aboutsummaryrefslogtreecommitdiff
path: root/openssl/doc/ssl
diff options
context:
space:
mode:
authormarha <marha@users.sourceforge.net>2010-03-29 17:08:02 +0000
committermarha <marha@users.sourceforge.net>2010-03-29 17:08:02 +0000
commit15272ab4ed1e6250412fccd48200ed9eae59608f (patch)
treea5996ea67966a778a16565f19dfc2e7c7f49b376 /openssl/doc/ssl
parent3827301b2ea5a45ac009c3bf9f08586ff40b8506 (diff)
downloadvcxsrv-15272ab4ed1e6250412fccd48200ed9eae59608f.tar.gz
vcxsrv-15272ab4ed1e6250412fccd48200ed9eae59608f.tar.bz2
vcxsrv-15272ab4ed1e6250412fccd48200ed9eae59608f.zip
Updated to openssl 1.0.0
Diffstat (limited to 'openssl/doc/ssl')
-rw-r--r--openssl/doc/ssl/SSL_CIPHER_get_name.pod2
-rw-r--r--openssl/doc/ssl/SSL_CTX_new.pod2
-rw-r--r--openssl/doc/ssl/SSL_CTX_set_mode.pod10
-rw-r--r--openssl/doc/ssl/SSL_CTX_set_options.pod123
-rw-r--r--openssl/doc/ssl/SSL_CTX_set_psk_client_callback.pod81
-rw-r--r--openssl/doc/ssl/SSL_CTX_set_ssl_version.pod6
-rw-r--r--openssl/doc/ssl/SSL_CTX_use_psk_identity_hint.pod102
-rw-r--r--openssl/doc/ssl/SSL_get_psk_identity.pod63
-rw-r--r--openssl/doc/ssl/SSL_library_init.pod1
-rw-r--r--openssl/doc/ssl/ssl.pod50
10 files changed, 416 insertions, 24 deletions
diff --git a/openssl/doc/ssl/SSL_CIPHER_get_name.pod b/openssl/doc/ssl/SSL_CIPHER_get_name.pod
index f62a869a9..eb772b55d 100644
--- a/openssl/doc/ssl/SSL_CIPHER_get_name.pod
+++ b/openssl/doc/ssl/SSL_CIPHER_get_name.pod
@@ -11,7 +11,7 @@ SSL_CIPHER_get_name, SSL_CIPHER_get_bits, SSL_CIPHER_get_version, SSL_CIPHER_des
const char *SSL_CIPHER_get_name(const SSL_CIPHER *cipher);
int SSL_CIPHER_get_bits(const SSL_CIPHER *cipher, int *alg_bits);
char *SSL_CIPHER_get_version(const SSL_CIPHER *cipher);
- char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int size);
+ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int size);
=head1 DESCRIPTION
diff --git a/openssl/doc/ssl/SSL_CTX_new.pod b/openssl/doc/ssl/SSL_CTX_new.pod
index 465220a75..73e8c47f9 100644
--- a/openssl/doc/ssl/SSL_CTX_new.pod
+++ b/openssl/doc/ssl/SSL_CTX_new.pod
@@ -8,7 +8,7 @@ SSL_CTX_new - create a new SSL_CTX object as framework for TLS/SSL enabled funct
#include <openssl/ssl.h>
- SSL_CTX *SSL_CTX_new(SSL_METHOD *method);
+ SSL_CTX *SSL_CTX_new(const SSL_METHOD *method);
=head1 DESCRIPTION
diff --git a/openssl/doc/ssl/SSL_CTX_set_mode.pod b/openssl/doc/ssl/SSL_CTX_set_mode.pod
index 9822544e5..8cb669dae 100644
--- a/openssl/doc/ssl/SSL_CTX_set_mode.pod
+++ b/openssl/doc/ssl/SSL_CTX_set_mode.pod
@@ -61,6 +61,16 @@ deal with read/write operations returning without success report. The
flag SSL_MODE_AUTO_RETRY will cause read/write operations to only
return after the handshake and successful completion.
