\|(3), \fBBIO_f_buffer\fR\|(3), \&\fBBIO_f_cipher\fR\|(3), \fBBIO_f_md\fR\|(3), \&\fBBIO_f_null\fR\|(3), \fBBIO_f_ssl\fR\|(3), \&\fBBIO_find_type\fR\|(3), \fBBIO_new\fR\|(3), \&\fBBIO_new_bio_pair\fR\|(3), \&\fBBIO_push\fR\|(3), \fBBIO_read_ex\fR\|(3), \&\fBBIO_s_accept\fR\|(3), \fBBIO_s_bio\fR\|(3), \&\fBBIO_s_connect\fR\|(3), \fBBIO_s_fd\fR\|(3), \&\fBBIO_s_file\fR\|(3), \fBBIO_s_mem\fR\|(3), \&\fBBIO_s_null\fR\|(3), \fBBIO_s_socket\fR\|(3), \&\fBBIO_set_callback\fR\|(3), \&\fBBIO_should_retry\fR\|(3) .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright 2000\-2019 The OpenSSL Project Authors. All Rights Reserved. .PP Licensed under the OpenSSL license (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at . PK!/f kerberos.7nu[.\" Man page generated from reStructuredText. . .TH "KERBEROS" "7" " " "1.17" "MIT Kerberos" .SH NAME kerberos \- Overview of using Kerberos . .nr rst2man-indent-level 0 . .de1 rstReportMargin \\$1 \\n[an-margin] level \\n[rst2man-indent-level] level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] - \\n[rst2man-indent0] \\n[rst2man-indent1] \\n[rst2man-indent2] .. .de1 INDENT .\" .rstReportMargin pre: . RS \\$1 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] . nr rst2man-indent-level +1 .\" .rstReportMargin post: .. .de UNINDENT . 
RE .\" indent \\n[an-margin] .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] .nr rst2man-indent-level -1 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. .SH DESCRIPTION .sp The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use Kerberos\-enabled programs without having to present passwords or certificates to those programs. .sp If you receive the following response from kinit(1): .sp kinit: Client not found in Kerberos database while getting initial credentials .sp you haven\(aqt been registered as a Kerberos user. See your system administrator. .sp A Kerberos name usually contains three parts. The first is the \fBprimary\fP, which is usually a user\(aqs or service\(aqs name. The second is the \fBinstance\fP, which in the case of a user is usually null. Some users may have privileged instances, however, such as \fBroot\fP or \fBadmin\fP\&. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e. there can be an ssh service running on the machine ABC (\fI\%ssh/ABC@REALM\fP), which is different from the ssh service running on the machine XYZ (\fI\%ssh/XYZ@REALM\fP). The third part of a Kerberos name is the \fBrealm\fP\&. The realm corresponds to the Kerberos service providing authentication for the principal. Realms are conventionally all\-uppercase, and often match the end of hostnames in the realm (for instance, host01.example.com might be in realm EXAMPLE.COM). .sp When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an "@" sign. 
The following are examples of valid Kerberos names: .INDENT 0.0 .INDENT 3.5 .sp .nf .ft C david jennifer/admin joeuser@BLEEP.COM cbrown/root@FUBAR.ORG .ft P .fi .UNINDENT .UNINDENT .sp When you authenticate yourself with Kerberos you get an initial Kerberos \fBticket\fP\&. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as ssh. The ticket transactions are done transparently, so you don\(aqt have to worry about their management. .sp Note, however, that tickets expire. Administrators may configure more privileged tickets, such as those with service or instance of \fBroot\fP or \fBadmin\fP, to expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day. If your login session extends beyond the time limit, you will have to re\-authenticate yourself to Kerberos to get new tickets using the kinit(1) command. .sp Some tickets are \fBrenewable\fP beyond their initial lifetime. This means that \fBkinit \-R\fP can extend their lifetime without requiring you to re\-authenticate. .sp If you wish to delete your local tickets, use the kdestroy(1) command. .sp Kerberos tickets can be forwarded. In order to forward tickets, you must request \fBforwardable\fP tickets when you kinit. Once you have forwardable tickets, most Kerberos programs have a command line option to forward them to the remote host. This can be useful for, e.g., running kinit on your local machine and then sshing into another to do work. Note that this should not be done on untrusted machines since they will then have your tickets. .SH ENVIRONMENT VARIABLES .sp Several environment variables affect the operation of Kerberos\-enabled programs. These include: .INDENT 0.0 .TP \fBKRB5CCNAME\fP Default name for the credentials cache file, in the form \fITYPE\fP:\fIresidual\fP\&. The type of the default cache may determine the availability of a cache collection. 
\fBFILE\fP is not a collection type; \fBKEYRING\fP, \fBDIR\fP, and \fBKCM\fP are. .sp If not set, the value of \fBdefault_ccache_name\fP from configuration files (see \fBKRB5_CONFIG\fP) will be used. If that is also not set, the default \fItype\fP is \fBFILE\fP, and the \fIresidual\fP is the path /tmp/krb5cc_*uid*, where \fIuid\fP is the decimal user ID of the user. .TP \fBKRB5_KTNAME\fP Specifies the location of the default keytab file, in the form \fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP is present, the \fBFILE\fP type is assumed and \fIresidual\fP is the pathname of the keytab file. If unset, \fBFILE:/etc/krb5.keytab\fP will be used. .TP \fBKRB5_CONFIG\fP Specifies the location of the Kerberos configuration file. The default is \fB/etc\fP\fB/krb5.conf\fP\&. Multiple filenames can be specified, separated by a colon; all files which are present will be read. .TP \fBKRB5_KDC_PROFILE\fP Specifies the location of the KDC configuration file, which contains additional configuration directives for the Key Distribution Center daemon and associated programs. The default is \fB/opt/alt/krb5/usr/var\fP\fB/krb5kdc\fP\fB/kdc.conf\fP\&. .TP \fBKRB5RCACHETYPE\fP Specifies the default type of replay cache to use for servers. Valid types include \fBdfl\fP for the normal file type and \fBnone\fP for no replay cache. The default is \fBdfl\fP\&. .TP \fBKRB5RCACHEDIR\fP Specifies the default directory for replay caches used by servers. The default is the value of the \fBTMPDIR\fP environment variable, or \fB/var/tmp\fP if \fBTMPDIR\fP is not set. .TP \fBKRB5_TRACE\fP Specifies a filename to write trace log output to. Trace logs can help illuminate decisions made internally by the Kerberos libraries. For example, \fBenv KRB5_TRACE=/dev/stderr kinit\fP would send tracing information for kinit(1) to \fB/dev/stderr\fP\&. The default is not to write trace log output anywhere. .TP \fBKRB5_CLIENT_KTNAME\fP Default client keytab file name. 
If unset, \fBFILE:/opt/alt/krb5/usr/var/krb5/user/%{euid}/client.keytab\fP will be used. .TP \fBKPROP_PORT\fP kprop(8) port to use. Defaults to 754. .UNINDENT .sp Most environment variables are disabled for certain programs, such as login system programs and setuid programs, which are designed to be secure when run within an untrusted process environment. .SH SEE ALSO .sp kdestroy(1), kinit(1), klist(1), kswitch(1), kpasswd(1), ksu(1), krb5.conf(5), kdc.conf(5), kadmin(1), kadmind(8), kdb5_util(8), krb5kdc(8) .SH BUGS .SH AUTHORS .nf Steve Miller, MIT Project Athena/Digital Equipment Corporation Clifford Neuman, MIT Project Athena Greg Hudson, MIT Kerberos Consortium Robbie Harwood, Red Hat, Inc. .fi .sp .SH HISTORY .sp The MIT Kerberos 5 implementation was developed at MIT, with contributions from many outside parties. It is currently maintained by the MIT Kerberos Consortium. .SH RESTRICTIONS .sp Copyright 1985, 1986, 1989\-1996, 2002, 2011, 2018 Massachusetts Institute of Technology .SH AUTHOR MIT .SH COPYRIGHT 1985-2019, MIT .\" Generated by docutils manpage writer. . 
PK!ӌ$alt-nodejs6.7.gznu[U]o8|[|86,wBS+ E $ewI%i_K2Iރ)L xޥ`fp>H=t 5Z*Te5\$L,q1L_+}AﺱRKz)𻻂 L;nnR(4|uhMMȅ${ӘC-WBi,:"e&Yf,'4Kg𣟏r<-͸x]|~(hYLEA'^5-yF3vd= ѕ:Ҵ%%n" wщn6tmZZkҚu}4{gz8E7Q>vgI:c\Bu?sbWmh_v>gnAdYqׁQxR;_6(UC".ꕹh_DKQOV%S ĝ'Mǭm-4|<3|C vo?*O=K'O覡'τ4+5FPK!t-alt-nodejs9.7.gznu[U]o8|[pEp-X.BS+ E $eoI%i_K2Iу)Lsxަw`~p>H=%jc ԨˆkH~d~Wdz;Z+\Pp[ /3_Zzrz,ar8fs|P ?H4Ӝ%bE| ~QQb8jGMEQo+Bm?nnk/(fl:OpSc3l ,eo(r;SWo[<w":ď,{7n糧;_V=Ub),>ɕ(Wp Ե0m3kF6*QBXY&n⃨l]ۍaD;Y 8RYw ׇ^VJkd a,Y/p3% d8;E49TJʷBT mr[M,M;_/VA=@NkX!A5dHЮ/Dwmk]`n;>m&~5~BcZЊU %AeI+XZ ֍t_iZ^#:$-LuK%79b4>38.d0E(z̧@&v % KhjqKL7K)qJ6TnlI%|79-d:33r kM[G0>1(t5A*i#j3oޒ;ǠũJ9e 7d%K$`bū8Z f_\Wޚcq$d*hu% 1?ɾ.]:}Pmt@oJ3 9¤ oIk@m:^$]wLyPtڝJT!U1eF<[p틫6Eݕ6`tT3٫C_ ;܊oWޒq%iIJ}A)-&"N)RS.~[}݉&ptdCKm}j)R) -;ao\^]&ش2'W &pJ\Zѐqe|mAԤ A|$~0θGHȌ$H?f b^̲{twif8M:3YhC ğ,*קE!{Ҕ@Γ[mwdMb))5HL&"*E?d=2h),găLV Yhk<^@TBdʄ7cR-H"훂 Ga"*A/mS,jݮTꐉ9莓,jVq-(4TRLi ḵhι""SD `:V|dMF٢Oe{JJA2ˆ :)D1x"۝~H4x5㩺{::_@txh>98L`>aipzprlZkcKqa y7ĀH\*&Pϐ]rfʣі=d4ۨЇ&X&|tMr(e(n(ڔJ6nj@ӒL v=-V[+5,T' *`|3*Ԫ.$Qш f)Wgm'>kռ$#{L|1ӵ+mF;rl A_.Y ;#}A.] mO+w$+ɗE.7(:wȻ035$2  xqqj>׸83W/ w1wyM?aȡ~# (G]QON?J5jy?|s|ל\4kD_=?].n=oݝ27ae)nFEFuS/kGAL;htb}C?$;NOҏY#`n?9$t^OQ"'F2PCq_*PJ2Wǁ4A%/qCg;zϗ4z#r]O tKu?7J0 ѽ1;*SȤy骘ҳPn_i윿Lf=U6gc@Jە(PSV*l`=#< y% vg'ː %ZmxBf=EAϢ]>bԉJD,mLHX&np;[GD9] 0"QX/5hDKs.{ :t|[[h! 'RTŞsSQPpؖU14b0݃ FY/TKB.;| 90˿P&esh.6ѫdŧO%!n رePK!Jrr registry.7.gznu[Vo6~_A[nM:]NQ0PeH}wdNJ!%w}ݥoEy]}JDZsg/ξ?|~!9I8~errWjCwJV+72ɍErɭ^gJBAXY)!m! 
