We've found some typos and omissions in the openssl utility documentation (both builtin messages and pod pages). The following patch fixes some of these problems. We haven't thoroughly reviewed all the manual pages in doc/apps, concentrating on those commands which can use GOST algorithms via command-line options and commands which perform certificate verification.
Description of patch

This patch fixes some omissions in the documentation and messages of the openssl utility.

Fixes in the code:

1. apps/dgst.c
   Use OBJ_NAME_do_all_sorted to list available digest options instead of a hardcoded list of digests (as is done for symmetric ciphers in the enc command). This allows picking up digests provided by engines (such as md_gost94) and also ensures that digests excluded during compilation (such as mdc2) won't be listed. Added missing options -opt, -mac and -macopt to the usage message.
2. apps/pkeyparam.c
   Fixed a typo in the error message.
3. apps/pkeyutl.c
   Fixed an incorrect option name (-signature instead of -sigfile) in the usage message.
4. apps/req.c
   Make the search for a digest the last option (it was before -extensions and -reqexts).

Fixes in the manual pages:

1. The -engine option description of most commands incorrectly referred to the req command, rather than the command described.
2. Removed the explicit and incomplete list of ciphers from the smime and cms commands and added a reference to the enc command for the full list of ciphers.
3. Added the list of certificate verification options supported by the args_verify function in apps/apps.c to the man pages of the smime and cms commands (which use this function) with a reference to the verify man page, where these options are briefly described (description taken from comments in crypto/x509/x509_vfy.h).
4. Documented the -keyform, -engine, -sigopt, -mac and -macopt options of the dgst command.
5. Documented the options -base64, -salt, -nosalt, -z, -md, -none and -engine for the enc command.
6. Described working with engine-provided ciphers in the enc command.
7. Added ciphers provided by the ccgost engine to the list of supported ciphers (marking them as engine-provided).
8. Added a manual page for the engine command (which was missing).
9. Added a section about GOST algorithm parameters to the genpkey manpage.
10. Make the list of manual pages for individual commands in the openssl(1) man page correspond to the list of actual commands displayed by openssl running without arguments.
11. Documented -engine and -passin for the pkeyutl command.
12. Removed the hardcoded list of digests from the req manual.
13. Expanded and clarified the description of req -newkey.
14. Documented briefly the -keygen_engine, -no-asn1-kludge, -reqopt, -subject and -subj options for the req command.
15. Documented the -crl_check and -crl_check_all options for the s_client command (they are already documented for s_server).
? crypto/des/des_enc-sparc.S ? doc/apps/engine.pod Index: Makefile.shared =================================================================== RCS file: /cvs-openssl/openssl/Makefile.shared,v retrieving revision 1.72 diff -u -r1.72 Makefile.shared --- Makefile.shared 2 Jan 2009 09:02:27 -0000 1.72 +++ Makefile.shared 2 Apr 2009 10:25:30 -0000 @@ -70,7 +70,7 @@ # The rest is private to this makefile. SET_X=: -#SET_X=set -x +SET_X=set -x top: echo "Trying to use this makefile interactively? Don't." Index: apps/Makefile =================================================================== RCS file: /cvs-openssl/openssl/apps/Makefile,v retrieving revision 1.33 diff -u -r1.33 Makefile --- apps/Makefile 2 Dec 2008 01:21:34 -0000 1.33 +++ apps/Makefile 2 Apr 2009 10:25:30 -0000 
@@ -939,14 +939,13 @@ speed.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h -speed.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h -speed.o: ../include/openssl/safestack.h ../include/openssl/seed.h -speed.o: ../include/openssl/sha.h ../include/openssl/stack.h -speed.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h -speed.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h -speed.o: ../include/openssl/whrlpool.h ../include/openssl/x509.h -speed.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h -speed.o: speed.c testdsa.h testrsa.h +speed.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +speed.o: ../include/openssl/seed.h ../include/openssl/sha.h +speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +speed.o: ../include/openssl/txt_db.h ../include/openssl/ui.h +speed.o: ../include/openssl/ui_compat.h ../include/openssl/whrlpool.h +speed.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h +speed.o: ../include/openssl/x509v3.h apps.h speed.c testdsa.h testrsa.h spkac.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h spkac.o: ../include/openssl/buffer.h ../include/openssl/conf.h spkac.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h Index: apps/dgst.c =================================================================== RCS file: /cvs-openssl/openssl/apps/dgst.c,v retrieving revision 1.54 diff -u -r1.54 dgst.c --- apps/dgst.c 31 Mar 2009 19:54:51 -0000 1.54 +++ apps/dgst.c 2 Apr 2009 10:25:30 -0000 
