[openssl] OpenSSL_1_1_1-stable update
matthias.st.pierre at ncp-e.com
matthias.st.pierre at ncp-e.com
Tue Oct 15 14:08:39 UTC 2019
The branch OpenSSL_1_1_1-stable has been updated
via 7bcd13cebd9ebc6cf6026fff999beb34504a8068 (commit)
via abf92a9715383656881fb37777c6507c68b18e66 (commit)
via 109a00269daf671e5652495d00a7302995029129 (commit)
via 3c682fad5f6aaaa567bd395741a7864dc4947402 (commit)
via 44301079c8ad3c150cd4d11e4781bc1b144ee9ed (commit)
via 0388d212af3e3798724cff3b2a5036f17faf41fb (commit)
via 3fb4bdabc2cb23eeff8309b5abdc61bbedbc6bea (commit)
from ac8881e160632a8de6ca123a9f85b2e6f8ae173b (commit)
- Log -----------------------------------------------------------------
commit 7bcd13cebd9ebc6cf6026fff999beb34504a8068
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jun 6 12:14:59 2019 +0100
Fix an incorrect macro
A macro was missing a space which was confusing find-doc-nits
Reviewed-by: Richard Levitte <levitte at openssl.org>
(cherry picked from commit 8caab503ba004abb555d636c1ca9f7bcde79657f)
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10094)
commit abf92a9715383656881fb37777c6507c68b18e66
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jun 6 12:14:28 2019 +0100
i2d_PublicKey was listed in 2 different man pages
find-doc-nits complains if a symbol is documented in more than one
location.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(cherry picked from commit 4ff4e53f816855b07fc02dc931dd57b2ae324aa1)
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10094)
commit 109a00269daf671e5652495d00a7302995029129
Author: Pauli <paul.dale at oracle.com>
Date: Sat Mar 30 11:22:51 2019 +1000
issue-8493: Fix for filenames with newlines using openssl dgst
The output format now matches coreutils *dgst tools.
[ edited to remove trailing white space ]
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(cherry picked from commit f3448f5481a8d1f6fbf5fd05caaca229af0b87f7)
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10094)
commit 3c682fad5f6aaaa567bd395741a7864dc4947402
Author: Pauli <paul.dale at oracle.com>
Date: Tue Mar 19 11:22:32 2019 +1000
Add documentation for the -sigopt option.
Reviewed-by: Paul Yang <yang.yang at baishancloud.com>
(cherry picked from commit d7b2124a428f9e00ed7647554b5be7153aac71f6)
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10094)
commit 44301079c8ad3c150cd4d11e4781bc1b144ee9ed
Author: David Benjamin <davidben at google.com>
Date: Fri Jan 25 13:56:45 2019 -0600
Document and add macros for additional DSA options
EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS and EVP_PKEY_CTRL_DSA_PARAMGEN_MD are only
exposed from EVP_PKEY_CTX_ctrl, which means callers must write more error-prone
code (see also issue #1319). Add the missing wrapper macros and document them.