[WfDkѩ,Ff+ڨJWU^"Br]\R tefBh["$:RoZ = n3s1+wFn5ō!u~sw%B5M*>+)fUPUŘzw]jl~rȥ==CU#kf KFԌK ZzxpD\UBJDơFbC ںvlK#:O\yu Bpǘ1 8a;aB`PrCo2]k&GuU]|$A6^ld&hV[‹T{Da"uߤLJ/ cE]=oHiPV:IŲ牑T1='"s>F=ГH@գ^#E\!@4x|v|>d}p9P9Tk6D,x"p r+'&q)i+D!^DVFM2_-K QBuтV"]3XW   <>ޝЧ(ZVGd|p뼬nVFEfQ)i) [B{$ %L8*"J?s(N7_QG]v<2M1/n3YOaI G1SS TYVZ4@~:X&AٽΒJxq.oi֊oi UCGB7 j$80Udp6D=Y͑jD%q&1S(㼠b!WQ=?k嵲b1Co/àxvioGk=i|"E)#"K{ېkۺ4j$3s7LNcbw#q(MeWPp7kb/#1X~x?<]]^[^^eʜK9i &(FIo Si?(p^C'7 qO^C9iExy0B(g>R9&El$w[jEL@b 2k"E-GZD[ 꿺H[סx n9OY罖fXU't` ͒Lݽ %Gъ )^t4J 0=SQP(WR{GTɹ jDŽ~9wL'h>~S09+'yB'Ük ҌdH!$NcDޜ5\x1ME;T_=!}jO\먌I=} ?"=ҤϿ Qփ6nc < ʓ_ P@}$gPK!Όa orgs.7.gznu[VM0W8T=@Z誻ҶVaكة퀐;c/-$p<3y3!~_ G`|5~N>?c19^yp?;mVv~kj[2x ~cI04z̄2#b#r z *+.W0B!p<¯IJ_JjL-(]S)k2LE53Yb5>ƹ6/R#!l/UeKvJnGMlG ꍧm3 )bt1Dp +_ -b8,SJnEbzc2f8m8F{\gV9]0'9Hٵ7{l`a_TzXjWfeBut}J*V,-Җn-$N;aI"WWY@n}+p&0!2KG[C5>>-) .Px),|IjߙˠRhCd_*G=Qk %mU}CxTXs&wx5̐Ӯ{A)QQCp'xa/%Wg[?L}olm͛G]wgjظ8NM^o.Ofh:7lo_LoMY.ԇ!:FvVdGd>IǝF'hu:'||޻=sͥKt/.ʅe*?%9?K;7յ|3zpb/a3R< ^͐"r `\.}`cG;DunM+.ूa #`4Z~w .7Of-~ϵ#DŽBDps!ՈBrjL=mX6ũ}lWfAq#f(|1a?GzP6rn`B !c bm҄eDx)H6h|?!VK U놆1&cZy>bM>y8~lLtCZTLBa M"eR.a C;ÃG_FTn7A~ Ah`l#\b 7<%w܃z\ %rŘE<J ^la*oL~fsAVm aF*pȖ y2žn]L#й:+fT@ǀE,Ё꽾\ùK1+brɸv 1iZZp{I-my!&;C3rs0ZOI@$lUP@\13V6メ2!!<\{j`QoadG5Ea[/ I*9 N>FU̺l6/Q&#6iIbه|0`,^KE;̽g N6ܩMӠ_'su'=q&y"\dCsK]NȨG"pQK{YT$?Bv08+@WT\s8h%g%2#aʄcKTDdwo9BF:@^\fqQ"RǠD*OӐEdC M6+ 3_TLT>8qr2l/>?{pp%&z: (L(3#"vքLjȩGnUYH" 0';TiPGƉ)Y兮 rh*)#ix<,e}x(PA>0Qaeۀ:dmn.PHh*kqG k <$Ly,h30tU֗\![/쥛dJp>M`2^ P45n9~7A2.K ' wHc.kڲ^ *#)鈸ޙC"+ r\'{9wJdXr&Lo$Q #0BD!!UmwoR*f5ie$й1RsߛNpv.@sn ]HG.SԄȃzGiâW."6"wIoCpt Y/a7[a&>PF2,k=tזϓKvЩhgkNq3d s"8 |)uj vh'WZ4\DEP&BlDa*obsO~!ԕiNORYrKǧ~¥.RUFo8TxT28HG+pL {L JEn\t|| '3 MJ[୎ѬJNΎu&]!5S:w˾a]'vVU[?K]5Kl7%G.wT͗%?a^sI*ɨ*훋5x˾#bH1kn a9&0]D+D5Q1PK!@ alt-nodejs8.7.gznu[U]o8|[p-p-X.BS+ E $eoI%i_K2Iу)Lsxަw`~p>H=%jc ԨˆkH~d~Wdz;Z+\Pp[ /3_Zzrz,ar8fs|P ?H4Ӝ%bE| ~QQb8jGMEQo+Bm?nnk/(fl:OpSc3l ,eoь0HE,0eKnfb(͸zHV-QdrqL͞џ?N=x=_)i|Xek|A5ۍZ릪WڨYX1SKk>f< oNni!mbm붦v--luyWͻk6ۭk;j´bۺ; [*" ؖ66tK]I;{`W.lv/ԍZWLwRj 4L>T?( 
Ժ6{X;5x?K#"vk]Ɓ<#$ͺ>X̾lvBm9ǣ8.{PۨlMStjȩmZ~ޭ~RggƅnS7tdAC.~*ދ 5^\~{\H/9[}ڏջC/'_N]&qpuIa!VX*KV^HT$3݆5uqn;N[r ɛS05`t=~>5$iH O D_ Ma \7WߟȆ[&`ᓷt):'"+.=dpot:)}qQ\ RoFh HPUfqJd ?B'F׮$Qu! R׌Gwlt7f/S yR]/I7 ZَMpFcƊ̉)CyDnTޛhyT>jbf #򓃷ԃA<ST>!Ly+"ǯ;= } y ?}m5}QE-{r+܆^w_"EA7ų?-ĸ` GRd3 A}hVpjs&7HU,Y&g~!a/ޥcU<p@dh[j$  qBkDua$%/\eҀ+2De:j*(FR#ל'"yn?u ԊEPX6f+ӧaHFC7`nk""OPwJb]F޶igު >XEi~7{@({8:xzM\egZE*=y@U`K( K:RLd=X8M(-vI /3/ejCUCY|継_L[a5>!'/6^ZC?>&wG_`e zwt.K{c Ч QPgٞ{Kk=M|g-ECH35(3ؒp7(=H;C`C_ on16To$4IxySLã;}#٩ϹƆ@+ DI g.7l_Z 7[*zG=En.o 7)aj!՛HKuLݧs7Q4`&ɗR>P.C:,?i+Ґ3a=&1*媞ҳu餇&2]+^& 4k)lBzoÎJt C/}ÙC0+zN`b(G;QkKn vVPzpd6ܒeï{ۺd2 7A{=8R3 2pzVF2+ͯI^JUHFt e]*m[!z[ϲbP~?Bm<|Oу>FYQ)?zO<L8g—gR͖,MX]OO<1*řLPt1,yF"K&oDxlKyam˵ ;&0]r9/(Qwx\3ΘG&y(G'mG| ?ʼHi\AEYDr)Q"/gO;pLqM(Z%(hۣ1N'̚4e5|Brb1SЪ݇:"UTA""4SG ̣gqk4ËÒ8nv34#bffp]$ S/wRNM>!,g@ܤ|㳒+}A B 0j'&2CI3[ѓ:I{V zBbTb]F*)z5 n8a 9.}Ų+ q娶 &Lꞹ<p?*?X qE^yԈv8 "N8NĄ<&0 FNI Q)4! r{Q r[BCJ8y>oU7DҦVod,r'ɾQe+陧qMKQ.k[79i)i[_09j@0]%76Ck>,v0'4wLtܧpr--tI={mݨwKaR ڡ&gs 4a?v;̓]ᮟtyc ٥eM$00K[ wF.? 5_nfr3k뻔[xw݀$5f!qlS`/|B3%\HW@;|M9G|.qN+:OQb׊myL+l$81nAw|a.RrFq&($Rq:pn 0 ^@O\b5"[4l+~Ocmk81j-Yі *)M/H,t?.h8ދ6 > jp!*B(Pr1ޚ+ K,njnu׵},%]ΊKnJ FbF2YiK*Ee2_ZJ* V3! #=޻;y8!bIX`@BSSCT]򯯎|̒*^BF#YC[7 6}\:Jk&Im¿`'5@΂h6PK!离% % developers.7.gznu[Ymo6_l(p(Mn/X`%Q6IԉT\߯gfHYv9>3(G5{}۟nW35iw/}f/cveiM:սZz3` /zZ;[ڹѨXVjRՅnK]nT7ei.iat~1QU٪:V9tJQ6]X5-&+u׹0+ƴϢF^4jt:6>Sk|7ԥ:F8t<|Nr6zmP359[zxeu-$|1urЍZb=6i8YvR_ewE>o%]KpͶ84 9n$߱,,Cf*,'aخ }N~HЗ-Z7ՏƓ’+߶}ĝ/A KY[68h$K0X`Wuk\Ya׸`}ću$jK *jךrNj`[r.FyeO$#~%]Pr[SYH߃' nQjx% +͈(4W$h;uݸsF{ejo`DiR I8}*tW,k3j7CYRX|_ac^~ n37!te^s_ڕU='%A'A;yIs{q*OLD#XTȏQDW 5y" xHXJHA҇IG#A1]K&RswZ\bhXWpK y,cYۍc_ ZS-HNjZ/*ze\fqAV5Z; 2u-uݩac;0LJyĥ⤃HbHQb:!wK./'KAs5ć38w@ @8YB+0˕H 8u . s(_C)l}V|ƨ\cHt2ԁ6]G[ ﳁȕ"|`(!Z&Ԙi"ĝ@B:Y'"?`TK 'z»Cgri\/A,2=K{<1B^WpvBXDAɡU#apN!I!JHkrd"wV: V4&1~ 8F4R Dl2>oX*n_#SQm_p]zlߣ@#d-j9vM>Sm:WC> ssm$A˴|M]$5*z(X0aHBDž/9LZvb xI{S H"mTzĚPx_zYKy?8FY_z,*/պvy|RB_%aܒ_k'.S;?%<ښ5#lyۛsZF@8 tr z 7 Tttm!t2N<| "Љ.6ʟx'׮xXlrxOlP Cֻ>}Ӈ4m* ˾.Aջ"#Hd? 
.`2T|hKBL[XbN+DqI Ti#r#t9CG"̐'?,5A`< NQ@? ϣ&w7$B:RK?V}u~Œ*~usx՜Za?aqw,E |8Qׂiѳ ]jTTه!BxRv1jq,66NL:o6z 2R_i7P{H8VT-mY`& wa]BD !.eSLXf "0GRpOף?$PȄ94+@=]Xdw"G ^f0xHG,i :tO$[TvS[ZoÒ!IicMaUu8LFT %!Fci<)e%M u=MS{ -AjE`zHC5,` [˙|XHM&aE]InӔI74u&$C%6N-HI|KSђgWu+nEy}Mz0qA$…6^|#-%LKerpag¸s2/_EX.1OC: \ X07NSu Őb(ڥS5 # <1Rlv|B+eCFY9 X.U#Vw ?UYDMzM) vNr4{sp0kPwo_n-]8`U\(<8iMfh3K`Z)0c;bm PkbI7T:uMVC7 X+B|ٝ1_T&b*,{PЃ DO֢)W3M,q?3 NKqtz",\fݥ%Nd%NPlETzyLwOiwh@<0/.QDR3JDI^u&'}alQOMI2 {`ȄGaFv4gghyhU̞]Syp.gr68umtO1:`<̀Qx4>`/v56Y=0[4#<alhyr:^q6Yj^U2SfLa3y:jJ 3;0 u fhqwgG<_<54>_F/!zVfE:FqDm&s$ްrCŨ*!E :4Yr_Hm ,Ú"Qh2ӑszhUu#Sx60WwF0Ά|m;X 8!_qXX-!ctmOC"[:7 Dwdk(ICW })7'‚?k0y rT) "NHbqh4JR*0w9&p!ӕ71Sڤ;y,'~jvn BXX\!\B2cfuO9,Gb: jQForK+Pr-ty Ái$=EGIs {!e0x6Ϧ?9h4s ʋHv!H0읈$+G5?t-+㚰e{ŶKXڴF$2Fc6m ;k %Mr?Xj6M6wt*IC3%>Ŵ=Z/< FrLrKj>˔Ze Jo+UD}njͳ1H9DœkY\ϗ$kҐD#حsgA9?0\`ipBӃl۔(Y% x,+:puM(+%hC%IC,7*_јT=.XJ`#G M_isp=Ÿz!GQxSj~6lKoqܵ.t]EGLSl H, PFGK5mtTV#$ҁcW뉳vMT1 GFrtڥ)tYs}iz(6wt^Max3e!M9C?M l%%R6w !ջ :EuS0WMb(ՎYĩQR =zLM+1_$կ-8:`G0SXHEBsq%}CA#Nj@:4Yb@E9I\"8HC Z=+\<W).vβ=ۄ_O^MĔ5NIjڭJZB9d%9[%YQȠU6TpΘԆ0"InIO<Ïg'}|~Q2GeA^1(J֎DrN>[C:b+r=n1d8<OЏ; xkRCxn]_QX緣d2c8\8;WD}x '&O-?*O|0U9 = ,XfMBAg[R~-|(ȇObZ"^%:e0/! ӶayX7.rR!sjDc"2]œw~ܦz2 @ S?ΩՒ do $DRoFÓD%.NHv+ 1``'h)\I7`Haң!P!D 3j\d?N1J:)@n5~*qv~st~z~z(dۋx 6,v^ VPh j<suXH#X#Hϐ1'GPu MM͐\FgC؅045tB^n3eyUsXƬgpT-kښ|X$oCŪfk ,J:YC݅v E '0ƀeK.#^z#r5E V[^F: $Uvf`Y\IU!a?kck>Ic{[=曮^N9i<_ڜFO?H_!?i*:?IQ{O ̓15! z6ķ/ѼؠU۬8{%{BcB^[2=8 &}3eɤ zqrv'59JfV]Pvt9Pi8)ǢC2J'WgqS*D֣ Ɠ󏊵J_-эox}0bjhx?o08 ]DJ͆DsQTƀMM!L T7}:vg91Iф WH|oIU?s˰]Ks{H8 J][]Ui_994- U~UVop$B;Q_߳kn1{j(iX {a3Hh)v4M~$>Ga:~r}N5O>ScOW?]]y+1a,IcG%}n=V8AʍW$~poNi1Q?sr]"6,ꎺ lR 6ҋt@\H[Q?h}E.^F,ƕ+ktHͬ33_p*/ėȧk=OZW/O5Lk)1y +ۖzXv(`;x f({v%֤UB؄J@HS@wS&i^Y*-vӪM(L~Mki%5h&Z,Be-lTMIoa`^C= ,tF+jñ^v C64& fnasGp]av5z~IsѵQcf ɫMph}:%A(;K;QN)WD|0ʇ9aJ[|柼"`DW!Y HL;o$ܵB`'qBT c}ohE910Z$mn}T~8j5zt}PlZLWtuu->cv~ S^Tҳ ,JD8p4F4 qeYrAr,̌P$a|X\XƏCsK&Y^ƀ(F8W8}_ö? 