@@ -67,13 +67,25 @@ #include <openssl/x509.h> #include <openssl/pem.h> #include <openssl/hmac.h> - +#include <ctype.h> #undef BUFSIZE #define BUFSIZE 1024*8 #undef PROG #define PROG dgst_main +static void show_digests(const OBJ_NAME *name,void *bio_) + { + BIO *bio = bio_; + /* Filter out digest aliases */ + EVP_MD *md = EVP_get_digestbyname(name->name); + if (!islower((unsigned char )*name->name)) + return; + if (strcasecmp(EVP_MD_name(md),name->name)) + return; + BIO_printf(bio,"-%-14s to use the %s message digest algorithm\n", + name->name,name->name); + } int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen, const char *sig_name, const char *md_name, 
@@ -249,43 +261,18 @@ BIO_printf(bio_err,"-verify file verify a signature using public key in file\n"); BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n"); BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n"); + BIO_printf(bio_err,"-out filename output to filename rather then stdout\n"); BIO_printf(bio_err,"-signature file signature to verify\n"); BIO_printf(bio_err,"-sigopt nm:v signature parameter\n"); BIO_printf(bio_err,"-hmac key create hashed MAC with key\n"); + BIO_printf(bio_err,"-mac algorithm create MAC (not neccessary HMAC)\n"); + BIO_printf(bio_err,"-macopt nm:v MAC algorithm parameters/key\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); #endif - - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm (default)\n", - LN_md5,LN_md5); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_md4,LN_md4); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_md2,LN_md2); -#ifndef OPENSSL_NO_SHA - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha1,LN_sha1); -#ifndef OPENSSL_NO_SHA256 - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha224,LN_sha224); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha256,LN_sha256); -#endif -#ifndef OPENSSL_NO_SHA512 - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha384,LN_sha384); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_sha512,LN_sha512); -#endif -#endif - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_mdc2,LN_mdc2); - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - LN_ripemd160,LN_ripemd160); -#ifndef OPENSSL_NO_WHIRLPOOL - BIO_printf(bio_err,"-%-14s to use the %s message digest algorithm\n", - SN_whirlpool,SN_whirlpool); -#endif + 
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH, + show_digests, + bio_err); goto end; } Index: apps/pkeyparam.c =================================================================== RCS file: /cvs-openssl/openssl/apps/pkeyparam.c,v retrieving revision 1.4 diff -u -r1.4 pkeyparam.c --- apps/pkeyparam.c 20 Dec 2008 17:04:37 -0000 1.4 +++ apps/pkeyparam.c 2 Apr 2009 10:25:30 -0000 @@ -179,7 +179,7 @@ pkey = PEM_read_bio_Parameters(in, NULL); if (!pkey) { - BIO_printf(bio_err, "Error reading paramters\n"); + BIO_printf(bio_err, "Error reading parameters\n"); ERR_print_errors(bio_err); goto end; } Index: apps/pkeyutl.c =================================================================== RCS file: /cvs-openssl/openssl/apps/pkeyutl.c,v retrieving revision 1.17 diff -u -r1.17 pkeyutl.c --- apps/pkeyutl.c 5 Nov 2008 18:38:51 -0000 1.17 +++ apps/pkeyutl.c 2 Apr 2009 10:25:30 -0000 @@ -390,7 +390,7 @@ BIO_printf(bio_err, "Usage: pkeyutl [options]\n"); BIO_printf(bio_err, "-in file input file\n"); BIO_printf(bio_err, "-out file output file\n"); - BIO_printf(bio_err, "-signature file signature file (verify operation only)\n"); + BIO_printf(bio_err, "-sigfile file signature file (verify operation only)\n"); BIO_printf(bio_err, "-inkey file input key\n"); BIO_printf(bio_err, "-keyform arg private key format - default PEM\n"); BIO_printf(bio_err, "-pubin input is a public key\n"); Index: apps/req.c =================================================================== RCS file: /cvs-openssl/openssl/apps/req.c,v retrieving revision 1.139 diff -u -r1.139 req.c --- apps/req.c 7 Oct 2008 22:55:25 -0000 1.139 +++ apps/req.c 2 Apr 2009 10:25:30 -0000 @@ -365,11 +365,6 @@ serial = s2i_ASN1_INTEGER(NULL, *(++argv)); if (!serial) goto bad; } - else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) - { - /* ok */ - digest=md_alg; - } else if (strcmp(*argv,"-extensions") == 0) { if (--argc < 1) goto bad; 
@@ -380,6 +375,11 @@ if (--argc < 1) goto bad; req_exts = *(++argv); } + else if ((md_alg=EVP_get_digestbyname(&((*argv)[1]))) != NULL) + { + /* ok */ + digest=md_alg; + } else { BIO_printf(bio_err,"unknown option %s\n",*argv); Index: crypto/evp/Makefile =================================================================== RCS file: /cvs-openssl/openssl/crypto/evp/Makefile,v retrieving revision 1.22 diff -u -r1.22 Makefile --- crypto/evp/Makefile 2 Dec 2008 01:21:37 -0000 1.22 +++ crypto/evp/Makefile 2 Apr 2009 10:25:30 -0000 