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit a97faad76a1be22eadd6c1a39972ad5e095d9e80)
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10094)
commit 0388d212af3e3798724cff3b2a5036f17faf41fb
Author: Antoine Salon <asalon at vmware.com>
Date: Fri Dec 14 12:47:07 2018 -0800
Add missing EVP_MD documentation
Signed-off-by: Antoine Salon <asalon at vmware.com>
Reviewed-by: Paul Dale <paul.dale at oracle.com>
Reviewed-by: Matt Caswell <matt at openssl.org>
(cherry picked from commit 37842dfaebcf28b4ca452c6abd93ebde1b4aa6dc)
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10094)
commit 3fb4bdabc2cb23eeff8309b5abdc61bbedbc6bea
Author: Rich Salz <rsalz at akamai.com>
Date: Wed Oct 17 10:25:00 2018 -0400
Ignore duplicated undocumented things
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Paul Yang <yang.yang at baishancloud.com>
(cherry picked from commit ee4afacd96f5bfbe7662c8f0ec4464c6eee4c450)
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre at ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/10094)
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 5 +++
apps/dgst.c | 48 ++++++++++++++++++++++-
crypto/dsa/dsa_pmeth.c | 8 +---
doc/man1/ca.pod | 6 +++
doc/man1/dgst.pod | 4 +-
doc/man1/req.pod | 8 +++-
doc/man1/x509.pod | 6 +++
doc/man3/EVP_DigestInit.pod | 88 +++++++++++++++++++++++++++++++++++-------
doc/man3/EVP_MD_meth_new.pod | 21 +++++++---
doc/man3/EVP_PKEY_CTX_ctrl.pod | 16 +++++++-
doc/man3/d2i_X509.pod | 1 -
include/openssl/dsa.h | 6 +++
include/openssl/ocsp.h | 2 +-
test/README | 2 +-
util/find-doc-nits | 10 +++--
util/private.num | 2 +
16 files changed, 199 insertions(+), 34 deletions(-)
diff --git a/CHANGES b/CHANGES
index a10d679ddb..c64247dc91 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,11 @@
Changes between 1.1.1d and 1.1.1e [xx XXX xxxx]
+ *) Added newline escaping functionality to a filename when using openssl dgst.
+ This output format is to replicate the output format found in the '*sum'
+ checksum programs. This aims to preserve backward compatibility.
+ [Matt Eaton, Richard Levitte, and Paul Dale]
+
*) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
the first value.
[Jon Spillett]
diff --git a/apps/dgst.c b/apps/dgst.c
index d6f5a0e2e7..9223133eb2 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -413,13 +413,52 @@ int dgst_main(int argc, char **argv)
return ret;
}
+/*
+ * The newline_escape_filename function performs newline escaping for any
+ * filename that contains a newline. This function also takes a pointer
+ * to backslash. The backslash pointer is a flag to indicating whether a newline
+ * is present in the filename. If a newline is present, the backslash flag is
+ * set and the output format will contain a backslash at the beginning of the
+ * digest output. This output format is to replicate the output format found
+ * in the '*sum' checksum programs. This aims to preserve backward
+ * compatibility.
+ */
+static const char *newline_escape_filename(const char *file, int * backslash)
+{
+ size_t i, e = 0, length = strlen(file), newline_count = 0, mem_len = 0;
+ char *file_cpy = NULL;
+
+ for (i = 0; i < length; i++)
+ if (file[i] == '\n')
+ newline_count++;
+
+ mem_len = length + newline_count + 1;
+ file_cpy = app_malloc(mem_len, file);
+ i = 0;
+
+ while(e < length) {
+ const char c = file[e];
+ if (c == '\n') {
+ file_cpy[i++] = '\\';
+ file_cpy[i++] = 'n';
+ *backslash = 1;
+ } else {
+ file_cpy[i++] = c;
+ }
+ e++;
+ }
+ file_cpy[i] = '\0';
+ return (const char*)file_cpy;
+}
+
+
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file)
{
size_t len;
- int i;
+ int i, backslash = 0;
while (BIO_pending(bp) || !BIO_eof(bp)) {
i = BIO_read(bp, (char *)buf, BUFSIZE);
@@ -467,9 +506,16 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
if (binout) {
BIO_write(out, buf, len);
} else if (sep == 2) {
+ file = newline_escape_filename(file, &backslash);
+
+ if (backslash == 1)
+ BIO_puts(out, "\\");
+
for (i = 0; i < (int)len; i++)
BIO_printf(out, "%02x", buf[i]);
+
BIO_printf(out, " *%s\n", file);
+ OPENSSL_free((char *)file);
} else {
if (sig_name != NULL) {
BIO_puts(out, sig_name);
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index 80e5735d83..4ca3747a46 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -178,9 +178,7 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx,
}
if (strcmp(type, "dsa_paramgen_q_bits") == 0) {
int qbits = atoi(value);
- return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN,
- EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits,
- NULL);
+ return EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, qbits);
}
if (strcmp(type, "dsa_paramgen_md") == 0) {
const EVP_MD *md = EVP_get_digestbyname(value);
@@ -189,9 +187,7 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx,
DSAerr(DSA_F_PKEY_DSA_CTRL_STR, DSA_R_INVALID_DIGEST_TYPE);
return 0;
}
- return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN,
- EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0,
- (void *)md);
+ return EVP_PKEY_CTX_set_dsa_paramgen_md(ctx, md);
}
return -2;
}
diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod
index 7385a00941..27bb31493a 100644
--- a/doc/man1/ca.pod
+++ b/doc/man1/ca.pod
@@ -51,6 +51,7 @@ B<openssl> B<ca>
[B<-engine id>]
[B<-subj arg>]
[B<-utf8>]
+[B<-sigopt nm:v>]
[B<-create_serial>]
[B<-rand_serial>]
[B<-multivalue-rdn>]
@@ -134,6 +135,11 @@ The private key to sign requests with.