+=item SSL_MODE_RELEASE_BUFFERS
+
+When we no longer need a read buffer or a write buffer for a given SSL,
+then release the memory we were using to hold it. Released memory is
+either appended to a list of unused RAM chunks on the SSL_CTX, or simply
+freed if the list of unused chunks would become longer than
+SSL_CTX->freelist_max_len, which defaults to 32. Using this flag can
+save around 34k per idle SSL connection.
+This flag has no effect on SSL v2 connections, or on DTLS connections.
+
=back
=head1 RETURN VALUES
diff --git a/openssl/doc/ssl/SSL_CTX_set_options.pod b/openssl/doc/ssl/SSL_CTX_set_options.pod
index eaed19080..310db84b3 100644
--- a/openssl/doc/ssl/SSL_CTX_set_options.pod
+++ b/openssl/doc/ssl/SSL_CTX_set_options.pod
@@ -2,7 +2,7 @@
=head1 NAME
-SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - manipulate SSL engine options
+SSL_CTX_set_options, SSL_set_options, SSL_CTX_clear_options, SSL_clear_options, SSL_CTX_get_options, SSL_get_options, SSL_get_secure_renegotiation_support - manipulate SSL options
=head1 SYNOPSIS
@@ -11,26 +11,41 @@ SSL_CTX_set_options, SSL_set_options, SSL_CTX_get_options, SSL_get_options - man
long SSL_CTX_set_options(SSL_CTX *ctx, long options);
long SSL_set_options(SSL *ssl, long options);
+ long SSL_CTX_clear_options(SSL_CTX *ctx, long options);
+ long SSL_clear_options(SSL *ssl, long options);
+
long SSL_CTX_get_options(SSL_CTX *ctx);
long SSL_get_options(SSL *ssl);
+ long SSL_get_secure_renegotiation_support(SSL *ssl);
+
=head1 DESCRIPTION
+Note: all these functions are implemented using macros.
+
SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
Options already set before are not cleared!
SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
Options already set before are not cleared!
+SSL_CTX_clear_options() clears the options set via bitmask in B<options>
+to B<ctx>.
+
+SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>.
+
SSL_CTX_get_options() returns the options set for B<ctx>.
SSL_get_options() returns the options set for B<ssl>.
+SSL_get_secure_renegotiation_support() indicates whether the peer supports
+secure renegotiation.
+
=head1 NOTES
The behaviour of the SSL library can be changed by setting several options.
The options are coded as bitmasks and can be combined by a logical B<or>
-operation (|). Options can only be added but can never be reset.
+operation (|).
SSL_CTX_set_options() and SSL_set_options() affect the (external)
protocol behaviour of the SSL library. The (internal) behaviour of
@@ -199,26 +214,117 @@ Do not use the TLSv1 protocol.
When performing renegotiation as a server, always start a new session
(i.e., session resumption requests are only accepted in the initial
-handshake). This option is not needed for clients.
+handshake). This option is not needed for clients.
=item SSL_OP_NO_TICKET
Normally clients and servers will, where possible, transparently make use
-of RFC4507bis tickets for stateless session resumption if extension support
-is explicitly set when OpenSSL is compiled.
+of RFC4507bis tickets for stateless session resumption.
If this option is set this functionality is disabled and tickets will
not be used by clients or servers.
+=item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+
+Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
+servers. See the B<SECURE RENEGOTIATION> section for more details.
+
+=item SSL_OP_LEGACY_SERVER_CONNECT
+
+Allow legacy insecure renegotiation between OpenSSL and unpatched servers
+B<only>: this option is currently set by default. See the
+B<SECURE RENEGOTIATION> section for more details.
+
=back
+=head1 SECURE RENEGOTIATION
+
+OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
+described in RFC5746. This counters the prefix attack described in
+CVE-2009-3555 and elsewhere.