@@ -495,20 +495,13 @@ m_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h m_null.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h m_null.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_null.c -m_ripemd.o: ../../e_os.h ../../include/openssl/asn1.h -m_ripemd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h -m_ripemd.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -m_ripemd.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h -m_ripemd.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h -m_ripemd.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h -m_ripemd.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -m_ripemd.o: ../../include/openssl/opensslconf.h +m_ripemd.o: ../../e_os.h ../../include/openssl/bio.h +m_ripemd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h +m_ripemd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +m_ripemd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h m_ripemd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -m_ripemd.o: ../../include/openssl/pkcs7.h ../../include/openssl/ripemd.h -m_ripemd.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h -m_ripemd.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -m_ripemd.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h -m_ripemd.o: ../../include/openssl/x509_vfy.h ../cryptlib.h m_ripemd.c +m_ripemd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h +m_ripemd.o: ../../include/openssl/symhacks.h ../cryptlib.h m_ripemd.c m_sha.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h m_sha.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h m_sha.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h Index: doc/apps/ca.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/ca.pod,v 
retrieving revision 1.27 diff -u -r1.27 ca.pod --- doc/apps/ca.pod 7 Nov 2006 13:13:14 -0000 1.27 +++ doc/apps/ca.pod 2 Apr 2009 10:25:30 -0000 @@ -217,7 +217,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<ca> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/ciphers.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/ciphers.pod,v retrieving revision 1.14 diff -u -r1.14 ciphers.pod --- doc/apps/ciphers.pod 23 Apr 2007 23:48:50 -0000 1.14 +++ doc/apps/ciphers.pod 2 Apr 2009 10:25:30 -0000 @@ -251,6 +251,33 @@ cipher suites using SHA1. +=item B<aGOST> + +cipher suites using GOST R 34.10 (either 2001 or 94) for +authenticaction. (require some +engine that provide GOST algorithms) + +=item B<aGOST01> + +cipher suites using GOST R 34.10-2001 authentication +=item B<aGOST94> + +cipher suites using GOST R 34.10-94 authentication (note that R 34.10-94 +standar has been expired. Use GOST R 34.10-2001) + +=item B<kGOST> + +cipher suites, using VKO 34.10 key exchange, specified in the RFC 4357. + +=item B<GOST94> + +cipher suites, using HMAC based on GOST R 34.11-94. + +=item B<GOST89MAC> + +cipher suites using GOST 28147-89 MAC B<instead of> HMAC. + + =back =head1 CIPHER SUITE NAMES 
@@ -376,6 +403,17 @@ TLS_DH_anon_WITH_SEED_CBC_SHA ADH-SEED-SHA +=head2 GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0 + +Note: these ciphers require some engine which provides GOST +cryptoalgorithms, such as B<ccgost> engine, included in the OpenSSL +distribution. + + TLS_GOSTR341094_WITH_28147_CNT_IMIT GOST94-GOST89-GOST89 + TLS_GOSTR341001_WITH_28147_CNT_IMIT GOST2001-GOST89-GOST89 + TLS_GOSTR341094_WITH_NULL_GOSTR3411 GOST94-NULL-GOST94 + TLS_GOSTR341001_WITH_NULL_GOSTR3411 GOST2001-NULL-GOST94 + =head2 Additional Export 1024 and other cipher suites Note: these ciphers can also be used in SSL v3. Index: doc/apps/cms.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/cms.pod,v retrieving revision 1.4 diff -u -r1.4 cms.pod --- doc/apps/cms.pod 1 May 2008 23:35:36 -0000 1.4 +++ doc/apps/cms.pod 2 Apr 2009 10:25:30 -0000 @@ -36,17 +36,7 @@ [B<-CAfile file>] [B<-CApath dir>] [B<-md digest>] -[B<-des>] -[B<-des3>] -[B<-rc2-40>] -[B<-rc2-64>] -[B<-rc2-128>] -[B<-aes128>] -[B<-aes192>] -[B<-aes256>] -[B<-camellia128>] -[B<-camellia192>] -[B<-camellia256>] +[B<-[cipher]>] [B<-nointern>] [B<-no_signer_cert_verify>] [B<-nocerts>] 
@@ -253,13 +243,13 @@ digest algorithm to use when signing or resigning. If not present then the default digest algorithm for the signing key will be used (usually SHA1). -=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128 -camellia192 -camellia256> +=item B<-[cipher]> -the encryption algorithm to use. DES (56 bits), triple DES (168 bits), 40, 64 -or 128 bit RC2, 128, 192 or 256 bit AES, or 128, 192 or 256 bit Camellia -respectively. Any other cipher name (as recognized by the +the encryption algorithm to use. For example DES (56 bits) - B<-des>, +triple DES (168 bits) - B<-des3>, EVP_get_cipherbyname() function) can also be used preceded by a dash, for -example B<-aes_128_cbc>. +example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers +supported by your version of OpenSSL. If not specified triple DES is used. Only used with B<-encrypt> and B<-EncryptedData_create> commands. @@ -411,6 +401,11 @@ then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy> + +Set various options of certificate chain verification. See +L<B<verify>|verify(1)> manual page for details. + =back =head1 NOTES Index: doc/apps/dgst.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/dgst.pod,v retrieving revision 1.6 diff -u -r1.6 dgst.pod --- doc/apps/dgst.pod 19 May 2008 07:43:34 -0000 1.6 +++ doc/apps/dgst.pod 2 Apr 2009 10:25:30 -0000 @@ -14,6 +14,7 @@ [B<-binary>] [B<-out filename>] [B<-sign filename>] +[B<-keyform arg>] [B<-passin arg>] [B<-verify filename>] [B<-prverify filename>] 