The format of the data in the private key file.
The default is PEM.
+=item B<-sigopt nm:v>
+
+Pass options to the signature algorithm during sign or verify operations.
+Names and values of these options are algorithm-specific.
+
=item B<-key password>
The password used to encrypt the private key. Since on some
diff --git a/doc/man1/dgst.pod b/doc/man1/dgst.pod
index 66a6697eb1..6d48523c99 100644
--- a/doc/man1/dgst.pod
+++ b/doc/man1/dgst.pod
@@ -22,6 +22,7 @@ B<openssl dgst>
[B<-verify filename>]
[B<-prverify filename>]
[B<-signature filename>]
+[B<-sigopt nm:v>]
[B<-hmac key>]
[B<-fips-fingerprint>]
[B<-rand file...>]
@@ -78,7 +79,8 @@ Output the digest or signature in binary form.
=item B<-r>
-Output the digest in the "coreutils" format used by programs like B<sha1sum>.
+Output the digest in the "coreutils" format, including newlines.
+Used by programs like B<sha1sum>.
=item B<-out filename>
diff --git a/doc/man1/req.pod b/doc/man1/req.pod
index a9b5b1690a..730c59079d 100644
--- a/doc/man1/req.pod
+++ b/doc/man1/req.pod
@@ -46,6 +46,7 @@ B<openssl> B<req>
[B<-reqopt>]
[B<-subject>]
[B<-subj arg>]
+[B<-sigopt nm:v>]
[B<-batch>]
[B<-verbose>]
[B<-engine id>]
@@ -82,6 +83,11 @@ This specifies the input filename to read a request from or standard input
if this option is not specified. A request is only read if the creation
options (B<-new> and B<-newkey>) are not specified.
+=item B<-sigopt nm:v>
+
+Pass options to the signature algorithm during sign or verify operations.
+Names and values of these options are algorithm-specific.
+
=item B<-passin arg>
The input file password source. For more information about the format of B<arg>
@@ -689,7 +695,7 @@ L<x509v3_config(5)>
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod
index 7878753414..503d5e9fd4 100644
--- a/doc/man1/x509.pod
+++ b/doc/man1/x509.pod
@@ -61,6 +61,7 @@ B<openssl> B<x509>
[B<-clrext>]
[B<-extfile filename>]
[B<-extensions section>]
+[B<-sigopt nm:v>]
[B<-rand file...>]
[B<-writerand file>]
[B<-engine id>]
@@ -366,6 +367,11 @@ If the input is a certificate request then a self signed certificate
is created using the supplied private key using the subject name in
the request.
+=item B<-sigopt nm:v>
+
+Pass options to the signature algorithm during sign or verify operations.
+Names and values of these options are algorithm-specific.