+
+The deprecated and highly broken SSLv2 protocol does not support
+renegotiation at all: its use is B<strongly> discouraged.
+
+This attack has far reaching consequences which application writers should be
+aware of. In the description below an implementation supporting secure
+renegotiation is referred to as I<patched>. A server not supporting secure
+renegotiation is referred to as I<unpatched>.
+
+The following sections describe the operations permitted by OpenSSL's secure
+renegotiation implementation.
+
+=head2 Patched client and server
+
+Connections and renegotiation are always permitted by OpenSSL implementations.
+
+=head2 Unpatched client and patched OpenSSL server
+
+The initial connection suceeds but client renegotiation is denied by the
+server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal
+B<handshake_failure> alert in SSL v3.0.
+
+If the patched OpenSSL server attempts to renegotiate a fatal
+B<handshake_failure> alert is sent. This is because the server code may be
+unaware of the unpatched nature of the client.
+
+If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then
+renegotiation B<always> succeeds.
+
+B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are
+unpatched) will result in the connection hanging if it receives a
+B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard
+a B<no_renegotiation> alert as fatal and respond with a fatal
+B<handshake_failure> alert. This is because the OpenSSL API currently has
+no provision to indicate to an application that a renegotiation attempt
+was refused.
+
+=head2 Patched OpenSSL client and unpatched server.
+
+If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections
+and renegotiation between patched OpenSSL clients and unpatched servers
+succeeds. If neither option is set then initial connections to unpatched
+servers will fail.
+
+The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even
+though it has security implications: otherwise it would be impossible to
+connect to unpatched servers (i.e. all of them initially) and this is clearly
+not acceptable. Renegotiation is permitted because this does not add any
+additional security issues: during an attack clients do not see any
+renegotiations anyway.
+
+As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will
+B<not> be set by default in a future version of OpenSSL.
+
+OpenSSL client applications wishing to ensure they can connect to unpatched
+servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>
+
+OpenSSL client applications that want to ensure they can B<not> connect to
+unpatched servers (and thus avoid any security issues) should always B<clear>
+B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or
+SSL_clear_options().
+
+The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that
+B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure
+renegotiation between OpenSSL clients and unpatched servers B<only>, while
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections
+and renegotiation between OpenSSL and unpatched clients or servers.
+
=head1 RETURN VALUES
SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
after adding B<options>.
+SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask
+after clearing B<options>.
+
SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
+SSL_get_secure_renegotiation_support() returns 1 is the peer supports
+secure renegotiation and 0 if it does not.
+
=head1 SEE ALSO
L<ssl(3)|ssl(3)>, L<SSL_new(3)|SSL_new(3)>, L<SSL_clear(3)|SSL_clear(3)>,
@@ -241,4 +347,11 @@ Versions up to OpenSSL 0.9.6c do not include the countermeasure that
can be disabled with this option (in OpenSSL 0.9.6d, it was always
enabled).
+SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL
+0.9.8m.
+
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT>
+and the function SSL_get_secure_renegotiation_support() were first added in
+OpenSSL 0.9.8m.
+
=cut
diff --git a/openssl/doc/ssl/SSL_CTX_set_psk_client_callback.pod b/openssl/doc/ssl/SSL_CTX_set_psk_client_callback.pod
new file mode 100644
index 000000000..573f89a92
--- /dev/null
+++ b/openssl/doc/ssl/SSL_CTX_set_psk_client_callback.pod
@@ -0,0 +1,81 @@
+=pod
+
+=begin comment
+
+Copyright 2005 Nokia. All rights reserved.
+
+The portions of the attached software ("Contribution") is developed by
+Nokia Corporation and is licensed pursuant to the OpenSSL open source
+license.
+
+The Contribution, originally written by Mika Kousa and Pasi Eronen of
+Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+support (see RFC 4279) to OpenSSL.