@@ -61,6 +62,23 @@ digitally sign the digest using the private key in "filename". +=item B<-keyform arg> + +Specifies key format for key to sign digest with. Only PEM and ENGINE +formats are supported by B<dgst> command. + +=item B<-engine id> + +Use engine B<id> for operations (including private key storage). +This engine is not used as source for digest algorithms, unless it is +also specified in the configuration file. + +=item B<-sigopt nm:v> + +Pass options to the signature algorithm during sign or verify operations. +Names and values of these options are algorithm-specific. + + =item B<-passin arg> the private key password source. For more information about the format of B<arg> 
@@ -83,6 +101,35 @@ create a hashed MAC using "key". +=item B<-mac alg> + +create MAC (keyed Message Authentication Code). Most popular MAC +algorithm is HMAC (hash-based MAC), but there are other MAC algorithms +which are not based on hash, for instance B<gost-mac> algorithm, +supported by B<ccgost> engine. MAC keys and other options should be set +via B<-macopt> parameter. + +=item B<-macopt nm:v> + +Passes options to MAC algorithm, specified by B<-mac> key. +Following options are supported by both by B<HMAC> and B<gost-mac>: + +=over 8 + +=item B<key:string> + +Specifies MAC key as alphnumeric string (use if key contain prinable +characters only). String length must be equal to the length of used +digest for HMAC and be exactly 32 chars for gost-mac + +=item B<hexkey:string> + +Specifies MAC key in hexadecimal form (two hex digits per byte). +Key for HMAC should be same length as digest used for HMAC and be +exactly 64 digits (32bytes) for gost-mac. + +=back + =item B<-rand file(s)> a file or files containing random data used to seed the random number Index: doc/apps/dhparam.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/dhparam.pod,v retrieving revision 1.6 diff -u -r1.6 dhparam.pod --- doc/apps/dhparam.pod 30 Jan 2003 22:02:27 -0000 1.6 +++ doc/apps/dhparam.pod 2 Apr 2009 10:25:30 -0000 
@@ -99,7 +99,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<dhparam> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/dsa.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/dsa.pod,v retrieving revision 1.6 diff -u -r1.6 dsa.pod --- doc/apps/dsa.pod 30 Jan 2003 22:02:27 -0000 1.6 +++ doc/apps/dsa.pod 2 Apr 2009 10:25:30 -0000 @@ -109,7 +109,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<dsa> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/dsaparam.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/dsaparam.pod,v retrieving revision 1.5 diff -u -r1.5 dsaparam.pod --- doc/apps/dsaparam.pod 30 Jan 2003 22:02:27 -0000 1.5 +++ doc/apps/dsaparam.pod 2 Apr 2009 10:25:30 -0000 @@ -85,7 +85,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<dsaparam> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/ec.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/ec.pod,v retrieving revision 1.1 diff -u -r1.1 ec.pod --- doc/apps/ec.pod 21 Jul 2003 13:40:02 -0000 1.1 +++ doc/apps/ec.pod 2 Apr 2009 10:25:30 -0000 
@@ -130,7 +130,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<ec> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/ecparam.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/ecparam.pod,v retrieving revision 1.2 diff -u -r1.2 ecparam.pod --- doc/apps/ecparam.pod 17 Dec 2004 05:42:00 -0000 1.2 +++ doc/apps/ecparam.pod 2 Apr 2009 10:25:30 -0000 @@ -121,7 +121,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<ecparam> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/enc.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/enc.pod,v retrieving revision 1.9 diff -u -r1.9 enc.pod --- doc/apps/enc.pod 17 Sep 2007 16:42:35 -0000 1.9 +++ doc/apps/enc.pod 2 Apr 2009 10:25:30 -0000 @@ -12,17 +12,24 @@ [B<-pass arg>] [B<-e>] [B<-d>] -[B<-a>] +[B<-a/-base64>] [B<-A>] [B<-k password>] [B<-kfile filename>] [B<-K key>] [B<-iv IV>] +[B<-S salt>] +[B<-salt>] +[B<-nosalt>] +[B<-z>] +[B<-md>] [B<-p>] [B<-P>] [B<-bufsize number>] [B<-nopad>] [B<-debug>] +[B<-none>] +[B<-engine id>] =head1 DESCRIPTION @@ -74,6 +81,10 @@ the data is base64 encoded after encryption. If decryption is set then the input data is base64 decoded before being decrypted. +=item B<-base64> + +sinonym of B<-a> + =item B<-A> if the B<-a> option is set then base64 process the data on one line. 