6jj&aZ0TR$:X: _> :=##% %RO#f=NKfo bʚ.E% ov b߃BORx~ 3 EzC4QUGS!A)MaO /<q!ȪB;k;(?UR!5 K~R-@OY+ d[kp>=p5|jB_wW+u_3[V2?E'Ho"=ՖZq=$47Qo2/dN M{YP2ϙDu Cw^{4]@AI;{HtuNenh<>G;4 [#rnbW$Ӌ\!0͐@ ]тKdEիOݵck% b?e)״M䀓>W6ҘE΁@@ WxV{ | &eg\few,fɒOTY70 K^~q6):}wUrg"R(]paZ8w[VoDy%]3A[]> Ŭȵlu=ͫz~yL, ]RfpʠG0唕"1ؖzOx:ELu<ԍC h8>/7؀|͖oaw-1r ϝ`(SXzڱ+t?4,E- OA4D7xxU0]HS)zC/I^ ׬rW@ Lr ED֬v WȺSGϣsAvn`j+"#| `0t;V <:=:aj<!6K q%E3OG9qM ^ҊO.<ǘ5njl'/>a X&r Euu4K$Ak?jJqnвY-q$"z/yqT%7tF #n3ׅ]ю#^&ڒ X4І4b@G4EÁaM~+L2ISNdYUw47O6I+PC&(;!N#67TYƋ+y=lBBhg1WL}qSd3'1+Kl΁$3t)Ŗf > 7V&[N7>nSfRøc]oJ GU#&G "0TցeZ'Vay6Sf4}l0; "w% MK:%mhBc6?jݿ_ }!٠{s-Bm#6=@HH߀@784 qI8`!d AcrqPj Qro+#KzTZ5;Dv,B :*ш؁DW@=nyJK$.Fn}@?뗸nڜRg7 ada?˙@2LJO3iV- 9xСL_2Ńmmzb=S>n+EqP0b@I~L<֊#,%&P)9]˜CLp~.ڔVvOhbt8bgEJ/ xFW]ǻdTBiC8#'(I1=NKQi GG)К'Fygi!?ဧ}_ lsGgwױFB<0 9j`x )RX^ -ag0%DDr"'=|79 JȑAõ͜RTiY:m^0JO#5)+}̞HoM1o^חې@UXD\} ku^) G)s lN7PDOPTښy`b8uᮤqgZND1 Z3m4Kb~|C%_E9r>ۚdBhx[0k:GjFeV P \)Lˑr',y(,ҳm[U 0q.WÀ8QxD^V]]l*`#^|Ё 0w9]xjˢ˫%|?|drɊ,` Q\4(wH(.! :5=RY:G D "Cu1fAw)E4׮7' ysD VT'=*R'{~ne0Iړ'e'˻zd#鹜PZk}zuFn)۲3hUȝ'poȄV 3ImDM&D{z1zdB*ykEcR oJ~ eLAO5 dTP 1BL *5u%|:Tu.Hŀ`N2]EE<{OLyKOGL8♑+ZF"u`mCPàJ(,kc:5چIg0d;zލb-B~*>CF9aB&h7NZs% Of"gf18dE :kf)Jڙ `Kx}D|mt:ގQ!L|Țk|6;xZ0H:jrZ#L3Jc^A7!rw`ǣrOS# U[&$w C0͕qHFwɕ}3s*0UT-YQ핖A<;h$۷?).#P0nAq`#Ԧz}|~ g*|[)"'\J¢vg 1~ǼEߘ'ʰä9 |CP^&橬,Hg |8L'XB:=s*_ D\d^{_P#LhJ*dEp{Y`F xWDzdwa8A|w" !wH$ڗV@.167])r}dq{m n %aWH]D@։d# .:5̓ ۈ;,:78Wg*ƺqL !mb$oocA{W{ɊVy k{~Ay.O9eDtxd4zݵrwͻSTm;1|hTfpU[W7&aǰU}]>PzP(ipĞ~,rTНl&ɚqޘW0Ȉh#'1pLM s()mOp-цfUP#!a/~åGLœ,1ԀధEx4оڟ$7[zJA,=6bU<9=La:R)dhj|tC<`Z6s~_9;v'"Asɕ쾗ĩOp 7כ,ዑO$Ưf zpߡ5h+%NgYknb 1դX}QE>Pjo7Zfp]4d7u?)fcgd y0 e^::RЈ'F; B@f\^# @eҴWe 5{.WEj9iO ?' 
u&Xt NZRI RCEUS lE&fK [ښՊy-nyQO0r_ @Z ' ;Ď|Lr-?:iWȣt)RxaL.mLodIZWGQZdU%XW:Fg3qq(*M}ߞg8|g_d_ё $yQeLVׄ~y )wmDH@ܪHأQHw֬|AjEI.\ UIUd/| ܡ q  M/zTaU8ߌhO]vzH;.J%t{:HP]"_+>0$E}/ɱD ̱G >}tb>{4ڸCϏ es0y %}>ɩA#5$^uW `|* ǞϳW.$b*gUn۷ v(]>\¾k-+%CH~Ij_ltɇ{2!OU E@P=^E__| (ITM"yCIM=u5c>8+[|P^ĒRۘ)sj$GQ-_uwf}9Wk MU:Yה'0@CJTVRa!t%CӮ3W baDPjr9 |N=zEzrxU=LivL0c$b6V[ 0&#G1z$̥pD PDՈz%Cc9`5Ǻ?|'j/؁ !8L&C!kC+wFf-5a" nPg_(Vi>f 6]ʠ"0u -ٜ]WgK@tзX͝Yja;b)vf{t2WatJ Ol@,/b qHH2ڔr(I?퀶o7sZC~'K6z3/6Mp繡F&.=Z@ARA`vѱ:[fέ"j=%=a)ZsoܽQMC,ܓԊuF!> M]Á[ -P*[-âE>#Or?[)ƏF#J2J% Q6$~hip.`J(NcT^(` hz鮀ˠú|3u<"9rV,<^HڔXƖLkSXvIH U143Jt0d JUVsMՃ'GӲM+fi=rH ; uTv2P33pAkSFm9Q3+,UgQ: !F v7%&fOEPSgh$ie^~RmUFWm@Acl ' 8wGT;ҤV?"`nR8gdEhP)5+e(#WF.&M ; 4cVvjXoC$ ŷtܖSBw-9<*deļZq͌C/Sq`:%P>JT]$IGw}7߷/uXJ LfXfW➷+HdQc ,b"a^]|svKgPJ93vM=;9f=vh|W= rct4O>wEGIvu4 ܘe}ޥEZK#V&ҟH18q9; ɶ(Ky4%h㸾s+'c6}喟KI<- ܝpwL5gnw '.&b9=]<༝E?ğ}h\6NM4[uϱo67o`}yusx)~}e둁b{A,u$ƀjX0{8 ~ز}$7垢'Tvҕݟ2hC(aS@FuwuE?F|d ɓФPA'T`4N=`B*SY)RcK`2T|@yή Qj[Ĥ:\;ZihoQtV n֨[]%kq`%#!L3bG 'ҳ'KÑb0SҏëDؔhD ogx?RqH؄Q6rRU ^նJ~|قqx'`DͿhZy}ͯM){wG#[E!%CP&xWi;cY/YPPK!Ы߅alt-nodejs14.7.gznu[Un8}WL&((ӨHlr[@/45P@Rv_CNC9g93NNa264a r%,6Pj/"1+av5=]V*|yI/\6%pt|[ /KZvz,ar8f' ZD#V}24g58XQ5_(<臧~1*Y 74 ˸x y)8F֬d&%USi -)G2CmX[wġ1T!縸sk ,^ zD1\)i2`Z*Ej#l>pGMEȑo+<-Y!عer̢%O'̶URD掭k)jxPFDIBqkIδ ؂ Q aH6tM02щZ\1awnU#Τښυi/dȝTFA;?VsOK9;G"ָBM5h]mt1\ضt4%3 O$Ii9U%$h+ǭC=jG"W0RT̀ kR:o%5zSJ t[QGkZls:/xp;GOBQ5!IW8gt %񬐾n*HŐe%if/$`H.eOv>gn?FIڽ\^\bT3 HWC0"RΤe(_y״Nu![ٔrw=Y7g<|o_ake-2T{=GyBK,P XPK! 
8 x509.7ssl.gznu[Y{wFO1K NRǍ};ԱY sHE0|Il⃭s_#fTVٖٜ>5l1|c)*K"欱Z8PKYpFsY$b\麤~F^%gP?`)Kk/5=t4i8: ۓd I"r-زS41& "[9B:Ic/':cFVKRsoɁ̲p~`ZXɢEDTH'a b>wSI${ coH0@]XPippy)<uRJRuI)]"l%w3]ZO9ߏ Qcp[ mIJH0AS e +ca 6xy 13O~iÕ gsuc mD{t]Eq_ )'S+[ Ӭa'=<0}sLeZM~`FR{\\J&zo`J6tZjU}XeiF.%qE0&`C.Qan,6'k {Tj@~#ͥ!aCХd,FuH(qѧFG;CDz*FC^4[l-rB$%V @+0j $I`şY2o^9Fׯak"dZd$B"WXM{Ȋ4fԾ>p5c6zôtXñdhfHZٽ9{pց-M$#i1HBKgD䮸\Znf'IPv8ٰoӮs}rBgf=X#LjlK^a8KhU;nr` 1 JŧC-{6iP2m44RЙ3% &I I[pT#{}^;+q\4QeK`$9CRWR^IH4t۲E\X5&HVt*vpYƋ!+O̬U1Kr!U>#d,c$/%"@hhS m cY*Ψ(ڃGuxæ4Oͳ #@ Y5^v9XC 'KՖϋbiJYz..W:/.r'gx"Õ$\3:XzqiB'~{Vݑf`V 1yKaO>\]&É2Ņ&51{䅶a2z)~b/Ngx8mm$l0>YDCIni-5pm -='|̴y|é;ݝy8]9c3%bFU/.ITR> G`)49ڎ :&{M1;IqI"Qx@W8XnTj$||>8u!B N CGgKRL׸hܞqitO2{+JAm-,a0䫏F> <#m9IbhOWGR&I K- 6 ⬎xNr0jRٿ uT[Aɛ;o=Q)-YcˀUp\$j:_n׶7Ykqfzv5ARw)rqؔb._@\z.B;(2W׸.o9l c!D1Hؘ;HļR+\,_m(_zaB\ighhl:lTj")PxP!p$8o%"A8rЕ^.4J;j#.yGZ4OaSU PK!*JFٚ X25519.7ssl.gznu[Y{WFߟ⮳le@KH8f) >Pz֑Fn6}wFe =]z sϙfN, ̳-_B"2|M9:zkr/hO;h7tɿ4ͬбDXGr/i莠iL y#)*e j" T>@0ϥ4&NB^5t]Һ3bt'9(YCw3CLF$i:O\'5$)ȵDBYb(L b[9B:/\:vi$SaُLK.;|p2աؓ{ڞEp3IȉrGH8|}8lhP =* wwqbh^@݅E^^p(@B.)eK7J"t,C} &v$0ʖ0fr@V˖4|ud pe ihi]ݸ̥5bL{Lנ!2e6 hMb=B̰-#8 ;ȵwA>he&wUur@C4jkWyb >-F qчuFVcTR(*(XP }2$ h^Rz2.Ʀ[Hk~t'VOU.G&Qr"OS$Bɢ9"I8Tx{@K>owh),@y9eSaR)WqV)HR%J>"dP߾:asL..QuK i\i*IRQyƧpw,SB}rL,rzyj%|fp /Xe1LS%s|+kbPrF}Y g [ĐHFnoM"m2lr4fq63 3&<R698߱h -߄U˶.*v /zRݲm2:<!Mߎ_*FU9V>WySvg4E\ޒ.~Pey$K =Bv! i\D~v^*ϋګ-%56߰(leݖ8Ϳn-~ooq{U(Ēo4? }{_Qt͏G\[RUs3]gmDOi~(o@ GK D |Z_V6 ޟOua-uۥ#ke>]_gϟ7>(@IΙZIhAGhmڽ$BIWV.n&O_J8H$48J2f4^'wBr|,k%ӽR7*l/9K~l,ԹGQ >_x ;-^:3 4lO>2]0-n1x#^'z"sͮ'/nѻ7=Xy2i`4GN]p"+6Ѹc;9_^4L )Q+-Kͤ #ڬ9?K4b"%ףSh, #(=RhYrqH1]ϫ oi'{:ڜb5VW헠$$ų@E mı*#Tp2Sʸݷ=qʏ_$3Jլ@ꙟ[{mu>rԬn#r=_4u6DF[=¥1e#k483!T X~V*t;h5 1YBX[IA`zV?i ?XR~ې|(MQhQF{6p=@+F~ط Rot{vr1Njz;ir[E[! 