+
=item B<-passin arg>
The key password source. For more information about the format of B<arg>
diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod
index d5cbee45ca..434e22030f 100644
--- a/doc/man3/EVP_DigestInit.pod
+++ b/doc/man3/EVP_DigestInit.pod
@@ -2,17 +2,17 @@
=head1 NAME
-EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy_ex,
-EVP_MD_CTX_ctrl, EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags,
-EVP_MD_CTX_test_flags, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate,
+EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy,
+EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl, EVP_MD_CTX_set_flags,
+EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags,
+EVP_Digest, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate,
EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal,
-EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
-EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size,
-EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_MD_CTX_md_data,
+EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_flags,
+EVP_MD_CTX_md, EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size,
+EVP_MD_CTX_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn,
EVP_md_null,
-EVP_get_digestbyname, EVP_get_digestbynid,
-EVP_get_digestbyobj,
-EVP_MD_CTX_set_pkey_ctx - EVP digest routines
+EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj,
+EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_set_pkey_ctx - EVP digest routines
=head1 SYNOPSIS
@@ -26,6 +26,8 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines
void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags);
int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags);
+ int EVP_Digest(const void *data, size_t count, unsigned char *md,
+ unsigned int *size, const EVP_MD *type, ENGINE *impl);
int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl);
int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s);
@@ -42,12 +44,18 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines
int EVP_MD_pkey_type(const EVP_MD *md);
int EVP_MD_size(const EVP_MD *md);
int EVP_MD_block_size(const EVP_MD *md);
+ unsigned long EVP_MD_flags(const EVP_MD *md);
const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
int EVP_MD_CTX_size(const EVP_MD_CTX *ctx);
int EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx);
int EVP_MD_CTX_type(const EVP_MD_CTX *ctx);
void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx);
+ int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx,
+ const void *data, size_t count);
+ void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx,
+ int (*update)(EVP_MD_CTX *ctx,
+ const void *data, size_t count));
const EVP_MD *EVP_md_null(void);
@@ -55,6 +63,7 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines
const EVP_MD *EVP_get_digestbynid(int type);
const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *o);
+ EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx);
void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx);
=head1 DESCRIPTION
@@ -79,12 +88,24 @@ Cleans up digest context B<ctx> and frees up the space allocated to it.
=item EVP_MD_CTX_ctrl()
-Performs digest-specific control actions on context B<ctx>.
+Performs digest-specific control actions on context B<ctx>. The control command
+is indicated in B<cmd> and any additional arguments in B<p1> and B<p2>.
+EVP_MD_CTX_ctrl() must be called after EVP_DigestInit_ex(). Other restrictions
+may apply depending on the control type and digest implementation.
+See L</CONTROLS> below for more information.
=item EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags()
Sets, clears and tests B<ctx> flags. See L</FLAGS> below for more information.
+=item EVP_Digest()
+
+A wrapper around the Digest Init_ex, Update and Final_ex functions.
+Hashes B<count> bytes of data at B<data> using a digest B<type> from ENGINE
+B<impl>. The digest value is placed in B<md> and its length is written at B<size>
+if the pointer is not NULL. At most B<EVP_MAX_MD_SIZE> bytes will be written.
+If B<impl> is NULL the default implementation of digest B<type> is used.
+
=item EVP_DigestInit_ex()
Sets up digest context B<ctx> to use a digest B<type> from ENGINE B<impl>.
@@ -163,6 +184,21 @@ EVP_MD_meth_set_app_datasize().
Returns the B<EVP_MD> structure corresponding to the passed B<EVP_MD_CTX>.
+=item EVP_MD_CTX_set_update_fn()
+
+Sets the update function for B<ctx> to B<update>.
+This is the function that is called by EVP_DigestUpdate. If not set, the
+update function from the B<EVP_MD> type specified at initialization is used.
+
+=item EVP_MD_CTX_update_fn()
+
+Returns the update function for B<ctx>.
+
+=item EVP_MD_flags()
+
+Returns the B<md> flags. Note that these are different from the B<EVP_MD_CTX>
+ones. See L<EVP_MD_meth_set_flags(3)> for more information.