@@ -89,6 +100,15 @@ This is for compatibility with previous versions of OpenSSL. Superseded by the B<-pass> argument. +=item B<-nosalt> + +do not use salt + +=item B<-salt> + +use salt (randomly generated or provide with B<-S> option) when +encrypting. + =item B<-S salt> the actual salt to use: this must be represented as a string comprised only @@ -131,12 +151,36 @@ debug the BIOs used for I/O. +=item B<-z> + +Compress/decompress clear text using zlib before encryption/after +decryption. This option exists only if OpenSSL with compiled with zlib +or zlib-dynamic option. + +=item B<-none> + +This is actually a cipher command. It specifies NULL cipher (no +transformation of input). + =back =head1 NOTES The program can be called either as B<openssl ciphername> or -B<openssl enc -ciphername>. +B<openssl enc -ciphername>. But first syntax doesn't work with +engine-provided ciphers, because configuration file is read only and +engine-provided ciphers are initialized only when command is actually +invoked. + +Engines which provide entirely new encryption algorithms (such as ccgost +engine which provides gost89 algorithm) should be configured in the +configuration file. Engines, specified in the command line using -engine +options can only be used for hadrware-assisted implementations of +ciphers, which are supported by OpenSSL core or other engine, specified +in the configuration file. + +When enc command lists supported ciphers, ciphers provided by engines, +specified in the configuration files, would be listed too. A password will be prompted for to derive the key and IV if necessary. 
@@ -169,6 +213,14 @@ =head1 SUPPORTED CIPHERS +Note that some of these ciphers can be disabled during compile time +configurations, and some are available only if some engine is configured +in the configuration file. Output of B<enc> command run with unsupported +options (for example B<openssl enc -help>) would give actual list of +ciphers, supported by your OpenSSL, including ones, provided by +configured engines. + + base64 Base 64 bf-cbc Blowfish in CBC mode @@ -203,6 +255,9 @@ desx DESX algorithm. + gost89 GOST 28147-89 in CFB mode (provided by ccgost engine) + gost89-cnt `GOST 28147-89 in CNT mode (provided by ccgost engine) + idea-cbc IDEA algorithm in CBC mode idea same as idea-cbc idea-cfb IDEA in CFB mode Index: doc/apps/gendsa.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/gendsa.pod,v retrieving revision 1.5 diff -u -r1.5 gendsa.pod --- doc/apps/gendsa.pod 30 Jan 2003 22:02:27 -0000 1.5 +++ doc/apps/gendsa.pod 2 Apr 2009 10:25:30 -0000 @@ -40,7 +40,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<gendsa> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/genpkey.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/genpkey.pod,v retrieving revision 1.4 diff -u -r1.4 genpkey.pod --- doc/apps/genpkey.pod 12 Jul 2006 13:28:44 -0000 1.4 +++ doc/apps/genpkey.pod 2 Apr 2009 10:25:30 -0000 
@@ -47,7 +47,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<genpkey> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. If used this option should precede all other @@ -138,6 +138,37 @@ =back +=head1 GOST2001 KEY GENERATION AND PARAMETER OPTIONS + +Gost 2001 support is not enabled by default. To enable this algorithm, +one should initialize ccgost engine in the OpenSSL configuration file. +See README.gost file in the engines/ccgost directiry of the source +distribution. + +Usage of parameter file for GOST R 34.10 algorithm is optional. +Parameters can be specified during key generation directly as well as +during generation of parameter file. + +=over 4 + +=item B<paramset:name> + +Specifies GOST R 34.10-2001 parameter set according to RFC 4357. +Parameter set can be specified using abbreviated name, object short name or +numeric OID. Following parameter sets are supported: + + paramset OID Usage + A 1.2.643.2.2.35.1 Signature + B 1.2.643.2.2.35.2 Signature + C 1.2.643.2.2.35.3 Signature + XA 1.2.643.2.2.36.0 Key exchange + XB 1.2.643.2.2.36.1 Key exchange + test 1.2.643.2.2.35.0 Test purposes + +=back + + + =head1 NOTES The use of the genpkey program is encouraged over the algorithm specific Index: doc/apps/genrsa.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/genrsa.pod,v retrieving revision 1.8 diff -u -r1.8 genrsa.pod --- doc/apps/genrsa.pod 30 Jan 2003 22:02:27 -0000 1.8 +++ doc/apps/genrsa.pod 2 Apr 2009 10:25:30 -0000 