d|N'Fqu-dۤ Ng^h9"4{.֗'Ob0Z&!Xc"/md7z,!zΒ0s!jEiŹ:$ ~}Y\4҉^Dͮ"kn}FEW hDngDaeXYkmqV <^N~z[03fMY O4I"NP(Iu I>]1FJW *ېoBMD|N](ZKcZk.{U I(]"Y]LSP`W#QnHcgx8z7aG(O@Qqt+kZfYzJ/OEO e'z?(Q OPK!s EVP_KDF_TLS1_PRF.7ssl.gznu[Y{WFߟ⮻lmKIYטgI4MOՂ,m5zU#aܦ3%In,=4;w5iթQ`c" +WvHfK xA 75Ӫ/MR;tĥ8v0űE?54 $߈DJ2ABءR&WW̛QJ|o A {k&lR(]| M@VK4x~I;ߵJ i`m{gX ݍ K{%;خ"BͪA6"Ѐr9=B5adgnp1E6Ƀu;:'u>NHS[U¤^_+2xeL)xo5D`2UFUFQaTR+P:v,H¯E0Jv!8u, I",#dJ5@`*Z_ +B'kƣG&Q 9q/;-S%$Bɢ"I8tx{y}lB儗2JR b7u~*T$w,o_ds\]„3r,U i\RJTq2Pe*v{2fHSf-ҿ9a`XXcLHA6%;mi!@gyF.wbؕfAivz{M\4nr)ޡQЊ &6`@P{}AbƉhw|suӳIj|F9=SuڝvgmS|\"L.t>+:E, KϙL..JUK} 0tE+ 0 񎺖gk9Y,n6"#f9__ GXm8E98p2G`cquS!Ow7cbp&m4, |V#;/+ } NftE7ͫSl.)eVИTIF}T"!ě ~`>K8 أ=g#$֡4k Soۄ[!G1BTY;udzs!QjC9Pȅվa'B=AQd,@'懇,z!ʈ.>-M#NR/89h ӁQT5;?˱%{hɺDI溤WқhY8Uޯ&o_D{ \wg@} U"TNF ǝfFY8{Tg6y(طS5&L~]Yt{D` Y))>xC|{YESZ7b“&z!VV:xbEp*VMq*j؍\o*T .BJ1aa2z*2>Rٍ0Js:u ,O{ZVMGlH"BGrzBWGP@uBd9S >+Uz1'yf\MIӰp~^ӈ5DfwS7N@rP.0]P/0J8qqa* 5l!÷fSLOdsAuDh[?j MS[=ObqAc5oԅk2s;'2=[ۋsQW;½Ym[ƦwbFn[0q& SF'K5%w3G*S?O$3On OYw~;J,ekOpmpAk*Y8Hӆz;^Oa:jpk52UKz9C7#C#@Sjuh0mP5C$m4:Mrwc뀭9Gؕ[`S-j>%LPjWk奭$OϣVK#'"5IU`%B.SPbr %T67D+lA`Olɟ mlۘwpyxM+Aߔ{z_*~Q(&Qƌ+gN !w ;vOC=C UXib">(WjCԃ┵߳CG'S^ j4Eu1 _OTtxHk/i㽽riF0%=}dy/iN}^1!PK![Z EVP_KDF_SCRYPT.7ssl.gznu[Ziwί}[ Yv̪cj!M`Bn>{IIץE֙<bX;toc{ފ*P)MV4 /n2~)fͰvKv<(V?ԱL>5ch@RJId;˅ hȱzJY@;$"AFj!^Ms5wzPwi͘4f3|YuCGF%%vl;) p, XVS5s:Ic7'n<5w6SL ٷ6DKS;Yxh(ȕʜMhf|,LUKc؝/ҍ6AXbs܄04Vº@J*V0V Yw}]xE<7uڂ8Z)dz-,tAA/iLVm24mPv7[Iw*LHZ5FPS0:"W`o +h'YF?1B5zzrH`:JpfLvvb3{T ^=>%V .Ǥ>%I9.aQbE]|=-6O/V4[@XDk7zF̚9ϳAQ{?n8_Ssjtxp莎xwI۳cvNowzm&Rx|SE%Zfq@f%;Cɪ^%*B)ߣdC}(B+Q$YҲNC'9EGjC(P/iNm uvU;%g82 o.ZgQ2G5UbnQM$2;=/8Tq4Yhh`v T10ۛ1Y͑[dUXrm8? 
fwrl:zg2)x^]1 QtaЩ+|o#scYQa1 wf4ӗfႇlnE̾gCn0@ Gu436`[ZJ;"=yGN~;;j$`ŘNAҬ%w=n0Svr-j*d.ɚVܝ-HBn݁^ME0}pl.la{0SKBX-*K &<攺> Ds}+- lX:.bAM*@碴%EqE5&'=k|c|&MV茵ڠPsHzz+*XrO4F̱GS=vm r\K\Ft[/s!0d*}[T5<&O\ 1uX{4s+Ht!NjfNP=`P4il-½b}n 3!7[#54>xHgHf q|3bAp0H9:jJ;R-趸ƈz;hmGj>S`*1ǓhDdQ`#]L3.3ہ'3Mi1(7rZlɓQ`p>P{wh2¹s&Ð?K>f=?guv^ݏGfw}]ll-3n~?q|zuEy@dZbGy#X<%OBX6z|kYzE_Fs$7~ ۝/9#-双" m=x.!:Yc}gHS)]8WV8{_g~uG_ ?ڀex RmbM`A}_cmyATډōYP$BLZyZ H#ǁ $doǛx>u*BPt)spr̿籤xՄUuw~D͈TY !_tlSe.AE؈cm_IncP!ק/GWR*'8wi@\[m}^sڃhPRyU[=vr-Yf6G=fw )o=Wx+t y EiߤNӤ2<8'Ґ`7'fV1^IVoZMڗ#.2?G~#.3?t~u9Zo׸'`_ >%NZ@S` #2'*"T6X]aiY8:"qAA{qsrxn6S֒*njuv=mǭjeT >a[EG|!/w*aftٗ3fQb@)gЩ-HVj35T~M%a@se,R{fo̒%PK!Fy ct.7ssl.gznu[Xmw_1\Mbr49.Sa-l5zCZ^.>z:ǎvfvgvGݦ\šP#`CKT(bC=:z-"zbZurI ztױAp0vAݑlG`Gڣa YYq)ZCsGs\|/s悯}s]]֠syװq?s⿻P=֠oYզ?ٳ񗯈 86î0?v' 1Tu:MW;t@էA=~:<MЛe[%@Thއfg邅+gAJM?,{AF يw5e&6%аYmPcHCv5{գWnlYv; ]>P6۳& Y 8N勒3ւy#a9?5*^q%)P':ƝJ:p5n\'iuru~f2eNUi(4d׳U^AјAκTIN Ix~2Eќ~`~NDz {gZ&xLd4]GYuӈg0HrH`il_m #f8odhC!;ѣtVMCVf5y D ܿg~szn985z4yV+"iV2r6l2+\p/;P V~D r܈^0=˂ dx6L7v.HE!}j;%l9.OŵKu3n~1>361و=64AGZF{øb#ȑ-(!rڭ `!%``[. i2LGҌ(MVLrƣtnP]?;kBA:a\E0W1\{]kGޕs%G W({ ,f18 gRw I>p<RXf dz{DAVk~UM{!*רSEa횸h.&?w58p<{f7M?qA7+ A&|@W#+ɳ*ZNˌTX$(Pa~Vg]_Cq+9PL[h@*wfV)9p %tr`ZiNlY[2LN*,TJ$;Y f.Ŗ~iRapb݊PK!u|N scrypt.7ssl.gznu[YywOqAynb>ulqT#jU1i~$q k3gi۩؞ TljL +;ۥ yfͰ6Kv<(V?ԡLK1V4(ߨXX$EL4WA=,Qd `̝PJF{'G5\oF빚ݩx}J}Z3&)_En $?r+Y D>ٱ*4X$ujun0M "iݦyj)l,Amv2klԛ"W.6*s6yj q1Yͱ;+;5Cu(pĎ),q6 [aLiLDtT&ahF{g+IG<wuق8LZ)dzЊ/tF.iLVOm2Էm{Wfv7[I7*\H?x#)GOG4LfVN.ԙ}]z[άdc]Σ([_VC_U%Jݻ*zBB gı#E Z8c\ġOSz=p* n*: ?l$|>aϤS\xN IΡG2VUivS ٢!l(GL 1|GMB@PD|;~~3VTx5!'3fsf#L+Q:*IX$Afi 4+;>'G)3J߅.1(!ċ,Vj~Z) :sc SJWVCQ\ƛ.61L}:grζR aTё?`;sm;i1T\b*'85v[ _l"rt!0Ɨ!2Ȏ$l}3pCĝgO{[Nu۳fBM +FaaIԫ\t;[n046dF7FU*6LK5ƶ,h, M+KT6&J<e 3_K&I=Š Z:b"z$'796U=Msmc; bj (Ie+lT'Nݽ(n왹MͳYjr9$U(IAHv/Ÿi|z((Z\ 3l%aI^|NHDž-p?Eσ#0;݃vl{er`8Х -J8 N+gINpd@con/l)ߣEC]}hB A3 :e'PF;>|xFǯN6j/"T6~<_S0N5|>9J9rm+iVk gi}I 0'nN1d? ^-jމRnOc 0Hq*O17E{WDҙ>n̍> .l?'h2ǯ` jN裭͍Ayf:~?XQ[Zl)N,iƅIvҌ$߷!IX%/4LՊL|Aaxw. 
r0:Ǣm>;pw?!](wg.v3[Ds4EaƓ9e%Ö(чJKgVsj+;m@qM(,Z&7sVF} o= F6-w+30Aš#u^z VlU/qMg5{.4Z w5u!G3|Ceo)6bTw]vWl~##4Q"W5-2;%T%|M =E_TĀӧ@i!脁:% FsD2wԐjϧ!h9ו: FF$Qdqرv-1e>b_G y iV7Rn)*ƪ[*m w,OjT'{&Sr£O{H2J+ID"I{Yy}>9O| G,ͱBLⶎOE@*v ÛSV *ȑy"72g6W6'i")T2/o$"N/i{h,DsM_mb4j5J5DJVD8Ht򐳗Yv6͆L6͸!:y#Wdus3?r с0S}l<&]95SoUZe4N\/7@'q;kIuyPi2Ʉې_@(ѓX>x0 cTȮJUc3A(QˢW+ tڸFYMAUǨ2ԮnYk@=+m̨h)cȕd2WA6Eqhh/\+bCN Q|4Y1^vTE%:_6,-+`Wzz;+~](Ct4dJGrScӀst+#mѲS WMM8/YJDPLYPNPD8|t0FHDKt1Zue8\~!^+$8z6s,mèg}n}VBt?~U'Wg,z3ūNS:/e'mUp<**S `/94g"B͠c"9`-պ,L ~kxZrx %Ya>:G̮%1氊 LTqRej$80|7?HU6P,Zk9=W9Ǵ]ONf,f5p0^^MO.r_*pe!6X-wByD+)DR-T o}ȃ7σDC{ѻscl)IPHw%xaA0'\_qosOtOazv)[΀-.îޫ  2bmrZUB=ט̭̕yv@Oջg_g46n׉ %G[V+°5<|(ʗ񘆗Kj=W- }@A.gY1pPi9|<.j$@鏳w׻ՖG2vXU^Dag+ -f|"p;]J$ޢJ|al#Q(sԪN D;"K BǷ#GlS`l!* 5|}(Lh~ BʜE^vxʲ8=vYL]}[He085}PK!$§EVP_KDF_HKDF.7ssl.gznu[Z{wV_\z[ p:uPǬ80i##DHT;tos"YF#VC 4Z۩Ap'2JW,UCE3 80^ jЯvڱ+6׋@_1LWF;3"؎ە ŭ6S%RWW D*d#7< id&z X?˥/Zsj^*FfW ~qHҡq82_74$(و$ZN*cv8HVN)[?ҿ,p~!ZɪC&Qm1\ QXB=0qJW#q.c6?k1!Q̶R A}@Dܩsd7B),ǁXUk-]{㈾BC1{;yHJ"Ҏg;#uJ"w{Huciy/stvG1TJ JO:+VyB[7 @8nmYez~f5|j~P4*JlSmVa~Yt/Kk}:(bvog^y컳vBNiQEXRgU*{~~;tvi7;;6jn78X$0-rm?뢴A;WR-g쁸=z:>xz|&4K"Ia؇+ r邐F_a޳nѕM-Av̓JL )b7v87.m~ij@ >FxNIWI~_q YKA(2@&{ jAi⤙=PG`Htx3/9(GR91J^J1׆ڸ0'<~~ik}cUs0f%GaDHIdD+ld'N܃M.R^Q .GBχ"IA$Vԇ=-i=+bSgίS43oMAQ{~X'Ŝ)~srz}?4?9n;@]7FٹJӧy4CA!_YKRX]R6h6y5O2ah؇b+Lx'֨hBnW̼yFggq1|;n5N.!?y0x6N %3.6ff"h*9*u-giC}74T#llnԴT&&ZoH`,!QPK⓼ &d6 6/ T8héb"NQ(l_QSY Ԁh= Q!B~7Y') |-C*A2 r kAS Fcgv.xDfnv2qFaDwBI+ėG~:?7ٮ'A#!% *;g3"4А) ˮ f[­Clhۓ-&2;GnG[_~4km Gi'̂6uQVLÂj^1]gMDc|z~=ϯgb!3 2X6mIޞ4fI"$6Bc#ĉT7]^̧36I'Zڡ*Egl>jc zrqz([I{0&M8-4R6f;^!x1`T :w^$u]$q$>@Ȯ"Zњp)EFuXNn3"/ǀSٖk w0ӳef2&H sp]Xw`9rP`H=wFilnG {|쪋BZ~I4"r4E.5]BPv${WGdeKQeq@!6Dda '7*r.44VG-Kn*qZ"%A5hZjGl6fY$J Kq '{1w"QƩEWQf8> }!cJRw i`5" /5Bv|dާ\LPpc?z{y2~R+vuQ( :O9cъVt6tOȕK. 