+
+No patent licenses or other rights except those expressly stated in
+the OpenSSL open source license shall be deemed granted or received
+expressly, by implication, estoppel, or otherwise.
+
+No assurances are provided by Nokia that the Contribution does not
+infringe the patent or other intellectual property rights of any third
+party or that the license provides you with all the necessary rights
+to make use of the Contribution.
+
+THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+OTHERWISE.
+
+=end comment
+
+=head1 NAME
+
+SSL_CTX_set_psk_client_callback, SSL_set_psk_client_callback - set PSK client callback
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx,
+ unsigned int (*callback)(SSL *ssl, const char *hint,
+ char *identity, unsigned int max_identity_len,
+ unsigned char *psk, unsigned int max_psk_len));
+ void SSL_set_psk_client_callback(SSL *ssl,
+ unsigned int (*callback)(SSL *ssl, const char *hint,
+ char *identity, unsigned int max_identity_len,
+ unsigned char *psk, unsigned int max_psk_len));
+
+
+=head1 DESCRIPTION
+
+A client application must provide a callback function which is called
+when the client is sending the ClientKeyExchange message to the server.
+
+The purpose of the callback function is to select the PSK identity and
+the pre-shared key to use during the connection setup phase.
+
+The callback is set using functions SSL_CTX_set_psk_client_callback()
+or SSL_set_psk_client_callback(). The callback function is given the
+connection in parameter B<ssl>, a B<NULL>-terminated PSK identity hint
+sent by the server in parameter B<hint>, a buffer B<identity> of
+length B<max_identity_len> bytes where the the resulting
+B<NULL>-terminated identity is to be stored, and a buffer B<psk> of
+length B<max_psk_len> bytes where the resulting pre-shared key is to
+be stored.
+
+=head1 NOTES
+
+Note that parameter B<hint> given to the callback may be B<NULL>.
+
+=head1 RETURN VALUES
+
+Return values from the client callback are interpreted as follows:
+
+On success (callback found a PSK identity and a pre-shared key to use)
+the length (> 0) of B<psk> in bytes is returned.
+
+Otherwise or on errors callback should return 0. In this case
+the connection setup fails.
+
+=cut
diff --git a/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod b/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod
index 002018096..254f2b439 100644
--- a/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod
+++ b/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod
@@ -9,9 +9,9 @@ SSL_CTX_set_ssl_version, SSL_set_ssl_method, SSL_get_ssl_method
#include <openssl/ssl.h>
- int SSL_CTX_set_ssl_version(SSL_CTX *ctx, SSL_METHOD *method);
- int SSL_set_ssl_method(SSL *s, SSL_METHOD *method);
- SSL_METHOD *SSL_get_ssl_method(SSL *ssl);
+ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *method);
+ int SSL_set_ssl_method(SSL *s, const SSL_METHOD *method);
+ const SSL_METHOD *SSL_get_ssl_method(SSL *ssl);
=head1 DESCRIPTION
diff --git a/openssl/doc/ssl/SSL_CTX_use_psk_identity_hint.pod b/openssl/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
new file mode 100644
index 000000000..b80e25be7
--- /dev/null
+++ b/openssl/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
@@ -0,0 +1,102 @@
+=pod
+
+=begin comment
+
+Copyright 2005 Nokia. All rights reserved.
+
+The portions of the attached software ("Contribution") is developed by
+Nokia Corporation and is licensed pursuant to the OpenSSL open source
+license.
+
+The Contribution, originally written by Mika Kousa and Pasi Eronen of
+Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+support (see RFC 4279) to OpenSSL.
+
+No patent licenses or other rights except those expressly stated in
+the OpenSSL open source license shall be deemed granted or received
+expressly, by implication, estoppel, or otherwise.
+
+No assurances are provided by Nokia that the Contribution does not
+infringe the patent or other intellectual property rights of any third
+party or that the license provides you with all the necessary rights
+to make use of the Contribution.