@@ -57,7 +57,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<genrsa> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/openssl.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/openssl.pod,v retrieving revision 1.22 diff -u -r1.22 openssl.pod --- doc/apps/openssl.pod 17 Sep 2007 15:56:55 -0000 1.22 +++ doc/apps/openssl.pod 2 Apr 2009 10:25:30 -0000 @@ -81,6 +81,10 @@ Cipher Suite Description Determination. +=item L<B<cms>|cms(1)> + +CMS (Cryptographic Message Syntax) utility + =item L<B<crl>|crl(1)> Certificate Revocation List (CRL) Management. @@ -98,6 +102,12 @@ Diffie-Hellman Parameter Management. Obsoleted by L<B<dhparam>|dhparam(1)>. +=item L<B<dhparam>|dhparam(1)> + +Generation and Management of Diffie-Hellman Parameters. Superseded by +L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)> + + =item L<B<dsa>|dsa(1)> DSA Data Management. @@ -107,18 +117,25 @@ DSA Parameter Generation and Management. Superseded by L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)> +=item L<B<ec>|ec(1)> + +EC (Elliptic curve) key processing + +=item L<B<ecparam>|ecparam(1)> + +EC parameter manipulation and generation + =item L<B<enc>|enc(1)> Encoding with Ciphers. -=item L<B<errstr>|errstr(1)> +=item L<B<engine>|engine(1)> -Error Number to Error String Conversion. +Engine (loadble module) information and manipulation. -=item L<B<dhparam>|dhparam(1)> +=item L<B<errstr>|errstr(1)> -Generation and Management of Diffie-Hellman Parameters. Superseded by -L<B<genpkey>|genpkey(1)> and L<B<pkeyparam>|pkeyparam(1)> +Error Number to Error String Conversion. =item B<gendh> 
@@ -138,6 +155,10 @@ Generation of RSA Private Key. Superceded by L<B<genpkey>|genpkey(1)>. +=item L<B<nseq>|nseq(1) + +Create or examine a netscape certificate sequence + =item L<B<ocsp>|ocsp(1)> Online Certificate Status Protocol utility. @@ -158,14 +179,14 @@ Public and private key management. -=item L<B<pkeyutl>|pkeyutl(1)> - -Public key algorithm cryptographic operation utility. - =item L<B<pkeyparam>|pkeyparam(1)> Public key algorithm parameter management. +=item L<B<pkeyutl>|pkeyutl(1)> + +Public key algorithm cryptographic operation utility. + =item L<B<rand>|rand(1)> Generate pseudo-random bytes. @@ -178,6 +199,7 @@ RSA key management. + =item L<B<rsautl>|rsautl(1)> RSA utility for signing, verification, encryption, and decryption. Superseded @@ -215,6 +237,10 @@ Algorithm Speed Measurement. +=item L<B<spkac>|spkac(1)> + +SPKAC printing and generating utility + =item L<B<ts>|ts(1)> Time Stamping Authority tool (client/server) Index: doc/apps/pkcs7.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/pkcs7.pod,v retrieving revision 1.5 diff -u -r1.5 pkcs7.pod --- doc/apps/pkcs7.pod 30 Jan 2003 22:02:27 -0000 1.5 +++ doc/apps/pkcs7.pod 2 Apr 2009 10:25:30 -0000 @@ -62,7 +62,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<pkcs7> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/pkcs8.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/pkcs8.pod,v retrieving revision 1.6 diff -u -r1.6 pkcs8.pod --- doc/apps/pkcs8.pod 30 Jan 2003 22:02:27 -0000 1.6 +++ doc/apps/pkcs8.pod 2 Apr 2009 10:25:30 -0000 
@@ -125,7 +125,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<pkcs8> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/pkey.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/pkey.pod,v retrieving revision 1.1 diff -u -r1.1 pkey.pod --- doc/apps/pkey.pod 8 Jul 2006 00:24:47 -0000 1.1 +++ doc/apps/pkey.pod 2 Apr 2009 10:25:30 -0000 @@ -94,7 +94,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<pkey> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/pkeyparam.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/pkeyparam.pod,v retrieving revision 1.1 diff -u -r1.1 pkeyparam.pod --- doc/apps/pkeyparam.pod 10 Jul 2006 23:10:26 -0000 1.1 +++ doc/apps/pkeyparam.pod 2 Apr 2009 10:25:30 -0000 @@ -43,7 +43,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<pkeyparam> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/pkeyutl.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/pkeyutl.pod,v retrieving revision 1.4 diff -u -r1.4 pkeyutl.pod --- doc/apps/pkeyutl.pod 9 Jul 2006 16:05:43 -0000 1.4 +++ doc/apps/pkeyutl.pod 2 Apr 2009 10:25:30 -0000 