St21a"D_voUfz~>Ë<_ 8w CZ:G[X6y4g% lrʄ rY:K$]ϩwNYezN(#UE2m>w)FQYO ]к*w!gK=5, +Z6*/w чD%gg8;:ٶ_,۬8('DB=n,w &P^\[GTl4{ҌPG)2:3LNXkS<Pʆ ZX>lL[GGZMm?2V=/ OFL#߈;[C'!CqM >y-(9—aFkTv=&T'bVf*aK燇qD^ ` Gx IiH;tK:CJ20b즀vYzvݚ,[~Ԛ$|8I*$BXM4@=qDz'A۾<}ukW|vVsaV:[wt?c-7(2AtSyO-zjM[jrWfhʈ*!*a1(GHfN$EeLH["W#q z+!,M :YnĺsksG[9ќ4S1CB >;ɴT-$d:@Y"W1Ro/m^vb)1=&43 04QQAr⏰,V_;߾ , 3"sLa+QdЖTQ,J:9|10;pz4pL&nXα֫r_'_#Z!oHW'ӣN7^xfQc#b I:N< 3 NOUpr%:kcĠ#%5oL[(5A\,*|Mgl&3q|hXߌ+s{L4BUH-w O5r4y.$9KC9@ (}Ql\{aGHI71x¡g?7xmkN \`mm;FJOr+C|{_LRsDtJH w0N6ʖMA'6JJ'h@w3PWsҀV|0i/1#U^KC4k)Ze"?B.W{Pxڀ8jet(Q4h@SAk<~2B$_h 2J~7bh w86A,~>Dgyed`+YAnψVDrو8eu˳aޟ\N?$B䟡QE}Ӣfm>LQaƷ<!9I2:9#ÃkҏqK8^O^Ҁ8 zmHk_i?$(+I@8ۤxF(3?! CM룴* t+S9s,lb:dv5)U 8L鮈^5 "PP,ҵ! %FoDւ^%k$Y1qx Rl,j$y+ĕi*Ԝ_GWq6ʘz ΪKס 5AZZ.E%`x)C 䈵{]6+ѻYF 1GpḱuM^0CpmOv%%#;}[ g5LK! 9+J+ '5 |!Z$B >UrBvk kRc:h7b|9x)ӎƷëZYL]Ս>+M9++]g]<ʦ03շ{YUTE7 w~8ɵUH8(%P#rt$ Rɰ[ cg!U~bk3r+3hdќO>9KjNUO_dv[os'iW-BT+5,T$,,C r1srLgξڄ}[ȍb9|̠ʓJ"p3)n#]Ъt9ʓD1~J&WbΪu>l kU2o7SC-r=kf5S&zKﲫ[ W"THTFQwmv7A%j(KCjX+Jlmbٓr!QR·/n_4pgm2jSr."\ɚ 7{wQI?9$FJwD?kr@vϻ}M2ӳBOwgsmDiGc˯Kj iK;ՃJ4snWd˺;H oXdZ^՞x<ÉoJ3b(eN >ZlH|#JR 6嶐NӲzƋ$uYt|=wF)*ƶmn֕9 憤﫞*ԋZ;`{JЊJ( {BܝMPZp}Rڪ: 'B. lNT"$zM8}A 1 ՝z+Ä&=PǖՔ&_&?E>lŞ0jPSJk 7fnQ8酺љ`8бKVHBE} ^ Uc*uubc9PQƥ曎.2nXDL~qu 4ai ; JeS|Ӝ|ʀr"L:078azq]2efIzNv索 ,9dOQ L 1]vhDHD#!U{W%|y+QHb?UX7bqnYQ꩝J ̼)¨zuD9hfE'QlwO*\vH3r z"8$;GdttdtLDD)5Qje+1XySt$:(/d7IOi DR @e6Pa<ʀ,U"zލ8'0 q=LœͥݖtGX] rL}P:nîBSubaq9%]%Cc4/P$mr)VI>X$58H>.70(,oCΒvDW̕4\YQ5llinšfBF(N=ynQ֮N2tR[fi4$7c21nWY3LZB5٦DΖ!;2/`fM,,rN6Z;Q-5ޫ>fyTuWEZ\{Y݇%z6[tGxj>qg]l5lH/c 7tRXጆ*+Pp 0TI$,6w/ISN sbsiM+I;R)Cy#S#MYI.ANiGCž.^FJbƙC(s.'L+^!OGGN7>xVl4~9B1!R̶2ˊ- [DPp>`;ܙsdja9Ū,'P㈁/vÝB};zD;$r&t3Rg49&v8BBN( FZiDȊM~r^^7<!*,oPp©l={m (˿3sv6}AAVqYhbo~ozuk}8(g;~yyǰS>c0jXg& ;AyGt1l`F ;ƗGN5iU/K\7RB8)2 ^!58ȉWd NIکRpWsaP@(U baWϰ(iQOu5Mvk30if\d3"2<"8/n(NމktsQ ְ?x{QL2lvY"HP`#W$'^z}Nb ib4Cc&Zp"eM;yHq,{PFAJ|v.ޜo._+S'7O_DȖU$qilt5^O.h9syo*,J7V4DW4N:߼Y#|G1F!ULU5y*&_14i蠿;OSL2TFbIQ9 5Wa 8斛^f|yVS7V/z=(i:m]6hUʌjw}8Tͩ/ Q @ *D\NipM}j-}F PJ0hHo.5沥:z R,YxiFC+"N! 
S&ZvH4BX8bO3y^#kծq&겖ah| ;̄V.lJmT*z-*ނ4g8ȕUK7 J.q]>q}vãğ%݉Y珒;4\q }ʋ NB&Zeڍ.Z s7ΫװK1G`u7o4s՛fzk;m p!2cc3 #t V1~zTU>0=x[V\';?`p^t(lKt":M媿ڋ+V(2[ҹofoE%H˗"!M+*PH+l+L3 2"(U0' flBVn Refn" $S?鮶$s3 .g<{>8ؔ[8AKU*-5E/$̊Yҩ?zM긼8 /fI$ً !6Fͅ $ $[9B|I< LH&pAՊFABcNdqY"׋4ñ9׾k)L3Y.cHrv\go>΀͙T;`iδTbĩn 5 N{Z٭R Z. ![J ݝ}-dD6`tF.ڜt;R,F[9&JY"QIf4, //4KWTJ٨vKw¨,[,[\nR12|X.f-?ã5O|[H=],ma<;g)'LoFIY7~TX{؀)V^] 8]Vn5ZzEog! LꓬJXD>4g"bImon-D~>]8Kl\Hl+`3At"GnO}9;QӳԂ/7NY[.baLj2YdEwNw9]+ʦsH0g uumE& hCp% ɴx5p}ӱ,a/ۅ[%bfy B; o> DKH!2R/Жޞ%1I^ #~Ev7F1ɔˑd ٪ɇ+^*k`05w)ٖO#hRt>qJ4rK!R7`< 𗬼&gg?$<c]QpO#/,aG(z!rA̐OI<.%C@މ#AJ7 ?ЁF"&?O1G zԻ-*a)Ll!Kj*2zǺdKbʴfǑ7qBJ( eIEFmQ}Af`҈=Ot=KiˮgPD%TC#,eO5Y|+US~{:&)p +0?FŪs)JP'}G<Ե]wK8 TSHK,V~78}zD>^vt1h+)/c.=@3x9HN=7+Yd'=:(mxR;N2=Ϡ}6] ;gbh@f?U5):&d{.='#DeBPN|Udftz=ǘb =YAy$^qoweKZ Dte-tD/6JyDOѽKhl.7DgnO7o>Q'f[Hq! U{I;zBWU*˗߀-oA08J e-SJ")?m5f~t"NҽLV9]_ `nUt4SQla$}QN C~5bMkumǷmeV}rZNɔl cTNMƵ *hY-C(ncka0jo \2 FniL;E3K*d$cvn .|\PY">6}fr&LBrWWhЊJUGx4XuSgUZn&zT`/DHGi5)=_dVFAR:O[JuB+}%D h}_ S>>͹{uݧ ðցS*ϟ3/ 1[ g I4bj0j:b*F=hC.EtM9Ɵ"z SU~enkS3T, v]yP gK@!0tw .VzQWxtovYXw+Lm5!徚% {sDQrjeY姞2]^~ޞBV<?}gQ'۴xDBgmL}eDeg}j#)0C#VuJ/Ky:cͬ,>%faL[ZT5!œbV!nRZ$&RY=7 HIcZ.iťW8|>1BxzMvN*>gk? 'PK!bņ SM2.7ssl.gznu[YWFF6`2I+5?LhVoJ6gv%Yv WL;}fgޡ.ͩ~R?J o/i- {nİeW|߳e!$Bd# XlW5͋yy {Bˍ6ɇ1Y]_&wUzur80٩V7+2xeLR Sh7Eh2$uFFQKɢ(: (\C4i^7$AXTjT~c͔N?@:+B5*)G&S 9q'}S$"y"M9txY@Ӽh\8rKOpu)[+0iT IY*߾:as`)qJd*Y̹4E$i )Y%E*γ$ I2 '=y@S)3+.b\1j'grHU3 ]2oUMRJϩp |VC<=?R>;>Z|Sk6~BɎfۙmG%DR&98߰[{[q'er]K]?4Bi:K;^{Hڨo?%r.|niXm|Ī&NBOLn# Fi\D[q+E=r520_hD*]n/qكp{p;p6o aQ E 3+?g/ MS$AJ{ Y7Eky&4>а=9_!ǘٔMgl8|VPgBn~ob=k^:h>MPnsFɊmmICpt^%dRt%/T0 ;tZN+ؠ 7N_TyP]=YuT`J! jشlY!W/q58YV \q#i=HVu5^\ܝXߑݨ#CZTQ*,lb؞mؘ$4U;i͘=3(n3*2<*8vob[hg|գaWu^-XĿ \'"/|^iD\PeO1JSitVr  =3TԀ*NC!yS/vYΞFv^^ vݦ>aҟg "rU fq/D$qiBgqf8^fP =3Lx(.$ʌN?7d .|&Uv6|dL c.(?5I>4_+DY:A&>7z'EKn'8))Qj)kp 8c7E:[h^3qdǟ@D5F*/~:&ۀxXçy _dcWe ]J/GCtd^:[lt }<vhlN4JzUo\ ҡA&>ɂctB./X5 C堚>M(AWf6ă:O0{G=eT(עx̱ʢzJ)+J#+Frr3?r*ƍ#eĜ.œUb/QI@l{4Mߙ|:J$M Kְ*i~syjŀ?Ō*2Fi1Kwlh/HATy()Zs+~ׯF%b>W$kao. 
Unt dh'?x=.OdZOdW,KQ\."8uN9l qopPK!yCi i RSA-PSS.7ssl.gznu[XysHOD@88ص1Ôx8Ԁ& fZqhNa.>^M*΅.iqI[~" ^]ZZa`x޳U۵]D Ѝ<ap^!Zv2Ϗg-+8-;Ȍs>x;̹Uuv C4tu`Ș%o{ݒ}Pd5A5)#bI q-Qq}W ͓(GP32BRCnu ډOlbը眙tF EF;h2J+? 4Bh$K}l̫vR`)*)KS,qS ЬJ!H>tR{v\ /DYPٛ(c5eZȑJIUq29m*"?Os)3+"RE5Jbnj3#ow' %g}TXzS<9;ҙ8>zӄg[XMοӀ#vjv0hj%J<xvzZ;v߄M:q.*~((S8Y^o?Ny"gR$sr8ˠ~q{KЉu{EN3w!L'wO3Ϗאl[UH9}Hь,һ75]iie5_hW8+[M3uueFhp|`3+ҋR7(-+n-4V`@ v՞5,d6rZ86G~%+bW%7`AWT ( X'{N˽joT%%Iyrů:_c}gvYS*V`ڬ f=lمq4XW ܲq"8Iݏvu4 Od7d|HJU@DzFF,OΑby9"coJlW8N[QqܜёѵՏ;yd:zuNHAz'f-3<\2N_Yy.t(͒ԛJZlvqԻ?aHQ* x" 0HgK9Y},@I|zNͷoFvFדɫ{|84'}1/ǓAzļqQ֞?/d/˷k铓u&+8[1q:W]Q>35k^,1REybTQVox|YA( ʇ(fT3$\pdzR7qxTgh/"-(l͸C+}p"qrTvnť1h|]W@97w,J i1uiytՍ>Ύ=Hu·UUۑq `ȫ*.LU>ߺ9 wG1(9[JNn ipQ,8y;<җ*8"3q&:V{z~:8xҡ7/,Xi=ȐOɗsh6LFЯUfuLMJ"^U|o!2(F=3DAۗ}pYtKK)!NI-lpQTɫNQ,t8e7Ǟ+eͧ,2gZ=黜Doʫ;Ogȱ)<9x{vqf%]]z֖p״Әt4[U͟fxv(q+uEߛ/v/,Oɏܿ*4oxH[xr{ao~=$Nb0IKܔM >]2Klkm!*HtK&~E-@/Y+G \E80Ҕ9'y"t)twQ$Iz<^i%7/NY>DxLXz*Q$*sp9-PK!F౗ crypto.7ssl.gznu[X{wFOqn#A [CpͮcsqSuA fwG9v4wf9ݦ@ZÔGKhjjン>XJ| n7`e|Z;t+Cc=xeQe{&p8qv4"K&Rnc{4Jt#oDO,+`Ȟ,~H~fj[Q"= ٝ1ƈ4䐳}zQ/˖j.74Vh4reMfؚ  :`hpFɊ^ :Q9<1*\qE)ӏ3Jw!ڻ&8qVE#~SFi2M(XCz|* ޢ48șWTN٨Niw[ƫgϬdd}JJՋD ^dV{`X&0ӐvfLrrFFFGGɣk~-} U+jp}^2oDFuQ/У,O#K2@ɦxV~K0`ТJc94X1 юB=G#=j6!+j\[NKЩ}*JEtTl1]:]eRh X"N\abb<7H6b޼tb:ЃCqZ"X):ذy ó*03QB(鶖}yE]`ƞ՚r7գƼGbrrRݸ+gSꁶFWb&6abkXp/N˜Z#h7xu.gk5Xa^ *8/t~` r. 