+
+THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+OTHERWISE.
+
+=end comment
+
+=head1 NAME
+
+SSL_CTX_use_psk_identity_hint, SSL_use_psk_identity_hint,
+SSL_CTX_set_psk_server_callback, SSL_set_psk_server_callback - set PSK
+identity hint to use
+
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ int SSL_CTX_use_psk_identity_hint(SSL_CTX *ctx, const char *hint);
+ int SSL_use_psk_identity_hint(SSL *ssl, const char *hint);
+
+ void SSL_CTX_set_psk_server_callback(SSL_CTX *ctx,
+ unsigned int (*callback)(SSL *ssl, const char *identity,
+ unsigned char *psk, int max_psk_len));
+ void SSL_set_psk_server_callback(SSL *ssl,
+ unsigned int (*callback)(SSL *ssl, const char *identity,
+ unsigned char *psk, int max_psk_len));
+
+
+=head1 DESCRIPTION
+
+SSL_CTX_use_psk_identity_hint() sets the given B<NULL>-terminated PSK
+identity hint B<hint> to SSL context object
+B<ctx>. SSL_use_psk_identity_hint() sets the given B<NULL>-terminated
+PSK identity hint B<hint> to SSL connection object B<ssl>. If B<hint>
+is B<NULL> the current hint from B<ctx> or B<ssl> is deleted.
+
+In the case where PSK identity hint is B<NULL>, the server
+does not send the ServerKeyExchange message to the client.
+
+A server application must provide a callback function which is called
+when the server receives the ClientKeyExchange message from the
+client. The purpose of the callback function is to validate the
+received PSK identity and to fetch the pre-shared key used during the
+connection setup phase. The callback is set using functions
+SSL_CTX_set_psk_server_callback() or
+SSL_set_psk_server_callback(). The callback function is given the
+connection in parameter B<ssl>, B<NULL>-terminated PSK identity sent
+by the client in parameter B<identity>, and a buffer B<psk> of length
+B<max_psk_len> bytes where the pre-shared key is to be stored.
+
+
+=head1 RETURN VALUES
+
+SSL_CTX_use_psk_identity_hint() and SSL_use_psk_identity_hint() return
+1 on success, 0 otherwise.
+
+Return values from the server callback are interpreted as follows:
+
+=item > 0
+
+PSK identity was found and the server callback has provided the PSK
+successfully in parameter B<psk>. Return value is the length of
+B<psk> in bytes. It is an error to return a value greater than
+B<max_psk_len>.
+
+If the PSK identity was not found but the callback instructs the
+protocol to continue anyway, the callback must provide some random
+data to B<psk> and return the length of the random data, so the
+connection will fail with decryption_error before it will be finished
+completely.
+
+=item 0
+
+PSK identity was not found. An "unknown_psk_identity" alert message
+will be sent and the connection setup fails.
+
+=cut
diff --git a/openssl/doc/ssl/SSL_get_psk_identity.pod b/openssl/doc/ssl/SSL_get_psk_identity.pod
new file mode 100644
index 000000000..fe6291649
--- /dev/null
+++ b/openssl/doc/ssl/SSL_get_psk_identity.pod
@@ -0,0 +1,63 @@
+=pod
+
+=begin comment
+
+Copyright 2005 Nokia. All rights reserved.
+
+The portions of the attached software ("Contribution") is developed by
+Nokia Corporation and is licensed pursuant to the OpenSSL open source
+license.
+
+The Contribution, originally written by Mika Kousa and Pasi Eronen of
+Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+support (see RFC 4279) to OpenSSL.
+
+No patent licenses or other rights except those expressly stated in
+the OpenSSL open source license shall be deemed granted or received
+expressly, by implication, estoppel, or otherwise.
+
+No assurances are provided by Nokia that the Contribution does not
+infringe the patent or other intellectual property rights of any third
+party or that the license provides you with all the necessary rights
+to make use of the Contribution.
