author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:51:52 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-06-17 10:51:52 +0000
commit: 4ad94864781f48b1a4b77f9cfb934622bf756ba1
tree: 3900955c1886e6d2570fea7125ee1f01bafe876d /upstream/debian-unstable/man7/provider-base.7ssl
parent: Adding upstream version 4.22.0.
Adding upstream version 4.23.0.
ref: upstream/4.23.0
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'upstream/debian-unstable/man7/provider-base.7ssl')
 upstream/debian-unstable/man7/provider-base.7ssl | 118 ++-
 1 files changed, 114 insertions, 4 deletions
diff --git a/upstream/debian-unstable/man7/provider-base.7ssl b/upstream/debian-unstable/man7/provider-base.7ssl
index 004c5a95..565f6ce7 100644
--- a/upstream/debian-unstable/man7/provider-base.7ssl
+++ b/upstream/debian-unstable/man7/provider-base.7ssl
@@ -55,7 +55,7 @@
.\" ========================================================================
.\"
.IX Title "PROVIDER-BASE 7SSL"
-.TH PROVIDER-BASE 7SSL 2024-02-03 3.1.5 OpenSSL
+.TH PROVIDER-BASE 7SSL 2024-04-04 3.2.2-dev OpenSSL
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
@@ -659,6 +659,116 @@ versions supported by the group. The values equate to the on-the-wire encoding
of the various TLS versions. For example TLSv1.3 is 0x0304 (772 decimal), and
TLSv1.2 is 0x0303 (771 decimal). A 0 indicates that there is no defined minimum
or maximum. A \-1 indicates that the group should not be used in that protocol.
+.PP
+\fI"TLS-SIGALG" Capability\fR
+.IX Subsection """TLS-SIGALG"" Capability"
+.PP
+The "TLS-SIGALG" capability can be queried by libssl to discover the list of
+TLS signature algorithms that a provider can support. Each signature supported
+can be used for client\- or server-authentication in addition to the built-in
+signature algorithms.
+TLS1.3 clients can advertise the list of TLS signature algorithms they support
+in the signature_algorithms extension, and TLS servers can select an algorithm
+from the offered list that they also support. In this way a provider can add
+to the list of signature algorithms that libssl already supports with
+additional ones.
+.PP
+Each TLS signature algorithm that a provider supports should be described via
+the callback passed in through the provider_get_capabilities function. Each
+algorithm can have the following details supplied:
+.IP """iana-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_IANA_NAME\fR) <UTF8 string>" 4
+.IX Item """iana-name"" (OSSL_CAPABILITY_TLS_SIGALG_IANA_NAME) <UTF8 string>"
+The name of the signature algorithm as given in the IANA TLS Signature Scheme
+registry as "Description":
+<https://www.iana.org/assignments/tls\-parameters/tls\-parameters.xhtml#tls\-signaturescheme>.
+This value must be supplied.
+.IP """iana-code-point"" (\fBOSSL_CAPABILITY_TLS_SIGALG_CODE_POINT\fR) <unsigned integer>" 4
+.IX Item """iana-code-point"" (OSSL_CAPABILITY_TLS_SIGALG_CODE_POINT) <unsigned integer>"
+The TLS algorithm ID value as given in the IANA TLS SignatureScheme registry.
+This value must be supplied.
+.IP """sigalg-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_NAME\fR) <UTF8 string>" 4
+.IX Item """sigalg-name"" (OSSL_CAPABILITY_TLS_SIGALG_NAME) <UTF8 string>"
+A name for the full (possibly composite hash-and-signature) signature
+algorithm.
+The provider may, but is not obligated to, provide a signature implementation
+with this name; if it doesn't, this is assumed to be a composite of a pure
+signature algorithm and a hash algorithm, which must be given with the
+parameters "sig-name" and "hash-name".
+This value must be supplied.
+.IP """sigalg-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_OID\fR) <UTF8 string>" 4
+.IX Item """sigalg-oid"" (OSSL_CAPABILITY_TLS_SIGALG_OID) <UTF8 string>"
+The OID of the "sigalg-name" algorithm in canonical numeric text form. If
+this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and
+a NID for this OID, using the "sigalg-name" parameter for its (short) name.
+Otherwise, it's assumed to already exist in the object database, possibly
+done by the provider with the \fBcore_obj_create()\fR upcall.
+This value is optional.
+.IP """sig-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_NAME\fR) <UTF8 string>" 4
+.IX Item """sig-name"" (OSSL_CAPABILITY_TLS_SIGALG_SIG_NAME) <UTF8 string>"
+The name of the pure signature algorithm that is part of a composite
+"sigalg-name". If "sigalg-name" is implemented by the provider, this
+parameter is redundant and must not be given.
+This value is optional.
+.IP """sig-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SIG_OID\fR) <UTF8 string>" 4
+.IX Item """sig-oid"" (OSSL_CAPABILITY_TLS_SIGALG_SIG_OID) <UTF8 string>"
+The OID of the "sig-name" algorithm in canonical numeric text form. If
+this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and
+a NID for this OID, using the "sig-name" parameter for its (short) name.
+Otherwise, it is assumed to already exist in the object database. This
+can be done by the provider using the \fBcore_obj_create()\fR upcall.
+This value is optional.
+.IP """hash-name"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_NAME\fR) <UTF8 string>" 4
+.IX Item """hash-name"" (OSSL_CAPABILITY_TLS_SIGALG_HASH_NAME) <UTF8 string>"
+The name of the hash algorithm that is part of a composite "sigalg-name".
+If "sigalg-name" is implemented by the provider, this parameter is redundant
+and must not be given.
+This value is optional.
+.IP """hash-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_HASH_OID\fR) <UTF8 string>" 4
+.IX Item """hash-oid"" (OSSL_CAPABILITY_TLS_SIGALG_HASH_OID) <UTF8 string>"
+The OID of the "hash-name" algorithm in canonical numeric text form. If
+this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and
+a NID for this OID, using the "hash-name" parameter for its (short) name.
+Otherwise, it's assumed to already exist in the object database, possibly
+done by the provider with the \fBcore_obj_create()\fR upcall.
+This value is optional.
+.IP """key-type"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE\fR) <UTF8 string>" 4
+.IX Item """key-type"" (OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE) <UTF8 string>"
+The key type of the public key of applicable certificates. If this parameter
+isn't present, it's assumed to be the same as "sig-name" if that's present,
+otherwise "sigalg-name".
+This value is optional.
+.IP """key-type-oid"" (\fBOSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID\fR) <UTF8 string>" 4
+.IX Item """key-type-oid"" (OSSL_CAPABILITY_TLS_SIGALG_KEYTYPE_OID) <UTF8 string>"
+The OID of the "key-type" in canonical numeric text form. If
+this parameter is given, \fBOBJ_create()\fR will be used to create an OBJ and
+a NID for this OID, using the "key-type" parameter for its (short) name.
+Otherwise, it's assumed to already exist in the object database, possibly
+done by the provider with the \fBcore_obj_create()\fR upcall.
+This value is optional.
+.IP """sec-bits"" (\fBOSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS\fR) <unsigned integer>" 4
+.IX Item """sec-bits"" (OSSL_CAPABILITY_TLS_SIGALG_SECURITY_BITS) <unsigned integer>"
+The number of bits of security offered by keys of this algorithm. The number
+of bits should be comparable with the ones given in table 2 and 3 of the NIST
+SP800\-57 document. This number is used to determine the security strength of
+the algorithm if no digest algorithm has been registered that otherwise
+defines the security strength. If the signature algorithm implements its own
+digest internally, this value needs to be set to properly reflect the overall
+security strength.
+This value must be supplied.
+.IP """tls-min-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MIN_TLS\fR) <integer>" 4
+.IX Item """tls-min-tls"" (OSSL_CAPABILITY_TLS_SIGALG_MIN_TLS) <integer>"
+.PD 0
+.IP """tls-max-tls"" (\fBOSSL_CAPABILITY_TLS_SIGALG_MAX_TLS\fR) <integer>" 4
+.IX Item """tls-max-tls"" (OSSL_CAPABILITY_TLS_SIGALG_MAX_TLS) <integer>"
+.PD
+These parameters can be used to describe the minimum and maximum TLS
+versions supported by the signature algorithm. The values equate to the
+on-the-wire encoding of the various TLS versions. For example TLSv1.3 is
+0x0304 (772 decimal), and TLSv1.2 is 0x0303 (771 decimal). A 0 indicates that
+there is no defined minimum or maximum. A \-1 indicates that the signature
+algorithm should not be used in that protocol.
+Presently values representing anything other than TLS1.3 mean that the
+complete algorithm is ignored.
.SH NOTES
.IX Header "NOTES"
The \fBcore_obj_create()\fR and \fBcore_obj_add_sigid()\fR functions were not thread safe
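Review bot: the "sig-name" and "hash-name" items state that the parameter "is redundant and must not be given" when "sigalg-name" is implemented by the provider, but the new section never says what libssl does if a provider supplies both (reject the capability, ignore the extra parameter, or prefer one over the other); since the "key-type" default is derived from "sig-name" when present, the resolution order matters and should be documented. Two smaller points in the same hunk: the "sec-bits" item cites "table 2 and 3 of the NIST SP800-57 document" (suggest "Tables 2 and 3 of NIST SP 800-57 Part 1"), and the closing sentence "Presently values representing anything other than TLS1.3 mean that the complete algorithm is ignored" should name the parameters it refers to ("tls-min-tls"/"tls-max-tls") and use the page's usual "TLSv1.3" spelling, which the intro paragraph ("TLS1.3 clients") also departs from.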
@@ -680,7 +790,7 @@ operation \f(CW\*(C`BAR\*(C'\fR.
\&
\& static const OSSL_ITEM reasons[] = {
\& { E_MALLOC, "memory allocation failure" }.
-\& { 0, NULL } /* Termination */
+\& OSSL_DISPATCH_END
\& };
\&
\& /*
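Review bot: the array being terminated here is declared as OSSL_ITEM reasons[], not an OSSL_DISPATCH table, so replacing "{ 0, NULL } /* Termination */" with OSSL_DISPATCH_END conflates a dispatch-table terminator with the end marker of a reason-string table; even if the macro expands to the same initializer, it misleads readers copying this example, and the explicit "{ 0, NULL }" with its comment should stay for the OSSL_ITEM array. Separately, the unchanged context line "{ E_MALLOC, "memory allocation failure" }." ends in a period where a comma is required between array initializers; this is pre-existing, but the example will not compile as shown and could be fixed in the same pass.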
@@ -760,7 +870,7 @@ operation \f(CW\*(C`BAR\*(C'\fR.
\& { OSSL_FUNC_BAR_INIT, (void (*)(void))foo_init },
\& { OSSL_FUNC_BAR_UPDATE, (void (*)(void))foo_update },
\& { OSSL_FUNC_BAR_FINAL, (void (*)(void))foo_final },
-\& { 0, NULL }
+\& OSSL_DISPATCH_END
\& };
\&
\& static const OSSL_ALGORITHM bars[] = {
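Review bot: OSSL_DISPATCH_END is the right terminator in this hunk, since the array holds OSSL_FUNC_BAR_* dispatch entries, but the page does not record when the macro became available; a HISTORY entry should say so, because provider code following this example against headers that predate it must fall back to the "{ 0, NULL }" form the example used before this change.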
@@ -792,7 +902,7 @@ operation \f(CW\*(C`BAR\*(C'\fR.
\& { OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))p_teardown },
\& { OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))p_query },
\& { OSSL_FUNC_PROVIDER_GET_REASON_STRINGS, (void (*)(void))p_reasons },
-\& { 0, NULL }
+\& OSSL_DISPATCH_END
\& };
\&
\& int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,