@@ -12,6 +12,7 @@ [B<-sigfile file>] [B<-inkey file>] [B<-keyform PEM|DER>] +[B<-passin arg>] [B<-peerkey file>] [B<-peerform PEM|DER>] [B<-pubin>] @@ -26,6 +27,7 @@ [B<-pkeyopt opt:value>] [B<-hexdump>] [B<-asn1parse>] +[B<-engine id>] =head1 DESCRIPTION @@ -52,7 +54,13 @@ =item B<-keyform PEM|DER> -the key format PEM or DER. +the key format PEM, DER or ENGINE. + +=item B<-passin arg> + +the input key password source. For more information about the format of B<arg> +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. + =item B<-peerkey file> @@ -60,7 +68,15 @@ =item B<-peerform PEM|DER> -the peer key format PEM or DER. +the peer key format PEM, DER or ENGINE. + +=item B<-engine id> + +specifying an engine (by it's unique B<id> string) will cause B<pkeyutl> +to attempt to obtain a functional reference to the specified engine, +thus initialising it if needed. The engine will then be set as the default +for all available algorithms. + =item B<-pubin> Index: doc/apps/req.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/req.pod,v retrieving revision 1.20 diff -u -r1.20 req.pod --- doc/apps/req.pod 7 Nov 2006 12:51:27 -0000 1.20 +++ doc/apps/req.pod 2 Apr 2009 10:25:30 -0000 @@ -22,13 +22,13 @@ [B<-new>] [B<-rand file(s)>] [B<-newkey rsa:bits>] -[B<-newkey dsa:file>] [B<-newkey alg:file>] [B<-nodes>] [B<-key filename>] [B<-keyform PEM|DER>] [B<-keyout filename>] -[B<-[md5|sha1|md2|mdc2]>] +[B<-keygen_engine id>] +[B<-[digest]>] [B<-config filename>] [B<-subj arg>] [B<-multivalue-rdn>] @@ -36,11 +36,15 @@ [B<-days n>] [B<-set_serial n>] [B<-asn1-kludge>] +[B<-no-asn1-kludge>] [B<-newhdr>] [B<-extensions section>] [B<-reqexts section>] [B<-utf8>] [B<-nameopt>] +[B<-reqopt>] +[B<-subject>] +[B<-subj arg>] [B<-batch>] [B<-verbose>] [B<-engine id>] 
@@ -92,6 +96,11 @@ prints out the certificate request in text form. +=item B<-subject> + +prints out the request subject (or certificate subject if B<-x509> is +specified) + =item B<-pubkey> outputs the public key. @@ -119,6 +128,13 @@ If the B<-key> option is not used it will generate a new RSA private key using information specified in the configuration file. +=item B<-subj arg> + +Replaces subject field of input request with specified data and outputs +modified request. The arg must be formatted as +I</type0=value0/type1=value1/type2=...>, +characters may be escaped by \ (backslash), no spaces are skipped. + =item B<-rand file(s)> a file or files containing random data used to seed the random number 
@@ -132,12 +148,27 @@ this option creates a new certificate request and a new private key. The argument takes one of several forms. B<rsa:nbits>, where B<nbits> is the number of bits, generates an RSA key B<nbits> -in size. B<dsa:filename> generates a DSA key using the parameters -in the file B<filename>. B<param:file> generates a key using the -parameter file B<file>, the algorithm is determined by the +in size. If B<nbits> is omitted, i.e. B<-newkey rsa> specified, +default key size, specified in the configuration file would be used. + +All other algorithms support form B<-newkey alg:file>, where file may be +algorithm parameter file, created by B<genpkey -genparam> command or +X.509 certificate for key with approriate algorithm. + +B<param:file> generates a key using the +parameter file or certificate B<file>, the algorithm is determined by the parameters. B<algname:file> use algorithm B<algname> and parameter file B<file> the two algorithms must match or an error occurs. B<algname> just -uses algorithm B<algname>. +uses algorithm B<algname>, and parameters, if neccessary should be +specified via B<-pkeyopt> parameter. + +B<dsa:filename> generates a DSA key using the parameters +in the file B<filename>. B<ec:filename> generates EC key (usable both with +ECDSA or ECDH algorithms), B<gost2001:filename> generates GOST R +34.10-2001 key (requires B<ccgost> engine configured in the configuration +file). If just B<gost2001> is specified, parameter set should be +specified by B<-pkeyopt paramset:X> + =item B<-pkeyopt opt:value> 
@@ -167,11 +198,15 @@ if this option is specified then if a private key is created it will not be encrypted. -=item B<-[md5|sha1|md2|mdc2]> +=item B<-[digest]> -this specifies the message digest to sign the request with. This +this specifies the message digest to sign the request with (such as +B<-md5>, B<-sha1>). This overrides the digest algorithm specified in the configuration file. -This option is ignored for DSA requests: they always use SHA1. + +Some public key algorithms may override this choice. For instance, DSA +signatures always use SHA1, GOST R 34.10 signatures always use +GOST R 34.11-94 (B<-md_gost94>). =item B<-config filename> @@ -239,6 +274,15 @@ commas. Alternatively the B<-nameopt> switch may be used more than once to set multiple options. See the L<x509(1)|x509(1)> manual page for details. +=item B<-reqopt> + +customise the output format used with B<-text>. The B<option> argument can be +a single option or multiple options separated by commas. + +See discission of the B<-certopt> parameter in the L<B<x509>|x509(1)> +command. + + =item B<-asn1-kludge> by default the B<req> command outputs certificate requests containing @@ -254,6 +298,10 @@ It should be noted that very few CAs still require the use of this option. +=item B<-no-asn1-kludge> + +Reverses effect of B<-asn1-kludge> + =item B<-newhdr> Adds the word B<NEW> to the PEM file header and footer lines on the outputed @@ -274,6 +322,11 @@ thus initialising it if needed. The engine will then be set as the default for all available algorithms. +=item B<-keygen_engine id> + +specifies an engine (by it's unique B<id> string) which would be used +for key generation operations. + =back =head1 CONFIGURATION FILE FORMAT Index: doc/apps/rsa.