+
+THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+OTHERWISE.
+
+=end comment
+
+=head1 NAME
+
+SSL_get_psk_identity, SSL_get_psk_identity_hint - get PSK client identity and hint
+
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ const char *SSL_get_psk_identity_hint(const SSL *ssl);
+ const char *SSL_get_psk_identity(const SSL *ssl);
+
+
+=head1 DESCRIPTION
+
+SSL_get_psk_identity_hint() is used to retrieve the PSK identity hint
+used during the connection setup related to SSL object
+B<ssl>. Similarly, SSL_get_psk_identity() is used to retrieve the PSK
+identity used during the connection setup.
+
+
+=head1 RETURN VALUES
+
+If non-B<NULL>, SSL_get_psk_identity_hint() returns the PSK identity
+hint and SSL_get_psk_identity() returns the PSK identity. Both are
+B<NULL>-terminated. SSL_get_psk_identity_hint() may return B<NULL> if
+no PSK identity hint was used during the connection setup.
+
+Note that the return value is valid only during the lifetime of the
+SSL object B<ssl>.
+
+=cut
diff --git a/openssl/doc/ssl/SSL_library_init.pod b/openssl/doc/ssl/SSL_library_init.pod
index ecf3c4858..eed526e47 100644
--- a/openssl/doc/ssl/SSL_library_init.pod
+++ b/openssl/doc/ssl/SSL_library_init.pod
@@ -23,6 +23,7 @@ for SSL_library_init().
=head1 NOTES
SSL_library_init() must be called before any other action takes place.
+SSL_library_init() is not reentrant.
=head1 WARNING
diff --git a/openssl/doc/ssl/ssl.pod b/openssl/doc/ssl/ssl.pod
index 266697d22..2b6004ee3 100644
--- a/openssl/doc/ssl/ssl.pod
+++ b/openssl/doc/ssl/ssl.pod
@@ -130,39 +130,39 @@ protocol methods defined in B<SSL_METHOD> structures.
=over 4
-=item SSL_METHOD *B<SSLv2_client_method>(void);
+=item const SSL_METHOD *B<SSLv2_client_method>(void);
Constructor for the SSLv2 SSL_METHOD structure for a dedicated client.
-=item SSL_METHOD *B<SSLv2_server_method>(void);
+=item const SSL_METHOD *B<SSLv2_server_method>(void);
Constructor for the SSLv2 SSL_METHOD structure for a dedicated server.
-=item SSL_METHOD *B<SSLv2_method>(void);
+=item const SSL_METHOD *B<SSLv2_method>(void);
Constructor for the SSLv2 SSL_METHOD structure for combined client and server.
-=item SSL_METHOD *B<SSLv3_client_method>(void);
+=item const SSL_METHOD *B<SSLv3_client_method>(void);
Constructor for the SSLv3 SSL_METHOD structure for a dedicated client.
-=item SSL_METHOD *B<SSLv3_server_method>(void);
+=item const SSL_METHOD *B<SSLv3_server_method>(void);
Constructor for the SSLv3 SSL_METHOD structure for a dedicated server.
-=item SSL_METHOD *B<SSLv3_method>(void);
+=item const SSL_METHOD *B<SSLv3_method>(void);
Constructor for the SSLv3 SSL_METHOD structure for combined client and server.
-=item SSL_METHOD *B<TLSv1_client_method>(void);
+=item const SSL_METHOD *B<TLSv1_client_method>(void);
Constructor for the TLSv1 SSL_METHOD structure for a dedicated client.
-=item SSL_METHOD *B<TLSv1_server_method>(void);
+=item cosnt SSL_METHOD *B<TLSv1_server_method>(void);
Constructor for the TLSv1 SSL_METHOD structure for a dedicated server.