+
=item EVP_MD_pkey_type()
Returns the NID of the public key signing algorithm associated with this
@@ -182,10 +218,15 @@ EVP_get_digestbyobj()
Returns an B<EVP_MD> structure when passed a digest name, a digest B<NID> or an
B<ASN1_OBJECT> structure respectively.
+=item EVP_MD_CTX_pkey_ctx()
+
+Returns the B<EVP_PKEY_CTX> assigned to B<ctx>. The returned pointer should not
+be freed by the caller.
+
=item EVP_MD_CTX_set_pkey_ctx()
Assigns an B<EVP_PKEY_CTX> to B<EVP_MD_CTX>. This is usually used to provide
-a customzied B<EVP_PKEY_CTX> to L<EVP_DigestSignInit(3)> or
+a customized B<EVP_PKEY_CTX> to L<EVP_DigestSignInit(3)> or
L<EVP_DigestVerifyInit(3)>. The B<pctx> passed to this function should be freed
by the caller. A NULL B<pctx> pointer is also allowed to clear the B<EVP_PKEY_CTX>
assigned to B<ctx>. In such case, freeing the cleared B<EVP_PKEY_CTX> or not
@@ -193,6 +234,27 @@ depends on how the B<EVP_PKEY_CTX> is created.
=back
+=head1 CONTROLS
+
+EVP_MD_CTX_ctrl() can be used to send the following standard controls:
+
+=over 4
+
+=item EVP_MD_CTRL_MICALG
+
+Gets the digest Message Integrity Check algorithm string. This is used when
+creating S/MIME multipart/signed messages, as specified in RFC 3851.
+The string value is written to B<p2>.
+
+=item EVP_MD_CTRL_XOF_LEN
+
+This control sets the digest length for extendable output functions to B<p1>.
+Sending this control directly should not be necessary, the use of
+C<EVP_DigestFinalXOF()> is preferred.
+Currently used by SHAKE.
+
+=back
+
=head1 FLAGS
EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags() and EVP_MD_CTX_test_flags()
@@ -245,8 +307,7 @@ Returns 1 if successful or 0 for failure.
Returns 1 if successful or 0 for failure.
=item EVP_MD_type(),
-EVP_MD_pkey_type(),
-EVP_MD_type()
+EVP_MD_pkey_type()
Returns the NID of the corresponding OBJECT IDENTIFIER or NID_undef if none
exists.
@@ -350,6 +411,7 @@ digest name passed on the command line.
=head1 SEE ALSO
+L<EVP_MD_meth_new(3)>,
L<dgst(1)>,
L<evp(7)>
diff --git a/doc/man3/EVP_MD_meth_new.pod b/doc/man3/EVP_MD_meth_new.pod
index 0265c7d504..e17a4cd519 100644
--- a/doc/man3/EVP_MD_meth_new.pod
+++ b/doc/man3/EVP_MD_meth_new.pod
@@ -84,7 +84,12 @@ together. The available flags are:
=item EVP_MD_FLAG_ONESHOT
-This digest method can only handles one block of input.
+This digest method can only handle one block of input.
+
+=item EVP_MD_FLAG_XOF
+
+This digest method is an extensible-output function (XOF) and supports
+the B<EVP_MD_CTRL_XOF_LEN> control.
=item EVP_MD_FLAG_DIGALGID_NULL
@@ -105,19 +110,24 @@ B<EVP_MD_FLAG_DIGALGID_ABSENT> as default. I<Note: if combined with
EVP_MD_FLAG_DIGALGID_NULL, the latter will be overridden.>
Currently unused.
+=item EVP_MD_FLAG_FIPS
+
+This digest method is suitable for use in FIPS mode.
+Currently unused.
+
=back
EVP_MD_meth_set_init() sets the digest init function for B<md>.