%F fGz`ܵR$J#atH*r v^cPv)Q2w>|E[J\VqZr M {s{7y%hL\ pbfp"zEs t0s2KUhȦs ߦ нfЯ:*7GtF ϯ M&֩tA84cp}ܵf)x F@Gzg2XXoo}2#}^PIPڏRy~;Hwb\jkq.[빂MY^p_\㜯=5-Ltm$6fgfSBBE$-VUӮ#N*SI(g8 1z?4*+Kj}(S.;ܽ`OɄ.JB վ#G)z?vnyv Lٛ􇫻CT .^ G~C0KcvS~T^c4QP Esɉ=Mzq^ ku4ɲ2&Ρ;AKdlA'"rg@FV)18E~ ]FU.1q'7 grKaFe$"k}βD ,mjP\R, R\\{PK!|A bio.7ssl.gznu[YkwF_1NlhӔp֘ds)jX["13qHjfGv=6.tpfUC6y~ђy_zpl9=wxx控zS7NB!kA6@n* pGmIy&'#<0wf #?E?chi?*Yj5Q&{{jk7WrE|HM#@&#i0jpXT<LU0*rp!(mư$;̐&kF[k?B:aS:5"1(q]R%H!$RH))lxG:A۽>tY(8Ni9*J`k-bwl~T$eݳdˋ0łY!2{$fȑȕ\fPT2B&(@ "aT"x {.-̭-2"p g|rHs[2LML%gl`p ;m(H+I|2b.QurgC);:Fdcș|giXɨwĦ\jU E, qG1N"JOeWl&JyZeQY[o[ 7߱1v{X>pnTt:0l~`-f-RYenj4io.h.~E]n b?w=e3N&oǑqRan>`Km38_v`B?x aGjh'NHZӽ[pv# ch1BKĮi` 6Ȑ칇)'hggA3 ϕ) &yp#Bfg[= /+01f. 4i?$ NpYhhu|ڠ8uQC0# u0"Q):bRcr$mŁ FaƂq}vZIY5Q:L[?6,xI4JM̨$AA'ۖ0䊳ZdEWKm=enGZ}>yfq9f~>bJՋehxZnMަȜyIkrC~0&Ϝ/⌊" =~X5Slsfh07Fc7E.mgU?2]ȔQAP(-p$@qk99' gBjha']ˇ\N/Wnu3!Lsft5POzWϦ Tk i 7l:&87C..Ö=R?.0=ˠRq9 %t6^^O/lS:3JoX7 |q'M,3i &D q+sy׶.m0^Mޔ8=qC\T)vטpA(3Y yDuNo2RWm5L-"8uMQ LqnH]b1+}Jn1Nh-]cEc̦1%2~R9#}X@kmOF7po)x(=1 0ѷRqZС̊e hqx eb`0% ]p7J:8MR1R2C|wR/mn(j Ybx|$0Z1;BaL6<6%)u̶`! Jyhj`JFZjd@l@[@%dž+8(ܿtFBkE~Q,aqy5QvdNmDҤD )-O%V`&["[Mw? s-+]%hb_c61^[~8ꘀk٩LjaEI"aG$0 ܤbx+]TMYw|ĘG!?Mu["I3 q׸ɥh!`~Ezk -x4&]Qܔ!; 毛G >D5F|n(D('`'pNS7vم! Eì@uulirq؞dp1 ^ׁL/oRf f-hvE] z&[$^^R7ì)3K l~EAdf(0Qh0*{Dޣ 8_2AJ:%>\sS\}Featrfvj=*E?-dpzj~Z_R+7Ima*PK!h윤%% ssl.7ssl.gznu[\{sFbN,A"e9:u %TC%ʎ4 I Ľ?us*c{5!'Yv9Ȃ4Sي\E{;$/ b#UcMv2Nе Occ$?ӄC%,JzK{J;$cXWW̛X,&֫;SDz83+]x! HJҎ5OJ&(: ]ÐkQĄEZډ4!iḃaQ uҹYxYLv{}NjQLpAĵr;^]Swvw6<(ñdQJ8{|]xeZ)^Ts@ыcd^ q6Z%ij)SJ4(>B̀W>dv -L|S t ÷)K,{/]_ vS2NF5NAܝ ;f\ Mgl 0$(_9bO<&aϺx2oa0?[F0ST,n7T݂k@gG/$N\_ tqX\@h8Y"& po/g\ȒЊc|dٌQGx5W Wq_O΀RL;ŝ_Au\}<~'3{esi4'CC8(K,^۟# jy9LSf9xn#4 cٓt2 ;0 T? @a8?"ʻs2,ޡE(8`.n*I+w~,qzE^>8&oR?~D;$rN\g!=Fs*[A$5I9aPgbG֑w2PO Mw8]kpKRwXSOo+mWU?|#c=.}`py쇋~w9eOh9vtk|&1 j? c|=Co΂4͠fqAOzi6Ls\c}(Wxt ㏟lZ$pگ pBKgD<֨:+u?rQv)` mD}gro]Ih*NIo92}rS5x0a,4@LjAn;<8c4[!^ qP1GV#m _rg턒vDI(|^wݟugDٷu6M0.&YCjd!V !#8Iݏ~/~dу1ϯ cCDg(EE|\,. 
xv*ed 08CD 虗~X/x G3<8؁1 H*4KB_K9,%( ؉oXѾ\Űo8~KM"T<Y|qFN`;C!|8ya'}"<7P;Y}x5 %\2R;׫P-zwsU)GחW7?n6 P'kt`7[ +@a-EwG}KW?XnrGX:;/:JP佺꜄_bnDfŽ+Tc#yb> g [v&?ItR"p (\BaW $iHQvELXjN\,H",a5@S \3vǖX` )G]5*5f3-BLC/QI?9͋%% ]j|4MT=f:wkk;6ͼ(oզ W`I#li Q6\-a#4Ec],>TCĐlUK|0wJjZ`|{ Z[ѐЎR =yکRȅ4lnt6i v+li srsB7ןF7*ѫ8 x< Tsȇ,s 4+Eg7O1=M!/9KXt#GbR >x1\v ( 蘓x3#b3LBrMN鱃B2TdP!7 9˲- &uĬMDSj ]^]]4 #&BAPPe"Y ӍXl̷pBBthup@=[fMc^f$pν r;Mcn{0Hۛ![H'ŀa)l<4ڨSIQ&|U]rC ?@G4jJW1̳YP{bbC. w~TDNE0Kv~&TtPy9ETZWYI%)ù`P#TwӦn)f#R5t2ACTisLukPirڿ+3~UvHusO{-X8z :K'/JU=-3)+//B$Y(<ϼ8e3O,ER~j c_1*0DxޠLTg'/UTmrZ`2|XFT܍tSI$pmIjZe;Q`MXYiΠ,AeKdǎYhY\Svs_AA˹@ka|O;WsԁJnNHchzn /w|p̨cD s<$ x x9aJĨ4 Ì /ٔv +8 y0CmkJGLO_PR5j*0ګ0V9tr◨#T RFRRKv 0W7e~tF FI+痲ޟ84&L0bȳyˠuFhQ~GXKKK,ARnG]=r [+@5lݤݭxև?L[x'rk)A/ K}i4x/ 㐷I>=<{g8>j-\#|><ʷ bynE/ + R2I2"t l &z~0b :b8xG XSUV92|>q5DK:-3!3Nd)h9U02&z*N}OFSN^Wgd~_`1_EDE`;|5on !Oz&fQ<[".KqEf3>lk&"綘X%l ~ʿC8<*AdUcA=+pb^b4{\6X3-53/q.Tfwnk7.EL{ 4 D *dDnRNתDyшlaW%m!VT_u>u &`BB+#p79ȏ5V*yt+N0U\2CCZ;5jPX4"Z(Uu`ژ,AtGU-omt+Eh(rƒؚoBCRz5JQH=| [pMmX[˿ y?1|k~Or* xXe*k֪0U9%NmY/DB~#(^@_\gP䜰o.IHl}QSaWLIiAӔIeIζ.MSR+IdO yŻccyr{VH|kZ60(UlnF6}̞id0_09u6 l; Gg. mjSʷL4ZvҙQдv˅cߜ]/uG٭n6nKuL77T}|}/i7iD5x~X%hM6}(.'=$Ki-N&ӈU74kV; iL! vmÒJ+FxL&6g'me1CuRw|jF~T2#j̶"̚-vb{QO8jFQnAEʍ;lу6id=CQq7'ͤ󉉋WqMU}oB h~}+ῡ# s"76D ]Y|7-?._y=j&`֤ttک)"Wk-, &ar?~$ VϙVaTKMT7GnͧC@[l%Fʫ}-ft3=c\O墯" lTY#Pm c;N끵"#ɍ |]S;_IՈ<<F>zPitKFl#j5`Z'/4WK7YvT=[Ӳ1ah}` l{`Ў!al]?ny\Mtu Iڕ #7-52<à|Iy*z; 9vQC#X"Ք_ZDm÷_ n޼*}JH֪nh[AY,KB? 
e/7-7Yp9/QC 0qh#ɚ|UE\^Q8_[ lۈz|;'0{ LhS4ځ♽ΤnP& 5lƱVV[3~Vݫ,S;tէ/ސ(}sx} s[ɨ]_4p^϶z jM6}PRdh 4P2!17Uc|Չo؈}u F*LtUWݵw "OryiQ|6S4@)K, $;{!wggvTrNGroݙoќJl;%ܴ|wo; $-F@兇1ACxֻ5L }?Vl{Wk.`eM9_<WЖxkE*r!pHm$E'&U٧n|GC'N.mQ̧LQbqlcDB!p"'sq> ]m E:=Gr>"x0'477ڛEFgQ# 1-kGlWma]8܉e|onY[vlE:p/47mɟ]ZfOul+Y1C RI)v2G1߀@6W(H_]0(M231m+6LJ'6x8:?dC}8I'T`vlNMp2|;RF Hݽu7KoǤ(^#L)n-7IԐxT](8G[趤\tOj;i Y,Yp@u8NH(k82AEJWE5 di[ѳ%49lcHbA!Ʈ"CDMUDX yiPآj C1NJD B}EI ׅ)qڀ y9"4HѶ+: &@)j" n7G_y(zU-6\| } +(DJh#OmHXCM}WjR54ry3i]]fB-Qݺvu{zPu%Eowu'TZT{]D3W#66 ~rbz *G,vUkAmDhݘyRY]V0h e!XU͐+2v %ƿf#- nOce~pVpTS4zo)]eqv~S:FwMsH.=,XϩNa |a49]1]ݟJ8ė#!Ғb^ڧͼh7`N%hIMH2J X );]eu6\c;WlBd~#1SՆS3̂#ۖTTOY450-$cq/BHPuUG&:4r=!['c۬.z)r\f!KZ[(bj//v4=bG|\C>o8P3^;+,)"1+0 g8MЎlNf6ѮLpvYgɡ m¸Bfʌ3\HZkU>M9 n0_ ^ssl IvCYD=5^ $腷SWȎ9hF\Dl =IiX3Ey1m`î"1q-٭cXRCqXhAp׈H\{Be#|qH^f M$6ћKڦpN8p2N#:ʥ ړ ^$ ۜ1-åǥ6fŀUY XzzӠ-0ыКƀ7.W qB”  tZJs1h,hD1o!lHb 0Mi_i H%W[K#֣W:"-~-8pJNƯ!t <9υF6U(;sܜtM>_clJBYg[P*z;e s'st $g?]b.eJ`BcW[F0>VřΈo}|0H9U 3!栭|s c1m'*R8ee|8"U,ErrHDe1Xd)H+9 2H1-";;wi;gilѝKc%XbL!avX߹)zQ`X!`VV#Ԗ|L۪].SucB:T-iɚJרzi4b}j%;8%z#[I?[ ؍5tCr;t|'۸a0-ҵ)Ia|;(Rgwٻۋ/}rqQ.6PޣReiۺ>.Y:}d]\dg]2ڕ[aD==:qvm~ѱ"DQȌWGOT*o>~PK!-LM M ossl_store-file.7ssl.gznu[YkwF_1&;Ц)l0NsBhO[*Fh}w$[ 'S?eYD Re1߈NO_T<}4JXcIBJ&X%*gVB:TX+[(M&`,ZBx&ޓ;^r pSp<'׳1Z8唖lAm 0H",v꟞:&7/›X27.P"L+YQʂnv$%SsYb0cV#w:UӍ…Bb[M8'/Vur=}Q7حm,zY$bL*;~X P=죣 yoB v{7'vZ,`.6`DzN' Ѡwt"/?X>GmP22)6ך[21L慩 V \~G 1F$J_UUlZxZI[ZǍ/_w_Xp齇ݖwY~3(G^8iv{ZZ6%J6qk.~k.:gyqJYG'QueQS>~@\7EWb=Nhf, bFi4:.WTJ٨`w-gcQ/^L.BmO1ۅr b/ßVmj;l;va<㝫n#LU/䌌$ =G?*Č)qp3^nnG݋H|٥b[ wnqwmDGe J41X<^ˍٝ #' 2 riJ"Lyh L(yL*a4Ḩo R]0m \aBkj,-t< 䖳 Jq驆@¿Ml|sb`ZfkSyF/[7<|oB4/o=g vСD&/ $z|K XLNS%tz!An6a(SNcF z 9F[ΣpY":'" x0<0zBRqF&Lq 2Fd>L%CJL$U<5AX(2IYA@*!gKx:Fr/r9wm[{>q|-jmbbei QؠQ *а^)AX-sl=eK̕yez0qBN\@V MJ֠{6qv yUfJpΗ;[B0$<|sF ڷ"p8%rf(&…(W"~l,8D*&Y’ҶcD9G} exT],R2ܗ)xHNZң}: کDX%d^!'G-8 t*Cnox>^{}q3fb:_ ڶʦ1s| Dfȩp22DUYHJ%t&]֓X.!z3پ;xC'^έd\\is}Շ2"o,)7NIO W/G˛u\[կiw绲R~͉wFf=?[{5'R|z2u- qAd@Ngm0劌ʕȫpL fq$KZaFC ySݑ ,W7u' W2^ERgnM ?ksqfRk H_Mo5B+f>Pg; 
\Sj!t;F*z]PMNWYS,5;)262ϺDq 9өdEj/ԮTx* TDk,8U=ê u2I9\x='/ɕFe\ )j%U'f $ޝqnsW#9erq4?b,o >=r_>.m>rfԶ>=BqfmNWa X^w0ɰ]9Ͼ$7l[UH}J1,bev}ii ˎ}>Ѿq![0;uodOVɨ,ym-ר1fd w DƉ}>PĮ>pF†BN GVwtAImkzL+`gV+l( }bQ~ 7 %JU(Wͱ0}~WOF3u)T`ƬNv=[ua&+: slLjoco^8ߑۨ73SzHHlQ&b 69R 3 f鶌r5B8N[ayEܜёѵՏ[;JTvYnS,A}֩"Mò񳂦j}I-4cp{H8Eܐ֩a%,D(ʓAj3Kdhw#Hjrn"$ [V['wP%8T*~D~3gQ%>%Y&,e)N쭫`z2,[:9gu5~XfYώV%ZvGQX^fQn;iPK!0?passphrase-encoding.7ssl.gznu[ZkwF_+oB"!E}(ۙ 3vhDq6߾>0GّYY0܈{Tf;n'|; VIĩ{帳#LFL}J:ǯE?&$?Y:REb'F&r;`!2D/.;uև9zHI \N`&GG^k]cqU+gM^xH}\ߨѨmTۥFd^ cԤ0/4^{zC0ʮX7=KkA٧r,S\A¢_w2 r8#p4%3d!U-JbntV x4#kE7e7`R&+~gQk"Y/S 9pSJƞҚĤn|mXBlџ5'ۜ]tE_{k V} °I bTB=sOǍyE@Ӵw }ܧ}9=y(h&J -vQ@A16(FxqI<N1יO\ׅRgzX/%[DakF9@!K360I[ejz?͇׽̩s3uy Y^â؊z1ۈ}ܔr&Aɣ?!QaW'Fh-#.^Wܢ6% 89:YRYGE@f: &0y, {$R%3AYkUhAs1oǓ͵ԝqo`4Tgnn3fn4r R~i 7kJ揮s F9$H$'ȶ@jb d hx9D}8"UІ,* `tM#FZqO W:Kd0:Q^dE,:i=KaLڨ05oJqN9JsB~l VeKD7 * HEBNuq Šdf1E9RGkKH7 I`v`c' 62:gg/uzmT%) L]=cWoT11%)ʜh#/d橲V1p7r^e)աZ)o=l>AYIJ*2$oW'kG~n22pH2}8Gs8'Vy!V'2Rm3E2lؤN_aWf&MTBҗIfIoy*D1T"@IL}iO(q`ob`.adS|؏,32UQ bk7jf'-We>+!'(L]//y#Kiuzt]sk1񘎄vS/N< t9NR% %!&7)u[& RĂ$!6*%A>0U94ɄuoKnǖv4O)ˈb,b[8̫ҹ. 06[ܺ;fK-/2 ,Jߪhą-HAZR ca.H1p sIz5"Ka(Q-=z~T/"+"b֩ob` m͹Oӻ[%>Ⱥxk~SSez eA" xl'(Fv(ʂfdi+q0ӦȚAf|`[!ZY͉ziznU;v U9&(٤ 9BԴoEvHIE;Mo)o;U!c1YGmP; 1gi8N aLkݻŀ v 7ȇ,E!P\-_Ryn %nlLV+8@Qj@mܘ\]pl ']QRu L05 U egP=% f*פHʼq6FSc+tv?=CR}+FRkS0C80n%fPTtKY)EY^ 둦Tʙi_dNlÈFq , ƬN֟sRNF8SmI,@dߢ²B`qloyuP ?f2j]UQ 9NtBzi/^ C? 