-=item SSL_METHOD *B<TLSv1_method>(void);
+=item const SSL_METHOD *B<TLSv1_method>(void);
Constructor for the TLSv1 SSL_METHOD structure for combined client and server.
@@ -249,7 +249,7 @@ protocol context defined in the B<SSL_CTX> structure.
=item long B<SSL_CTX_need_tmp_RSA>(SSL_CTX *ctx);
-=item SSL_CTX *B<SSL_CTX_new>(SSL_METHOD *meth);
+=item SSL_CTX *B<SSL_CTX_new>(const SSL_METHOD *meth);
=item int B<SSL_CTX_remove_session>(SSL_CTX *ctx, SSL_SESSION *c);
@@ -327,7 +327,7 @@ protocol context defined in the B<SSL_CTX> structure.
=item void B<SSL_CTX_set_session_cache_mode>(SSL_CTX *ctx, int mode);
-=item int B<SSL_CTX_set_ssl_version>(SSL_CTX *ctx, SSL_METHOD *meth);
+=item int B<SSL_CTX_set_ssl_version>(SSL_CTX *ctx, const SSL_METHOD *meth);
=item void B<SSL_CTX_set_timeout>(SSL_CTX *ctx, long t);
@@ -374,6 +374,15 @@ session instead of a context.
=item int B<SSL_CTX_use_certificate_file>(SSL_CTX *ctx, char *file, int type);
+=item void B<SSL_CTX_set_psk_client_callback>(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));
+
+=item int B<SSL_CTX_use_psk_identity_hint>(SSL_CTX *ctx, const char *hint);
+
+=item void B<SSL_CTX_set_psk_server_callback>(SSL_CTX *ctx, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));
+
+
+
+
=back
=head2 DEALING WITH SESSIONS
@@ -512,7 +521,7 @@ connection defined in the B<SSL> structure.
=item int B<SSL_get_shutdown>(const SSL *ssl);
-=item SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
+=item const SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
=item int B<SSL_get_state>(const SSL *ssl);
@@ -596,7 +605,7 @@ connection defined in the B<SSL> structure.
=item void B<SSL_set_shutdown>(SSL *ssl, int mode);
-=item int B<SSL_set_ssl_method>(SSL *ssl, SSL_METHOD *meth);
+=item int B<SSL_set_ssl_method>(SSL *ssl, const SSL_METHOD *meth);
=item void B<SSL_set_time>(SSL *ssl, long t);
@@ -650,6 +659,16 @@ connection defined in the B<SSL> structure.
=item int B<SSL_write>(SSL *ssl, const void *buf, int num);
+=item void B<SSL_set_psk_client_callback>(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len));
+
+=item int B<SSL_use_psk_identity_hint>(SSL *ssl, const char *hint);
+
+=item void B<SSL_set_psk_server_callback>(SSL *ssl, unsigned int (*callback)(SSL *ssl, const char *identity, unsigned char *psk, int max_psk_len));
+
+=item const char *B<SSL_get_psk_identity_hint>(SSL *ssl);
+
+=item const char *B<SSL_get_psk_identity>(SSL *ssl);
+
=back
=head1 SEE ALSO
@@ -726,7 +745,10 @@ L<SSL_write(3)|SSL_write(3)>,
L<SSL_SESSION_free(3)|SSL_SESSION_free(3)>,
L<SSL_SESSION_get_ex_new_index(3)|SSL_SESSION_get_ex_new_index(3)>,
L<SSL_SESSION_get_time(3)|SSL_SESSION_get_time(3)>,
-L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>
+L<d2i_SSL_SESSION(3)|d2i_SSL_SESSION(3)>,
+L<SSL_CTX_set_psk_client_callback(3)|SSL_CTX_set_psk_client_callback(3)>,
+L<SSL_CTX_use_psk_identity_hint(3)|SSL_CTX_use_psk_identity_hint(3)>,
+L<SSL_get_psk_identity(3)|SSL_get_psk_identity(3)>
=head1 HISTORY