-The digest init function is called by EVP_DigestInit(),
+The digest init function is called by EVP_Digest(), EVP_DigestInit(),
EVP_DigestInit_ex(), EVP_SignInit, EVP_SignInit_ex(), EVP_VerifyInit()
and EVP_VerifyInit_ex().
EVP_MD_meth_set_update() sets the digest update function for B<md>.
-The digest update function is called by EVP_DigestUpdate(),
+The digest update function is called by EVP_Digest(), EVP_DigestUpdate() and
EVP_SignUpdate().
EVP_MD_meth_set_final() sets the digest final function for B<md>.
-The digest final function is called by EVP_DigestFinal(),
+The digest final function is called by EVP_Digest(), EVP_DigestFinal(),
EVP_DigestFinal_ex(), EVP_SignFinal() and EVP_VerifyFinal().
EVP_MD_meth_set_copy() sets the function for B<md> to do extra
@@ -138,6 +148,7 @@ This cleanup function is called by EVP_MD_CTX_reset() and
EVP_MD_CTX_free().
EVP_MD_meth_set_ctrl() sets the control function for B<md>.
+See L<EVP_MD_CTX_ctrl(3)> for the available controls.
EVP_MD_meth_get_input_blocksize(), EVP_MD_meth_get_result_size(),
EVP_MD_meth_get_app_datasize(), EVP_MD_meth_get_flags(),
@@ -169,7 +180,7 @@ The B<EVP_MD> structure was openly available in OpenSSL before version
=head1 COPYRIGHT
-Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
index 75fad0f70c..16d8462a42 100644
--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
@@ -23,6 +23,8 @@ EVP_PKEY_CTX_get_rsa_oaep_md,
EVP_PKEY_CTX_set0_rsa_oaep_label,
EVP_PKEY_CTX_get0_rsa_oaep_label,
EVP_PKEY_CTX_set_dsa_paramgen_bits,
+EVP_PKEY_CTX_set_dsa_paramgen_q_bits,
+EVP_PKEY_CTX_set_dsa_paramgen_md,
EVP_PKEY_CTX_set_dh_paramgen_prime_len,
EVP_PKEY_CTX_set_dh_paramgen_subprime_len,
EVP_PKEY_CTX_set_dh_paramgen_generator,
@@ -93,6 +95,8 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len
#include <openssl/dsa.h>
int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits);
+ int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits);
+ int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
#include <openssl/dh.h>
@@ -255,7 +259,17 @@ by the library and should not be freed by the caller.
=head2 DSA parameters
The EVP_PKEY_CTX_set_dsa_paramgen_bits() macro sets the number of bits used
-for DSA parameter generation to B<bits>. If not specified 1024 is used.
+for DSA parameter generation to B<nbits>. If not specified, 1024 is used.
+
+The EVP_PKEY_CTX_set_dsa_paramgen_q_bits() macro sets the number of bits in the
+subprime parameter B<q> for DSA parameter generation to B<qbits>. If not
+specified, 160 is used. If a digest function is specified below, this parameter
+is ignored and instead, the number of bits in B<q> matches the size of the
+digest.
+
+The EVP_PKEY_CTX_set_dsa_paramgen_md() macro sets the digest function used for
+DSA parameter generation to B<md>. If not specified, one of SHA-1, SHA-224, or
+SHA-256 is selected to match the bit length of B<q> above.