y6QH"p~Iꁐ'bQٚeJzu%+K n8C84k~ۆ%wgDWڟO|p^3ojIU\M@"~WS*@ڦ0N6`7 nSJoQHa?E#uc)[:଱_ {=)VΊv(xS8$0^vdXRnaޭZ \V4ꑉ##r3]8>g ІcRJB/v_,U9'Mj'zuR7R0SGVPۂ_#u(c6B)?=ƎƫH^˫io'2HV3xKZq؄-[튭aèNq`VY csʖN+le0dkX-f.jfp8oP i;\wd[ {Zim ,6J;.ǣ66M5;g;h8wLiRKG^S"o,:!ɹ'TAw89sr2fc"!s]!7 HMɝNRd 8u ;])25fyQ>,Zu u O'{Vtn"C*b"Yvu 1KM~PT\*3Z:֗`L4khn$cx(\W/nRxOX dg)LI3frem?Uځчɧ7K⿨MnqSya'sur+2 !C0j`ڶ,Y]abc)xʹ0=8XCqClE B?9Y.EQ'fɉ=Vkom 9.PK!Bk evp.7ssl.gznu[ZsοJ7iA٩؞ʔq∊cOJGH"+84[{{AJt:Syd^{=vfisoB"pl&{riYS/}̣'ݖiMSYQHi*XfXx![d,Җ9O藖+m* :t{\oOm$nP3k"aiCXJv\1BZ.ɘﳵ [ lfY8g?r\.{q2VSsڵ9|1O 7YBWۛoLvjFMX9;F؃ˮa#?c$k{KQyZVq{=l֠6eωï\vGs5:.䦏NBZ*z܇!;`6KYMz}̰Q,=R{0rt d< _Үtf*XMuup/Fh$0,71f);볳6>+[V؎XQgKi2@k\wx:86Gã.%JVD۪\0s*HʓF[`X)Pkky0N$E%_vRa}W}PWF3bDu)%k=lAegD+lD'Iq-C+[?0Uw.'LLr1^~CYЧE5t$^niҀȘŕ_WjT!&ɜ/ '=K? )>7a%S=X?{d?3|E8A=fIȡԛ$bod(-H? aR3xhEY8u#' _E!g$By%V(ilbI6q-/=1 RfErE9q*Y }J/qn!v͉-]ld&T%b516`rh a'9wuVw/[+fb yIT%6^YEh&/#YGۚqz>.oLKzp+885;VM^`مE9DRyj̻"R~h)yt篤7C*" tP%$❌^Nm4 q׶=#F+#\@p #%x("OJ̈́[V" LD#V*U{9%܌JT!QWM9!;H5r), OD<ܚKjOeO(R0VQIfcGOjIxy~^ޓ|U@ȍ.<^X&ԐP9|![ЖQ5rɁQvA Q:5S' ht!ū~uKMSVWi^ھRݻN:Uj0 3krl|4pAEq.3-޸pN=z٢XPǕ|hWUySm4uFSzb^g߱ڌf`56vk%RXf\jVz-UdsS#j.7UYcm.ۿ,vW[,*mnr\l;m%PK!> RAND.7ssl.gznu[YrF}W2HDƮi)b/,Qq x HD3 ì߾{d"G=c4q d+*S4*+Gh$|=rkR߁lBT'"#g]飪;J!1;C\eg ܩ#7n1ٍF0{{]O%w-6d(ڌ޽k3rEQ.t %4ڀQDo#FDe%y;2Gr~#-Z!|OSϺ;ӈ).E)pg>KRG߅ $3H$Yx&B׻JIpNC]- l*S+dLaŠgdٛ0HyUjD6H̕D"V2֤+STvaw NSUY|*K2 C7Ylg1ҵ)sĬr/L+#^!gӧ^oo|r?fXФbJ&;ϾMqh?@!98_w.x?G mO%7V]*vk/E/՞ 1xx*毦Fng/K%K2='w6NuNwL鵐ѵ8URɁ;Ju%Qov@q(O;MCx5Ih?Ù5_wvjF՗{N =8`ն(lW[M]{K{o>Ϩ e.c_\\wJVΪNy%{mKyhx<5~L~>=揟lqm=='B?NZ>4;uCJz#k>3.G.W<}gqz{!aڧ+L1#^?|o1TnmIDJ ٳL4y!ܸݚq﮶1"3l89<lvfmt3+& U}4Y,.(NG(m{ nhLǵt&Apx\f|vLesRįwqkS>|#Y}Cm 0VQ@Z-daȕ\:O*lAiIQvWճhoi'3vߧB r D1Fr?W4! 
w>oxl?C~3&\Է_JIY{7~tN7TOkL\ -:`8B;g7Zln0U J)UIr T;O6rmW wL P\ɶ"EC+~`q{ARS(PϯDלkHE-5/.f浵הw٬JToʒ5gT @1Rmoy[ЎuѸCTq`"Fݽe4o5[%n6ꃰjD-mkM.sydPEBRS-(ۖiK m2]mծj4E좙I+.TC8C7RIф 6 dGV0ʖS[ S˪0!elrԒ nAWR34C+HlS4*%$g3t6@R*.K"B$0FgZ|4DօyЮP B A"fgdF~qM,> *BQD{^O7b>á?x2<'jϞafVAb_2ޖIrtR'"2,o`92I-l EkqQ"dL ݾ wl:PO]UvSqÅ !dsp'H/0Ynv Tn붍uߡTȖ_[~th֬6Fz[юЬ7G)T^neYg nYEqX*μkTw(dZ+ʺ@ ( (39 &䛔TAvKk'E;H_Ik]( ]%Dp ݶV]sN<2vBb(kB| 6?Ԋǵy,6нu.!1l[z}Iխ=9gJNr<#]-gb)\[y$續qd rJJO&nUBYT -ܘ6 ,P62PZmM Tk аPfHz9d$V¹!whys%﫸 d Ltꈱs^,K:ֈ[ԌMv2SY++AWޠ;*h{ ?>h.EJg5k "5z,*}##u=JfF׬CL['S`SE};8l- z}P&9WRbrh-n|p 7&qԄF萕!H]/ qr. T^4Wlouyw['of?^O9T5=ɋ \:4o+Tj7R"iFAoj ZF}r]]7sꡟ(JPR bA (%$s 2"Vө)T_\ŔP/ mr-!˜^qYSfNȴN\#ǵVʤ3` PK!Qdes_modes.7ssl.gznu[Zysb4iIYĞJ4Uqƶ4S4Xp0X@4ԟIYIO#{\qi%OZUR)_L*ON^X'l{vo|0ĘDvB1\701>`=>G? ssk\ 92MZXu%(gH;D9AXL^2BfxD;h$rd 8yOQJzMɖQt Q'aN"+PFFҌ=\*5^rppfp9z>ZWDVԇ=ibz{g^]31ifTd3"2<"8~X߉ח+ ј{^noY fⵈP 7"[ܨG9"T h!B^d̈Gz&%J;Γ`[  H^nƗo.Z{.w֌{:/L/uHdZ2Պh=;^i5ڼSJFQ-'7u$5bvt};}Ocv2{ M w1m$!hQ ׵ IU?v G : IYWHQi;WBtgMP1K_=5PT>{*tL6$(@Djk %oOYD= @2AL1} ~NQ*+7V\-ߩuL!ITi  ]&;{X}HHg3]Q>\_|x6|Xġߧtom) sEJ-oo#q&'7\q 8j~?"xk/d5I>_XB,C0DC_]hNQ ·P]ׄlQ0][^RF.sGGJ4TPDKs@Xy<*\~㎀di hLQU3M5=*Dley<삔Bn=B*$ʣ~mFUEd{Ɲ$-a/ڪkR7mElt0n@{@vzikDO*lV/gIu5',(>šKoJ;; LwDO icUإ&mU_AWcoA=O()U;Y%f@N'HZ@uOD"FXՖ"U]~!C$mah(|DW$Mj%;Jbߟ]Y3u*b0- ܚSUX*)bvNd`f:מZfA*5lu7)eWÞbﻰ8|,̒,lL ؎C!`s80M sD`]qXh7ߡ4]{Vc-OPlg d0B4tRC-=+>8S !uBapH Ey_B̾:vSibKfQuV8/E2 ڢL-Y ŽgζFSΛe Ggl * E }:/M('N$$džVUґ"L8E)pWjWe%SIђĂsubQÞOv:|跹^F5׎} .D Ҡx%# H)cM6r)ϻ )eCU7:#`: ΃J-M!J&WJWTn$iܴstO_lD|\]YT!Nw9,1Ei5V7ΰ z_@ nW\Wٔҙ+}@z֧7+.xфy_gMj)SFEH\njE1;;;/- aC7Rfcր^^zMa\^z?q._G\;j OlP=_ \x@OOyK Y-\6HNE*;, C~O9KC^(($LYEyǐ^7_<D?N2E-jrXI9rPp,(|Xzg.)PK!; ea-ruby27.7.gznu[Xw8ߟBmi0zeJiiЦӤrGDrR>NNI,KOw߯-z.#v>x?}Fg!;=yX߱%l*0܉%5/b'8GghuŶNEb*njh 3UR~|?cC=qKn;y.R'®k+ V VI>=cxY|*D'?nܼd㮲:3J{9ҎRk3`_lӗ*(ut}޻[yY.DMK+/όh^ ^8SKm$5+=YJ7n|ӥTgSAhO<{[GJ*ύeqm¤ekiEN6R(Z7TSs5 PQeȼ B,p*7kfS#KGb&L1FNTXʜKŜI #y.?2vm q;q`E]0p99hhv0$q!;mTkHvcC/ k_ٹЦg%#iҜ[Z7Kyn#([")IcV.V 2Հ`!Lymm*J fr߅փqkWoIҍC˯k A8f VqΤ 
;y.qq8kEr.za? D.#qQܿ"50OΫ]&\wY:GLT+gdRc,tk[%Q­r W,HK^[+!TxJXGIJn\:̢υ8W&-˘h>KEF͇th&@!c"TrxnueRT,Ls PA/I4Cso Z 5c,'W:"c40,$t0RtxVgJvψBW:$%W<)'ZfmVi@Frj'!tV(Q9!6[_](Lã7m2QjY}ExiyZTyPf.j=s.s_ԠS$wdF&mZP=PU%T>"ߺ&dPʙ`괿,djQ q&ːcmtA~AUº_C>֗5/~R}|{ AZX)ݍFʃ 4xoӹLh!ؿ9M1!k3 ywur$:u8<^`E[ICf'\)1Tm&rJ WXd:C!6{0b/gHKW]EЙH4Z8,E*'uOQ hhq:H Ff>抠y!E& )!]yneПV_N҅ -w؈Yסmtet$Cp5kp"L\wU7oZ?HfçLm:2GQ_=Zyѝƥq`^"eM W]"gDҐPߏӆGCԔR'X|<` 쿹`T` ʄOTm~#F#W}3vGT H,^3Ao: ?ߤƐ=Tt7^Ț6O,0#6:M mq(So70'p wLWG;3]IM}A6F+4i2W9 N)0KpAE#ri[WS$+'%L|F !͋;&xYFeoe)~]_]೸w*7f84>m DH3}5V5*)D-_uPK!dependency-selectors.7.gznu[[{6?9$vB[,A$K&iAQ4텖hYYTH^w73|hZ 9g~8lo~~} 6ݻs|~wd_e ;/||tn;Y--ްCLԢ*D؉(Enf'3v@ᄍ kY[*Ǖ`Uf+Q#eZyU0qV+# [VkqkePz- 6ZÒ p8 ɻŋw㒯lVM)ly0Eq|7fOv%A9^f=88 ;Y0+^ g ~⡯&+öҮ@ZcZHտgҠXRۊZ6&&S5 %,Z3U S ij/y~Il/@wx c) oRn|.KiwHWf+4w]3OSZy๰p A檱l0S$%5 `V6?7FmDNSJ AZ KeY2G0r-Kh`5$cql4|/M ƕ:#xSHd,<U ψFn+8Ǎۣyqh8*FvW#˗&^͔N[6֪rၩ I`KP>܀]qrg/H^R=zF*S0\.%P UՂja]9O\iPgxՑSˊtx@L0+F;*,_ɲ e8d'JO(01f8@Ye<ި+ R,a»_ʯ9#Pѻ_׿9}z{?5;2b qd`)%YaJ0PЬ;R=8±M!Æ#ҹZ~TA0Rv Ex@>Uv%) EB8K<{yPf3]  #fu#dKHpҠxz:]{@wlƥ,*} 4,P\e(,Q|0xY^Yc},"q:JqEQN&fڙ%֋P);~h8%7Z.˒S\'÷'$Ob>g-+rגR`9\DkGbB!`rXsypDzLa[$02v%sYrDƸ,`Lg|9my8g@AҔ3nxA2tEQHl Abz˔㩥<9I)u  ,\LLYX fYOL>K~^|5&B#B-/Y؁et Cxؖ^RI'G`e € U-wDF8eŧt NE `sez@=s T_WpPNZR!61Ls^}Bw->NCY˱i>ow;ٝI[xH$`NP\LT 8E8QS/ExjY7Fzg/?*۝j$Mo01ps6;e%Rv\+$>#V=4p/Np ԁ*QXB̡atWvBܩFw5_9c U"ꂳa-C^^=qݥ80I@p R!)?AoJ"p cowA:Tf"9vQWg?xַ}-+ơס]c y54ѽ/ ICυF E{Ghֵ)3Q!q|EoQIkJg3$, :82z|Pb8~ +#Zs7Љo,l[j(݊V/7Q~SW |>wٚbE:(bNJs0:pK?K+$Ud!ȸ˨ZMA8vIK>Z\,P🕕90.nhObJqWMijdE+?ż ]%b#&D"i bfpHΎSA+݋0rD3 53xRˠgʻ.0U~5cdI8ߏ̾ K9ҘuuN.ԏ<<"ݥAqL"5/NA.s$~t̋4 i,P8UeSYR7WEX EEA&p і*-h%r~nXHT1[86E~s86N_aȮ9 k8ϫvŚڏиc;SiaMu޲kPDn:KOϱmB5FWcl4]{C$o3u2퓨hs.^"&_Ɋ>P-S\Rf~MR, ^Xjf8D$نzc)2gS FNadV|{Lv{H$xdYv!O! 
