The branch OpenSSL_1_1_1-stable has been updated via 7bcd13cebd9ebc6cf6026fff999beb34504a8068 (commit) via abf92a9715383656881fb37777c6507c68b18e66 (commit) via 109a00269daf671e5652495d00a7302995029129 (commit) via 3c682fad5f6aaaa567bd395741a7864dc4947402 (commit) via 44301079c8ad3c150cd4d11e4781bc1b144ee9ed (commit) via 0388d212af3e3798724cff3b2a5036f17faf41fb (commit) via 3fb4bdabc2cb23eeff8309b5abdc61bbedbc6bea (commit) from ac8881e160632a8de6ca123a9f85b2e6f8ae173b (commit)
- Log ----------------------------------------------------------------- commit 7bcd13cebd9ebc6cf6026fff999beb34504a8068 Author: Matt Caswell <m...@openssl.org> Date: Thu Jun 6 12:14:59 2019 +0100 Fix an incorrect macro A macro was missing a space which was confusing find-doc-nits Reviewed-by: Richard Levitte <levi...@openssl.org> (cherry picked from commit 8caab503ba004abb555d636c1ca9f7bcde79657f) Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Matthias St. Pierre <matthias.st.pie...@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10094) commit abf92a9715383656881fb37777c6507c68b18e66 Author: Matt Caswell <m...@openssl.org> Date: Thu Jun 6 12:14:28 2019 +0100 i2d_PublicKey was listed in 2 different man pages find-doc-nits complains if a symbol is documented in more than one location. Reviewed-by: Richard Levitte <levi...@openssl.org> (cherry picked from commit 4ff4e53f816855b07fc02dc931dd57b2ae324aa1) Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Matthias St. Pierre <matthias.st.pie...@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10094) commit 109a00269daf671e5652495d00a7302995029129 Author: Pauli <paul.d...@oracle.com> Date: Sat Mar 30 11:22:51 2019 +1000 issue-8493: Fix for filenames with newlines using openssl dgst The output format now matches coreutils *dgst tools. [ edited to remove trailing white space ] Reviewed-by: Richard Levitte <levi...@openssl.org> Reviewed-by: Paul Dale <paul.d...@oracle.com> (cherry picked from commit f3448f5481a8d1f6fbf5fd05caaca229af0b87f7) Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Matthias St. Pierre <matthias.st.pie...@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10094) commit 3c682fad5f6aaaa567bd395741a7864dc4947402 Author: Pauli <paul.d...@oracle.com> Date: Tue Mar 19 11:22:32 2019 +1000 Add documentation for the -sigopt option. 
Reviewed-by: Paul Yang <yang.y...@baishancloud.com> (cherry picked from commit d7b2124a428f9e00ed7647554b5be7153aac71f6) Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Matthias St. Pierre <matthias.st.pie...@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10094) commit 44301079c8ad3c150cd4d11e4781bc1b144ee9ed Author: David Benjamin <david...@google.com> Date: Fri Jan 25 13:56:45 2019 -0600 Document and add macros for additional DSA options EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS and EVP_PKEY_CTRL_DSA_PARAMGEN_MD are only exposed from EVP_PKEY_CTX_ctrl, which means callers must write more error-prone code (see also issue #1319). Add the missing wrapper macros and document them. Reviewed-by: Matt Caswell <m...@openssl.org> (cherry picked from commit a97faad76a1be22eadd6c1a39972ad5e095d9e80) Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Matthias St. Pierre <matthias.st.pie...@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10094) commit 0388d212af3e3798724cff3b2a5036f17faf41fb Author: Antoine Salon <asa...@vmware.com> Date: Fri Dec 14 12:47:07 2018 -0800 Add missing EVP_MD documentation 
Signed-off-by: Antoine Salon <asa...@vmware.com> Reviewed-by: Paul Dale <paul.d...@oracle.com> Reviewed-by: Matt Caswell <m...@openssl.org> (cherry picked from commit 37842dfaebcf28b4ca452c6abd93ebde1b4aa6dc) Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Matthias St. Pierre <matthias.st.pie...@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10094) commit 3fb4bdabc2cb23eeff8309b5abdc61bbedbc6bea Author: Rich Salz <rs...@akamai.com> Date: Wed Oct 17 10:25:00 2018 -0400 Ignore duplicated undocumented things Reviewed-by: Richard Levitte <levi...@openssl.org> Reviewed-by: Paul Yang <yang.y...@baishancloud.com> (cherry picked from commit ee4afacd96f5bfbe7662c8f0ec4464c6eee4c450) Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Matthias St. Pierre <matthias.st.pie...@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/10094) ----------------------------------------------------------------------- Summary of changes: CHANGES | 5 +++ apps/dgst.c | 48 ++++++++++++++++++++++- crypto/dsa/dsa_pmeth.c | 8 +--- doc/man1/ca.pod | 6 +++ doc/man1/dgst.pod | 4 +- doc/man1/req.pod | 8 +++- doc/man1/x509.pod | 6 +++ doc/man3/EVP_DigestInit.pod | 88 +++++++++++++++++++++++++++++++++++------- doc/man3/EVP_MD_meth_new.pod | 21 +++++++--- doc/man3/EVP_PKEY_CTX_ctrl.pod | 16 +++++++- doc/man3/d2i_X509.pod | 1 - include/openssl/dsa.h | 6 +++ include/openssl/ocsp.h | 2 +- test/README | 2 +- util/find-doc-nits | 10 +++-- util/private.num | 2 + 16 files changed, 199 insertions(+), 34 deletions(-) diff --git a/CHANGES b/CHANGES index a10d679ddb..c64247dc91 100644 --- a/CHANGES +++ b/CHANGES 
@@ -9,6 +9,11 @@ Changes between 1.1.1d and 1.1.1e [xx XXX xxxx] + *) Added newline escaping functionality to a filename when using openssl dgst. + This output format is to replicate the output format found in the '*sum' + checksum programs. This aims to preserve backward compatibility. + [Matt Eaton, Richard Levitte, and Paul Dale] + *) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just the first value. [Jon Spillett] diff --git a/apps/dgst.c b/apps/dgst.c index d6f5a0e2e7..9223133eb2 100644 --- a/apps/dgst.c +++ b/apps/dgst.c 
@@ -413,13 +413,52 @@ int dgst_main(int argc, char **argv) return ret; } +/* + * The newline_escape_filename function performs newline escaping for any + * filename that contains a newline. This function also takes a pointer + * to backslash. The backslash pointer is a flag to indicating whether a newline + * is present in the filename. If a newline is present, the backslash flag is + * set and the output format will contain a backslash at the beginning of the + * digest output. This output format is to replicate the output format found + * in the '*sum' checksum programs. This aims to preserve backward + * compatibility. + */ +static const char *newline_escape_filename(const char *file, int * backslash) +{ + size_t i, e = 0, length = strlen(file), newline_count = 0, mem_len = 0; + char *file_cpy = NULL; + + for (i = 0; i < length; i++) + if (file[i] == '\n') + newline_count++; + + mem_len = length + newline_count + 1; + file_cpy = app_malloc(mem_len, file); + i = 0; + + while(e < length) { + const char c = file[e]; + if (c == '\n') { + file_cpy[i++] = '\\'; + file_cpy[i++] = 'n'; + *backslash = 1; + } else { + file_cpy[i++] = c; + } + e++; + } + file_cpy[i] = '\0'; + return (const char*)file_cpy; +} + + int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *sig_name, const char *md_name, const char *file) { size_t len; - int i; + int i, backslash = 0; while (BIO_pending(bp) || !BIO_eof(bp)) { i = BIO_read(bp, (char *)buf, BUFSIZE); @@ -467,9 +506,16 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, if (binout) { BIO_write(out, buf, len); } else if (sep == 2) { + file = newline_escape_filename(file, &backslash); + + if (backslash == 1) + BIO_puts(out, "\\"); + for (i = 0; i < (int)len; i++) BIO_printf(out, "%02x", buf[i]); + BIO_printf(out, " *%s\n", file); + OPENSSL_free((char *)file); } else { if (sig_name != NULL) { BIO_puts(out, sig_name); 
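Review bot: newline_escape_filename escapes only '\n', so once the leading-backslash flag is set a literal backslash followed by `n` in the name is printed exactly like an escaped newline, and a verifier reading the list back can resolve the entry to a different file name. The coreutils *sum format this is meant to replicate also doubles a literal backslash; the counting loop would become `if (file[i] == '\n' || file[i] == '\\')`, the copy test `if (c == '\n' || c == '\\') {` and the second store `file_cpy[i++] = (c == '\n') ? 'n' : '\\';`. That alters the output for any name containing a backslash, so it needs the same backward-compatibility decision the CHANGES entry mentions. The header comment should also state that the caller owns and must free the returned buffer.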
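Review bot: In the `sep == 2` branch the `const char *file` parameter is overwritten with the allocated copy and then released through `OPENSSL_free((char *)file)`, which hides the ownership and leaves `file` dangling for any later use in do_fp. A local such as `char *escaped = (char *)newline_escape_filename(file, &backslash);`, printed with `BIO_printf(out, " *%s\n", escaped);` and released with `OPENSSL_free(escaped);`, keeps the parameter intact and confines the cast to one place. The `else` branch that begins at the end of this hunk continues outside it; if it prints `file` as well, a name with an embedded newline is still written raw there, which is worth confirming. do_fp's body starts and ends outside the hunk.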
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index 80e5735d83..4ca3747a46 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -178,9 +178,7 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx, } if (strcmp(type, "dsa_paramgen_q_bits") == 0) { int qbits = atoi(value); - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits, - NULL); + return EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, qbits); } if (strcmp(type, "dsa_paramgen_md") == 0) { const EVP_MD *md = EVP_get_digestbyname(value); @@ -189,9 +187,7 @@ static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx, DSAerr(DSA_F_PKEY_DSA_CTRL_STR, DSA_R_INVALID_DIGEST_TYPE); return 0; } - return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, - EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, - (void *)md); + return EVP_PKEY_CTX_set_dsa_paramgen_md(ctx, md); } return -2; } diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod index 7385a00941..27bb31493a 100644 --- a/doc/man1/ca.pod +++ b/doc/man1/ca.pod @@ -51,6 +51,7 @@ B<openssl> B<ca> [B<-engine id>] [B<-subj arg>] [B<-utf8>] +[B<-sigopt nm:v>] [B<-create_serial>] [B<-rand_serial>] [B<-multivalue-rdn>] @@ -134,6 +135,11 @@ The private key to sign requests with. The format of the data in the private key file. The default is PEM. +=item B<-sigopt nm:v> + +Pass options to the signature algorithm during sign or verify operations. +Names and values of these options are algorithm-specific. + =item B<-key password> The password used to encrypt the private key. Since on some diff --git a/doc/man1/dgst.pod b/doc/man1/dgst.pod index 66a6697eb1..6d48523c99 100644 --- a/doc/man1/dgst.pod +++ b/doc/man1/dgst.pod @@ -22,6 +22,7 @@ B<openssl dgst> [B<-verify filename>] [B<-prverify filename>] [B<-signature filename>] +[B<-sigopt nm:v>] [B<-hmac key>] [B<-fips-fingerprint>] [B<-rand file...>] 
@@ -78,7 +79,8 @@ Output the digest or signature in binary form. =item B<-r> -Output the digest in the "coreutils" format used by programs like B<sha1sum>. +Output the digest in the "coreutils" format, including newlines. +Used by programs like B<sha1sum>. =item B<-out filename> diff --git a/doc/man1/req.pod b/doc/man1/req.pod index a9b5b1690a..730c59079d 100644 --- a/doc/man1/req.pod +++ b/doc/man1/req.pod @@ -46,6 +46,7 @@ B<openssl> B<req> [B<-reqopt>] [B<-subject>] [B<-subj arg>] +[B<-sigopt nm:v>] [B<-batch>] [B<-verbose>] [B<-engine id>] @@ -82,6 +83,11 @@ This specifies the input filename to read a request from or standard input if this option is not specified. A request is only read if the creation options (B<-new> and B<-newkey>) are not specified. +=item B<-sigopt nm:v> + +Pass options to the signature algorithm during sign or verify operations. +Names and values of these options are algorithm-specific. + =item B<-passin arg> The input file password source. For more information about the format of B<arg> @@ -689,7 +695,7 @@ L<x509v3_config(5)> =head1 COPYRIGHT -Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man1/x509.pod b/doc/man1/x509.pod index 7878753414..503d5e9fd4 100644 --- a/doc/man1/x509.pod +++ b/doc/man1/x509.pod @@ -61,6 +61,7 @@ B<openssl> B<x509> [B<-clrext>] [B<-extfile filename>] [B<-extensions section>] +[B<-sigopt nm:v>] [B<-rand file...>] [B<-writerand file>] [B<-engine id>] 
@@ -366,6 +367,11 @@ If the input is a certificate request then a self signed certificate is created using the supplied private key using the subject name in the request. +=item B<-sigopt nm:v> + +Pass options to the signature algorithm during sign or verify operations. +Names and values of these options are algorithm-specific. + =item B<-passin arg> The key password source. For more information about the format of B<arg> diff --git a/doc/man3/EVP_DigestInit.pod b/doc/man3/EVP_DigestInit.pod index d5cbee45ca..434e22030f 100644 --- a/doc/man3/EVP_DigestInit.pod +++ b/doc/man3/EVP_DigestInit.pod @@ -2,17 +2,17 @@ =head1 NAME -EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy_ex, -EVP_MD_CTX_ctrl, EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, -EVP_MD_CTX_test_flags, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate, +EVP_MD_CTX_new, EVP_MD_CTX_reset, EVP_MD_CTX_free, EVP_MD_CTX_copy, +EVP_MD_CTX_copy_ex, EVP_MD_CTX_ctrl, EVP_MD_CTX_set_flags, +EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags, +EVP_Digest, EVP_DigestInit_ex, EVP_DigestInit, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal, -EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, -EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, -EVP_MD_CTX_block_size, EVP_MD_CTX_type, EVP_MD_CTX_md_data, +EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_flags, +EVP_MD_CTX_md, EVP_MD_CTX_type, EVP_MD_CTX_size, EVP_MD_CTX_block_size, +EVP_MD_CTX_md_data, EVP_MD_CTX_update_fn, EVP_MD_CTX_set_update_fn, EVP_md_null, -EVP_get_digestbyname, EVP_get_digestbynid, -EVP_get_digestbyobj, -EVP_MD_CTX_set_pkey_ctx - EVP digest routines +EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj, +EVP_MD_CTX_pkey_ctx, EVP_MD_CTX_set_pkey_ctx - EVP digest routines =head1 SYNOPSIS 
@@ -26,6 +26,8 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines void EVP_MD_CTX_clear_flags(EVP_MD_CTX *ctx, int flags); int EVP_MD_CTX_test_flags(const EVP_MD_CTX *ctx, int flags); + int EVP_Digest(const void *data, size_t count, unsigned char *md, + unsigned int *size, const EVP_MD *type, ENGINE *impl); int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); @@ -42,12 +44,18 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines int EVP_MD_pkey_type(const EVP_MD *md); int EVP_MD_size(const EVP_MD *md); int EVP_MD_block_size(const EVP_MD *md); + unsigned long EVP_MD_flags(const EVP_MD *md); const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); int EVP_MD_CTX_size(const EVP_MD_CTX *ctx); int EVP_MD_CTX_block_size(const EVP_MD_CTX *ctx); int EVP_MD_CTX_type(const EVP_MD_CTX *ctx); void *EVP_MD_CTX_md_data(const EVP_MD_CTX *ctx); + int (*EVP_MD_CTX_update_fn(EVP_MD_CTX *ctx))(EVP_MD_CTX *ctx, + const void *data, size_t count); + void EVP_MD_CTX_set_update_fn(EVP_MD_CTX *ctx, + int (*update)(EVP_MD_CTX *ctx, + const void *data, size_t count)); const EVP_MD *EVP_md_null(void); @@ -55,6 +63,7 @@ EVP_MD_CTX_set_pkey_ctx - EVP digest routines const EVP_MD *EVP_get_digestbynid(int type); const EVP_MD *EVP_get_digestbyobj(const ASN1_OBJECT *o); + EVP_PKEY_CTX *EVP_MD_CTX_pkey_ctx(const EVP_MD_CTX *ctx); void EVP_MD_CTX_set_pkey_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pctx); =head1 DESCRIPTION 
@@ -79,12 +88,24 @@ Cleans up digest context B<ctx> and frees up the space allocated to it. =item EVP_MD_CTX_ctrl() -Performs digest-specific control actions on context B<ctx>. +Performs digest-specific control actions on context B<ctx>. The control command +is indicated in B<cmd> and any additional arguments in B<p1> and B<p2>. +EVP_MD_CTX_ctrl() must be called after EVP_DigestInit_ex(). Other restrictions +may apply depending on the control type and digest implementation. +See L</CONTROLS> below for more information. =item EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags(), EVP_MD_CTX_test_flags() Sets, clears and tests B<ctx> flags. See L</FLAGS> below for more information. +=item EVP_Digest() + +A wrapper around the Digest Init_ex, Update and Final_ex functions. +Hashes B<count> bytes of data at B<data> using a digest B<type> from ENGINE +B<impl>. The digest value is placed in B<md> and its length is written at B<size> +if the pointer is not NULL. At most B<EVP_MAX_MD_SIZE> bytes will be written. +If B<impl> is NULL the default implementation of digest B<type> is used. + =item EVP_DigestInit_ex() Sets up digest context B<ctx> to use a digest B<type> from ENGINE B<impl>. @@ -163,6 +184,21 @@ EVP_MD_meth_set_app_datasize(). Returns the B<EVP_MD> structure corresponding to the passed B<EVP_MD_CTX>. +=item EVP_MD_CTX_set_update_fn() + +Sets the update function for B<ctx> to B<update>. +This is the function that is called by EVP_DigestUpdate. If not set, the +update function from the B<EVP_MD> type specified at initialization is used. + +=item EVP_MD_CTX_update_fn() + +Returns the update function for B<ctx>. + +=item EVP_MD_flags() + +Returns the B<md> flags. Note that these are different from the B<EVP_MD_CTX> +ones. See L<EVP_MD_meth_set_flags(3)> for more information. + =item EVP_MD_pkey_type() Returns the NID of the public key signing algorithm associated with this 
@@ -182,10 +218,15 @@ EVP_get_digestbyobj() Returns an B<EVP_MD> structure when passed a digest name, a digest B<NID> or an B<ASN1_OBJECT> structure respectively. +=item EVP_MD_CTX_pkey_ctx() + +Returns the B<EVP_PKEY_CTX> assigned to B<ctx>. The returned pointer should not +be freed by the caller. + =item EVP_MD_CTX_set_pkey_ctx() Assigns an B<EVP_PKEY_CTX> to B<EVP_MD_CTX>. This is usually used to provide -a customzied B<EVP_PKEY_CTX> to L<EVP_DigestSignInit(3)> or +a customized B<EVP_PKEY_CTX> to L<EVP_DigestSignInit(3)> or L<EVP_DigestVerifyInit(3)>. The B<pctx> passed to this function should be freed by the caller. A NULL B<pctx> pointer is also allowed to clear the B<EVP_PKEY_CTX> assigned to B<ctx>. In such case, freeing the cleared B<EVP_PKEY_CTX> or not @@ -193,6 +234,27 @@ depends on how the B<EVP_PKEY_CTX> is created. =back +=head1 CONTROLS + +EVP_MD_CTX_ctrl() can be used to send the following standard controls: + +=over 4 + +=item EVP_MD_CTRL_MICALG + +Gets the digest Message Integrity Check algorithm string. This is used when +creating S/MIME multipart/signed messages, as specified in RFC 3851. +The string value is written to B<p2>. + +=item EVP_MD_CTRL_XOF_LEN + +This control sets the digest length for extendable output functions to B<p1>. +Sending this control directly should not be necessary, the use of +C<EVP_DigestFinalXOF()> is preferred. +Currently used by SHAKE. + +=back + =head1 FLAGS EVP_MD_CTX_set_flags(), EVP_MD_CTX_clear_flags() and EVP_MD_CTX_test_flags() @@ -245,8 +307,7 @@ Returns 1 if successful or 0 for failure. Returns 1 if successful or 0 for failure. =item EVP_MD_type(), -EVP_MD_pkey_type(), -EVP_MD_type() +EVP_MD_pkey_type() Returns the NID of the corresponding OBJECT IDENTIFIER or NID_undef if none exists. @@ -350,6 +411,7 @@ digest name passed on the command line. =head1 SEE ALSO +L<EVP_MD_meth_new(3)>, L<dgst(1)>, L<evp(7)> 
diff --git a/doc/man3/EVP_MD_meth_new.pod b/doc/man3/EVP_MD_meth_new.pod index 0265c7d504..e17a4cd519 100644 --- a/doc/man3/EVP_MD_meth_new.pod +++ b/doc/man3/EVP_MD_meth_new.pod @@ -84,7 +84,12 @@ together. The available flags are: =item EVP_MD_FLAG_ONESHOT -This digest method can only handles one block of input. +This digest method can only handle one block of input. + +=item EVP_MD_FLAG_XOF + +This digest method is an extensible-output function (XOF) and supports +the B<EVP_MD_CTRL_XOF_LEN> control. =item EVP_MD_FLAG_DIGALGID_NULL @@ -105,19 +110,24 @@ B<EVP_MD_FLAG_DIGALGID_ABSENT> as default. I<Note: if combined with EVP_MD_FLAG_DIGALGID_NULL, the latter will be overridden.> Currently unused. +=item EVP_MD_FLAG_FIPS + +This digest method is suitable for use in FIPS mode. +Currently unused. + =back EVP_MD_meth_set_init() sets the digest init function for B<md>. -The digest init function is called by EVP_DigestInit(), +The digest init function is called by EVP_Digest(), EVP_DigestInit(), EVP_DigestInit_ex(), EVP_SignInit, EVP_SignInit_ex(), EVP_VerifyInit() and EVP_VerifyInit_ex(). EVP_MD_meth_set_update() sets the digest update function for B<md>. -The digest update function is called by EVP_DigestUpdate(), +The digest update function is called by EVP_Digest(), EVP_DigestUpdate() and EVP_SignUpdate(). EVP_MD_meth_set_final() sets the digest final function for B<md>. -The digest final function is called by EVP_DigestFinal(), +The digest final function is called by EVP_Digest(), EVP_DigestFinal(), EVP_DigestFinal_ex(), EVP_SignFinal() and EVP_VerifyFinal(). EVP_MD_meth_set_copy() sets the function for B<md> to do extra @@ -138,6 +148,7 @@ This cleanup function is called by EVP_MD_CTX_reset() and EVP_MD_CTX_free(). EVP_MD_meth_set_ctrl() sets the control function for B<md>. +See L<EVP_MD_CTX_ctrl(3)> for the available controls. EVP_MD_meth_get_input_blocksize(), EVP_MD_meth_get_result_size(), EVP_MD_meth_get_app_datasize(), EVP_MD_meth_get_flags(), 
@@ -169,7 +180,7 @@ The B<EVP_MD> structure was openly available in OpenSSL before version =head1 COPYRIGHT -Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved. +Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. Licensed under the OpenSSL license (the "License"). You may not use this file except in compliance with the License. You can obtain a copy diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod index 75fad0f70c..16d8462a42 100644 --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod @@ -23,6 +23,8 @@ EVP_PKEY_CTX_get_rsa_oaep_md, EVP_PKEY_CTX_set0_rsa_oaep_label, EVP_PKEY_CTX_get0_rsa_oaep_label, EVP_PKEY_CTX_set_dsa_paramgen_bits, +EVP_PKEY_CTX_set_dsa_paramgen_q_bits, +EVP_PKEY_CTX_set_dsa_paramgen_md, EVP_PKEY_CTX_set_dh_paramgen_prime_len, EVP_PKEY_CTX_set_dh_paramgen_subprime_len, EVP_PKEY_CTX_set_dh_paramgen_generator, @@ -93,6 +95,8 @@ EVP_PKEY_CTX_set1_id, EVP_PKEY_CTX_get1_id, EVP_PKEY_CTX_get1_id_len #include <openssl/dsa.h> int EVP_PKEY_CTX_set_dsa_paramgen_bits(EVP_PKEY_CTX *ctx, int nbits); + int EVP_PKEY_CTX_set_dsa_paramgen_q_bits(EVP_PKEY_CTX *ctx, int qbits); + int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md); #include <openssl/dh.h> 
@@ -255,7 +259,17 @@ by the library and should not be freed by the caller. =head2 DSA parameters The EVP_PKEY_CTX_set_dsa_paramgen_bits() macro sets the number of bits used -for DSA parameter generation to B<bits>. If not specified 1024 is used. +for DSA parameter generation to B<nbits>. If not specified, 1024 is used. + +The EVP_PKEY_CTX_set_dsa_paramgen_q_bits() macro sets the number of bits in the +subprime parameter B<q> for DSA parameter generation to B<qbits>. If not +specified, 160 is used. If a digest function is specified below, this parameter +is ignored and instead, the number of bits in B<q> matches the size of the +digest. + +The EVP_PKEY_CTX_set_dsa_paramgen_md() macro sets the digest function used for +DSA parameter generation to B<md>. If not specified, one of SHA-1, SHA-224, or +SHA-256 is selected to match the bit length of B<q> above. =head2 DH parameters diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod index e36270f739..075f87295a 100644 --- a/doc/man3/d2i_X509.pod +++ b/doc/man3/d2i_X509.pod @@ -307,7 +307,6 @@ i2d_POLICYQUALINFO, i2d_PROFESSION_INFO, i2d_PROXY_CERT_INFO_EXTENSION, i2d_PROXY_POLICY, -i2d_PublicKey, i2d_RSAPrivateKey, i2d_RSAPrivateKey_bio, i2d_RSAPrivateKey_fp, diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index 822eff347a..6d8a18a4ad 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h 
@@ -162,6 +162,12 @@ DH *DSA_dup_DH(const DSA *r); # define EVP_PKEY_CTX_set_dsa_paramgen_bits(ctx, nbits) \ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \ EVP_PKEY_CTRL_DSA_PARAMGEN_BITS, nbits, NULL) +# define EVP_PKEY_CTX_set_dsa_paramgen_q_bits(ctx, qbits) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \ + EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS, qbits, NULL) +# define EVP_PKEY_CTX_set_dsa_paramgen_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, EVP_PKEY_OP_PARAMGEN, \ + EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, (void *)(md)) # define EVP_PKEY_CTRL_DSA_PARAMGEN_BITS (EVP_PKEY_ALG_CTRL + 1) # define EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS (EVP_PKEY_ALG_CTRL + 2) diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h index 8582fe1ee1..4d759a49de 100644 --- a/include/openssl/ocsp.h +++ b/include/openssl/ocsp.h @@ -123,7 +123,7 @@ typedef struct ocsp_service_locator_st OCSP_SERVICELOC; (char *(*)())d2i_OCSP_REQUEST,PEM_STRING_OCSP_REQUEST, \ bp,(char **)(x),cb,NULL) -# define PEM_read_bio_OCSP_RESPONSE(bp,x,cb)(OCSP_RESPONSE *)PEM_ASN1_read_bio(\ +# define PEM_read_bio_OCSP_RESPONSE(bp,x,cb) (OCSP_RESPONSE *)PEM_ASN1_read_bio(\ (char *(*)())d2i_OCSP_RESPONSE,PEM_STRING_OCSP_RESPONSE, \ bp,(char **)(x),cb,NULL) diff --git a/test/README b/test/README index 37722e79f3..ebe7784605 100644 --- a/test/README +++ b/test/README @@ -114,7 +114,7 @@ Generic form of C test executables int observed; observed = function(); /* Call the code under test */ - if (!TEST_int_equal(observed, 2)) /* Check the result is correct */ + if (!TEST_int_eq(observed, 2)) /* Check the result is correct */ goto end; /* Exit on failure - optional */ testresult = 1; /* Mark the test case a success */ diff --git a/util/find-doc-nits b/util/find-doc-nits index 699887a267..f2fd85ce8e 100755 --- a/util/find-doc-nits +++ b/util/find-doc-nits 
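Review bot: The two new wrapper macros in dsa.h carry no comment about how they interact, although the manual page text added in the same push says the q_bits value is ignored once a digest is set. A short comment above them, for example `/* qbits is ignored when a digest is set with EVP_PKEY_CTX_set_dsa_paramgen_md() */`, would keep callers from assuming they have pinned the subprime size. The `(void *)(md)` cast also drops the `const` from the documented `const EVP_MD *md` argument; that appears to be forced by the EVP_PKEY_CTX_ctrl argument type and deserves a word in the same comment.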
@@ -35,7 +35,7 @@ Find small errors (nits) in documentation. Options: -l Print bogus links -n Print nits in POD pages -p Warn if non-public name documented (implies -n) - -u List undocumented functions + -u Count undocumented functions -h Print this help message -c List undocumented commands and options EOF @@ -294,6 +294,7 @@ my %docced; sub checkmacros() { my $count = 0; + my %seen; print "# Checking macros (approximate)\n"; foreach my $f ( glob('include/openssl/*.h') ) { @@ -305,7 +306,7 @@ sub checkmacros() while ( <IN> ) { next unless /^#\s*define\s*(\S+)\(/; my $macro = $1; - next if $docced{$macro}; + next if $docced{$macro} || defined $seen{$macro}; next if $macro =~ /i2d_/ || $macro =~ /d2i_/ || $macro =~ /DEPRECATEDIN/ @@ -313,6 +314,7 @@ sub checkmacros() || $macro =~ /DECLARE_/; print "$f:$macro\n" if $opt_d; $count++; + $seen{$macro} = 1; } close(IN); } @@ -324,15 +326,17 @@ sub printem() my $libname = shift; my $numfile = shift; my $count = 0; + my %seen; foreach my $func ( &parsenum($numfile) ) { - next if $docced{$func}; + next if $docced{$func} || defined $seen{$func}; # Skip ASN1 utilities next if $func =~ /^ASN1_/; print "$libname:$func\n" if $opt_d; $count++; + $seen{$func} = 1; } print "# Found $count missing from $numfile\n\n"; } diff --git a/util/private.num b/util/private.num index a6ef44e4a6..ecf00bb3fe 100644 --- a/util/private.num +++ b/util/private.num @@ -228,6 +228,8 @@ EVP_PKEY_CTX_set_dh_pad define EVP_PKEY_CTX_set_dh_rfc5114 define EVP_PKEY_CTX_set_dhx_rfc5114 define EVP_PKEY_CTX_set_dsa_paramgen_bits define +EVP_PKEY_CTX_set_dsa_paramgen_q_bits define +EVP_PKEY_CTX_set_dsa_paramgen_md define EVP_PKEY_CTX_set_ec_param_enc define EVP_PKEY_CTX_set_ec_paramgen_curve_nid define EVP_PKEY_CTX_set_ecdh_cofactor_mode define
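Review bot: With the new `%seen` guard in checkmacros(), a macro defined in several headers is counted and printed under `-d` only for the first header globbed, so the listing no longer shows every location and nothing in the code says this is intended. A comment such as `# count each name once; later definitions in other headers are skipped` above `my %seen;` would make that explicit, and the same applies to the `%seen` added in printem(). The test could also read `exists $seen{$macro}` rather than `defined $seen{$macro}`, since only presence of the key matters. checkmacros() spans three hunks and printem() starts outside its hunk.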