=head2 DH parameters
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index e36270f739..075f87295a 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -307,7 +307,6 @@ i2d_POLICYQUALINFO,
i2d_PROFESSION_INFO,
i2d_PROXY_CERT_INFO_EXTENSION,
i2d_PROXY_POLICY,
-i2d_PublicKey,
i2d_RSAPrivateKey,
i2d_RSAPrivateKey_bio,
i2d_RSAPrivateKey_fp,
diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h
index 822eff347a..6d8a18a4ad 100644
--- a/include/openssl/dsa.h
+++ b/include/openssl/dsa.h
@@ -162,6 +162,12 @@ DH *DSA_dup_DH(const DSA *r);
# define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \
EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL)
+# define EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, qbits) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
+ EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits, NULL)
+# define EVP_PKEY_CTX_set_dsa_paramgen_md(ctx, md) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \
+ EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, (void *)(md))
# define EVP_PKEY_CTRL_DSA_PARAMGEN_BITS (EVP_PKEY_ALG_CTRL + 1)
# define EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS (EVP_PKEY_ALG_CTRL + 2)
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index 8582fe1ee1..4d759a49de 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -123,7 +123,7 @@ typedef struct ocsp_service_locator_st OCSP_SERVICELOC;
(char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST, \
bp,(char **)(x),cb,NULL)
-# define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\
+# define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) (OCSP_RESPONSE *)PEM_ASN1_read_bio(\
(char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE, \
bp,(char **)(x),cb,NULL)
diff --git a/test/README b/test/README
index 37722e79f3..ebe7784605 100644
--- a/test/README
+++ b/test/README
@@ -114,7 +114,7 @@ Generic form of C test executables
int observed;
observed = function(); /* Call the code under test */
- if (!TEST_int_equal(observed, 2)) /* Check the result is correct */
+ if (!TEST_int_eq(observed, 2)) /* Check the result is correct */
goto end; /* Exit on failure - optional */
testresult = 1; /* Mark the test case a success */
diff --git a/util/find-doc-nits b/util/find-doc-nits
index 699887a267..f2fd85ce8e 100755
--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@@ -35,7 +35,7 @@ Find small errors (nits) in documentation. Options:
-l Print bogus links
-n Print nits in POD pages
-p Warn if non-public name documented (implies -n)
- -u List undocumented functions
+ -u Count undocumented functions
-h Print this help message
-c List undocumented commands and options
EOF
@@ -294,6 +294,7 @@ my %docced;
sub checkmacros()
{
my $count = 0;
+ my %seen;
print "# Checking macros (approximate)\n";
foreach my $f ( glob('include/openssl/*.h') ) {
@@ -305,7 +306,7 @@ sub checkmacros()
while ( <IN> ) {
next unless /^#\s*define\s*(\S+)\(/;
my $macro = $1;
- next if $docced{$macro};
+ next if $docced{$macro} || defined $seen{$macro};
next if $macro =~ /i2d_/
|| $macro =~ /d2i_/
|| $macro =~ /DEPRECATEDIN/
@@ -313,6 +314,7 @@ sub checkmacros()
|| $macro =~ /DECLARE_/;
print "$f:$macro\n" if $opt_d;
$count++;
+ $seen{$macro} = 1;
}
close(IN);
}
@@ -324,15 +326,17 @@ sub printem()
my $libname = shift;
my $numfile = shift;
my $count = 0;
+ my %seen;
foreach my $func ( &parsenum($numfile) ) {
- next if $docced{$func};
+ next if $docced{$func} || defined $seen{$func};
# Skip ASN1 utilities
next if $func =~ /^ASN1_/;
print "$libname:$func\n" if $opt_d;
$count++;
+ $seen{$func} = 1;
}
print "# Found $count missing from $numfile\n\n";
}
diff --git a/util/private.num b/util/private.num
index a6ef44e4a6..ecf00bb3fe 100644
--- a/util/private.num
+++ b/util/private.num
@@ -228,6 +228,8 @@ EVP_PKEY_CTX_set_dh_pad define
EVP_PKEY_CTX_set_dh_rfc5114 define
EVP_PKEY_CTX_set_dhx_rfc5114 define
EVP_PKEY_CTX_set_dsa_paramgen_bits define
+EVP_PKEY_CTX_set_dsa_paramgen_q_bits define
+EVP_PKEY_CTX_set_dsa_paramgen_md define
EVP_PKEY_CTX_set_ec_param_enc define
EVP_PKEY_CTX_set_ec_paramgen_curve_nid define
EVP_PKEY_CTX_set_ecdh_cofactor_mode define
More information about the openssl-commits
mailing list