/wˈݾ*1CQհ/rm^FK(_?/!Et$3qMTW_L$*Rɜ* ֒Mڏ1kRy3"f{Y2Sk vۡŏTՑGLm+|A,uҕz;VM۳1܄΅nW3 z}N&%=MAe1re}c"_,C$mreS:mMv!C:;c33@љ\xاz] #mw9{ɫdgy}LgF~+P;""8PK!@Uz logging.7.gznu[Xn6}W[ &M -q&"/ JiYKBR{fHie[Hp.gnx6^>z6ճϾᛧcsW9pMcls]_xQ=RoQ}$8q6?S(q:ޟ}8yw|suAjoTGA[jU8#5yQtKmPVBӬXQ)n|ƪuU⛭M3x9-[:W#DWr(նuMPړ:z#YUE:xP8|65+뽱*ejT"ғ֦e\zh{veQOet~T&O;ml0QJ]h>pԲrNWLu׷F77DJ38(@Vb ZƇJ Ɖg@\6%~wtx[[ /K_Zrz,`z4ag ZB#Vm:4g 8XQ5_*<臧~1*y 4[)˸xy)8E֬e%USi -F"cmT[ġ1T!󗸸sk ,]zD1\)Wy2`[F*Ej#l6>pGMEȑok<-!إe6r̲%'̶URDmj)jxPFDIBukIؒ Q aH.tM02љZ\1aWTG#Τښ5υi/dȝT۝FA;?VsK9;G"ָFM5h]mt1\ضt4#3 $Ii9U%$h+ǭC=jG"W0VT̀ kR:o%5zSZ t;QGklFls:/[xp;GOCQ5!I?O$gt %񢐾m*HŐU%i/$pDƮO>g0FIڽ^^\bǚT ^DWC0"Z.g(y״Nu![Ŕr{@o>fE: 7_?=6ʲ[es4iY>%?!PVPK!Pworkspaces.7.gznu[Xm_A(@J+0]7>"W8.%]n M{"96>CKrޞyfwz\ =}\}ofɞa>ˮ͋_g{ܹZnމbNZ\k[+3گb*\xՔڨ oS^؍(F9+~]եȍ;][׶bcQJnI5^F [,46\Ϋ2|#{ H Z#hS/Wf!k}:+#`ɱmͺH(Di񍒥ѕ*ecb'ƪ'f z[J.wjX/8\+1}HK{7W rtŒhJ`X%lS(rEB\q:9(ng[S5[Ft y>CiTlv8D@A׊%,{E ] a:BJVM3ZV) CPS@zε 8ǽ : T\ޞm[6` Wq钖~5HFmGKJ,!t$r:($`ٺI V?ȥ ifY&ļ_yyX;}T/h qy? >26^ kd8!%1@$b}B76: ] xK;T @nNpӄ6E$ $axʥO˥7_@ҏ_@>LV +,A4mUM'$g=#PPNƠDyd'`yL "bACćx"KԽos* \%q q*=9__Ezۇ1\Bh~|'{TNk[CWرE0 T5׈@/̰O)Sg}\c~7K:ZP:Id("!ڋ^\:5!Ԗ%E1CnԎQ&Zq7\iUDw+v0*)s,8qJ@1sGS-bQxQ tU@ס>$KkÊԄb=ں JcXê˹^o}3t k$!A/[s] zdI.;E@נKj0:/b:RGgK;МHjgqK;pB:!vE/g2X&Rҍ2BXפ{ܣ|V=/Ey6:@i[~o p7:gP$RFmR`{}.V+.vU +C_<{X6z @*>|ER㤏!!oz]CfԀtEdЂeKL~i!&BFH0Ƒ%ǝ`TZ{H-zLN|+,,7zݯ#/(Eα 8y\D vov:B^ġ,"aXWY p(7<8ej&ZRp1(yҦ#j^?yCIa%Ylj2u@z]k.gqxp?֮Uc!qj䪘oTO0x~6'zdV ˗B))/3A咎 i!t6vQ.>C;Tv#Sh㩏|bL ߫ a*wܮ"]=вCQOhoNrЕXLF,?deu",NpCBA~bُߎ%86L iw11C/'oVR| zVnRG7BK)mHS/+ue3z覷IMC6pYrY>W.%}dWZA͘'b|JsZ$F[ߥNx T8<ŞK?H"ktKw41J8_uheNk%3 .M\WA|.m)XK z7KDG"H*Ǘr_pGB)| gY`\)x 7숺/\.f"p<W#}A%FgBS ō=v?sβ+q{nN'o]A!HPK!3package-spec.7.gznu[W[o6~ϯ ) !tC;#Po-QIHʉwΡ(,nQss eog|v3`skl2'/ɗϳ2~_Q$rdK.;6bs K*V|64tJh~t\ez eTa2w̥EE$fV܂].Ue%g,[Ik8F"C80#9 ggD¬6m YL6dN2mXC-kS|R`'4 XOdȈZﲟ+=Ytʱlf0lJ`:'#>l݂9[*vP/fP*X~5[CJN/647̈" AarMǪnp{R.E'dDHh1dņaե @!hJ5yk LuFlI&Gg"Vq'tb c6(0&Xc-m/v vs<0SX4N;~?}q,$uv7/^ sraT~9<4Mg&J8Nl}bE꘾ۗPGH-i3_H8QKHa.F^=0%dϧ 
[+,$i7JJ%\$\/"Ch-<*L;g1WS*《2 z4g#,Q)\nOOd"z ~!xU=~ 9g ?|rM |-@)4>@B""I$jco3ө P ON'K+~_0O"oqQzVkt -l z%"'BUr+@tų\NZ`9f>@wظrP08UVΝnӉ*ř)2F$&$"W_ 9׆] Uu獟{SUi PK!.alt-nodejs20.7.gznu[Un8}WL&]@(ӨHlr[@/45P@Rz~-^8M_ I䜙s8)zp;t҇Ú;XF=@lODŽ%{z'=>7p=rڔknnR(4.}whKCȥ$㘝C+h2^X4Ӝ%bE|Ũf1vlN',)䥀Z%:З䧃VqO5P+cm PR_Ο!1x{.HzCs^+uʀmLkǫԲX}7!GplYLu(`T$.Ayl[%EdغeDԱJ*tk踖K+̀-H弱@ *PJZ"ę}=sFp\ T ]YflkQHwd YQdg|c$i%v)AE;#L/t53X.9wP/uL]5>GNyMd[E;џM9!~7wؓzq6W5P2.?kϣK{'t ݂VPK!ER ea-php81.7.gznu[PK!((  des_modes.7nu[PK!t.. 2ea-php72.7.gznu[PK!k*-- A7ea-php74.7.gznu[PK!J-- ;ea-php71.7.gznu[PK!٫''@npm-config.7.gznu[PK!vsZ Z gnpm-developers.7.gznu[PK!h0suremoving-npm.7.gznu[PK!Z ysemver.7.gznu[PK! vnpm-registry.7.gznu[PK!$Bnpm-scripts.7.gznu[PK!V.B76alt-nodejs11.7.gznu[PK!Fnpm-scope.7.gznu[PK!RCd d 8npm-coding-style.7.gznu[PK!Mrt t npm-disputes.7.gznu[PK!{KO+llnpm-index.7.gznu[PK!kr @npm-orgs.7.gznu[PK!N-- dea-php73.7.gznu[PK!~$-- ea-php70.7.gznu[PK!hI.~~8ssl.7nu[PK!ԬA{{crypto.7nu[PK!  Ed25519.7nu[PK!sbio.7nu[PK!Z ossl_store.7nu[PK!7 yCyCproxy-certificates.7nu[PK!GCCVX25519.7nu[PK!u|j  ox509.7nu[PK!pVDVD TRAND_DRBG.7nu[PK!%CBct.7nu[PK!"^**!ossl_store-file.7nu[PK! \ \ scrypt.7nu[PK!g+Ko%o% evp.7nu[PK!DRAND.7nu[PK!ed@.@.bpassphrase-encoding.7nu[PK!5*ww@SM2.7nu[PK!E5B-- RSA-PSS.7nu[PK!OO REd25519.htmlnu[PK!^s92>2>RAND_DRBG.htmlnu[PK!99Mevp.htmlnu[PK!Wk] ] 2crypto.htmlnu[PK!yv   V>X25519.htmlnu[PK!PGeeLSM2.htmlnu[PK!MˤN\des_modes.htmlnu[PK!B4Vtt 0|scrypt.htmlnu[PK!Ђnnߑbio.htmlnu[PK! Z x509.htmlnu[PK! g~ssl.htmlnu[PK!.Eռ;; AzRAND.htmlnu[PK!8} ossl_store-file.htmlnu[PK!4Gossl_store.htmlnu[PK!Uk(  RSA-PSS.htmlnu[PK!z̶88proxy-certificates.htmlnu[PK! '6#6#passphrase-encoding.htmlnu[PK!J䖵 nct.htmlnu[PK!  ZEd25519.7sslnu[PK!GCC O;X25519.7sslnu[PK!7 yCyCTproxy-certificates.7sslnu[PK!ԬA{{ crypto.7sslnu[PK!hI.~~Cssl.7sslnu[PK!g+Ko%o%zevp.7sslnu[PK!Zossl_store.7sslnu[PK!pVDVDRAND_DRBG.7sslnu[PK!5*ww(SM2.7sslnu[PK!ed@.@.passphrase-encoding.7sslnu[PK!"^**_Jossl_store-file.7sslnu[PK!%CBcct.7sslnu[PK!  
zRAND.7sslnu[PK!E5B-- RSA-PSS.7sslnu[PK!u|j   ox509.7sslnu[PK! \ \ scrypt.7sslnu[PK!$))_des_modes.7sslnu[PK!sy bio.7sslnu[PK!/f 1 kerberos.7nu[PK!ӌ$N alt-nodejs6.7.gznu[PK!t-R alt-nodejs9.7.gznu[PK!mD KV scope.7.gznu[PK!up d^ removal.7.gznu[PK!Jrr 5b registry.7.gznu[PK!Όa h orgs.7.gznu[PK!,N N l disputes.7.gznu[PK!@ x alt-nodejs8.7.gznu[PK!ӵFF E| scripts.7.gznu[PK!离% % ǎ developers.7.gznu[PK! 77 + config.7.gznu[PK!Ы߅B alt-nodejs14.7.gznu[PK! 8  x509.7ssl.gznu[PK!*JFٚ  X25519.7ssl.gznu[PK!s  EVP_KDF_TLS1_PRF.7ssl.gznu[PK![Z  EVP_KDF_SCRYPT.7ssl.gznu[PK!Fy N ct.7ssl.gznu[PK!u|N m scrypt.7ssl.gznu[PK!= @" ossl_store.7ssl.gznu[PK!$§. EVP_KDF_HKDF.7ssl.gznu[PK!Se{= RAND_DRBG.7ssl.gznu[PK!^[/ / CU Ed25519.7ssl.gznu[PK!uua EVP_KDF_SSHKDF.7ssl.gznu[PK!bņ lp SM2.7ssl.gznu[PK!yCi i -| RSA-PSS.7ssl.gznu[PK!F౗ Ն crypto.7ssl.gznu[PK!|A  bio.7ssl.gznu[PK!h윤%% ߝ ssl.7ssl.gznu[PK!-LM M  ossl_store-file.7ssl.gznu[PK!, R EVP_KDF_PBKDF2.7ssl.gznu[PK!0?] passphrase-encoding.7ssl.gznu[PK!Bk y evp.7ssl.gznu[PK!> H RAND.7ssl.gznu[PK!Q des_modes.7ssl.gznu[PK!; l ea-ruby27.7.gznu[PK!C! dependency-selectors.7.gznu[PK!@Uz 2 logging.7.gznu[PK!Jt9 alt-nodejs22.7.gznu[PK!P= workspaces.7.gznu[PK!3F package-spec.7.gznu[PK!.9L alt-nodejs20.7.gznu[PKrr"O