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/rsa.pod,v retrieving revision 1.9 diff -u -r1.9 rsa.pod --- doc/apps/rsa.pod 30 Jan 2003 22:02:27 -0000 1.9 +++ doc/apps/rsa.pod 2 Apr 2009 10:25:30 -0000 
@@ -120,7 +120,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<rsa> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/s_client.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/s_client.pod,v retrieving revision 1.16 diff -u -r1.16 s_client.pod --- doc/apps/s_client.pod 23 Aug 2007 11:34:48 -0000 1.16 +++ doc/apps/s_client.pod 2 Apr 2009 10:25:30 -0000 @@ -17,6 +17,8 @@ [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-crl_check>] +[B<-crl_check_all>] [B<-reconnect>] [B<-pause>] [B<-showcerts>] @@ -101,6 +103,19 @@ A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. +=item B<-crl_check> + +Enable lookup of server certificate in CRL. If this option used, than +certificate storage specified by B<-CApath> or B<-CAfile> options should +contain valid and actual CRLs for all CAs. Otherwise certificate, issued +by CA which CRL is not present, would be considered invalid. + +=item B<-crl_check_all> + +Enable lookup of all certificates (server and all intermediate CAs if +any) in the CRLs of their respective issuers. + + =item B<-reconnect> reconnects to the same server 5 times using the same session ID, this can Index: doc/apps/smime.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/smime.pod,v retrieving revision 1.15 diff -u -r1.15 smime.pod --- doc/apps/smime.pod 11 May 2007 12:08:38 -0000 1.15 +++ doc/apps/smime.pod 2 Apr 2009 10:25:30 -0000 
@@ -13,17 +13,7 @@ [B<-resign>] [B<-verify>] [B<-pk7out>] -[B<-des>] -[B<-des3>] -[B<-rc2-40>] -[B<-rc2-64>] -[B<-rc2-128>] -[B<-aes128>] -[B<-aes192>] -[B<-aes256>] -[B<-camellia128>] -[B<-camellia192>] -[B<-camellia256>] +[B<-[cipher]>] [B<-in file>] [B<-certfile file>] [B<-signer file>] @@ -161,13 +151,13 @@ digest algorithm to use when signing or resigning. If not present then the default digest algorithm for the signing key will be used (usually SHA1). -=item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128 -camellia192 -camellia256> +=item B<-[cipher]> -the encryption algorithm to use. DES (56 bits), triple DES (168 bits), 40, 64 -or 128 bit RC2, 128, 192 or 256 bit AES, or 128, 192 or 256 bit Camellia -respectively. Any other cipher name (as recognized by the +the encryption algorithm to use. For example DES (56 bits) - B<-des>, +triple DES (168 bits) - B<-des3>, EVP_get_cipherbyname() function) can also be used preceded by a dash, for -example B<-aes_128_cbc>. +example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers +supported by your version of OpenSSL. If not specified 40 bit RC2 is used. Only used with B<-encrypt>. @@ -269,6 +259,11 @@ then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy> + +Set various options of certificate chain verification. See +L<B<verify>|verify(1)> manual page for details. + =back =head1 NOTES Index: doc/apps/spkac.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/spkac.pod,v retrieving revision 1.6 diff -u -r1.6 spkac.pod --- doc/apps/spkac.pod 30 Jan 2003 22:02:27 -0000 1.6 +++ doc/apps/spkac.pod 2 Apr 2009 10:25:30 -0000 
@@ -81,7 +81,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<spkac> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: doc/apps/verify.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/verify.pod,v retrieving revision 1.7 diff -u -r1.7 verify.pod --- doc/apps/verify.pod 13 Jul 2008 14:25:36 -0000 1.7 +++ doc/apps/verify.pod 2 Apr 2009 10:25:30 -0000 @@ -10,6 +10,18 @@ [B<-CApath directory>] [B<-CAfile file>] [B<-purpose purpose>] +[B<-policy arg>] +[B<-ignore_critical>] +[B<-crl_check>] +[B<-crl_check_all>] +[B<-policy_check>] +[B<-explicit_policy>] +[B<-inhibit_any>] +[B<-inhibit_map>] +[B<-x509_strict>] +[B<-extended_crl>] +[B<-use_deltas>] +[B<-policy_print>] [B<-untrusted file>] [B<-help>] [B<-issuer_checks>] 
@@ -66,6 +78,58 @@ does not itself imply that anything is wrong: during the normal verify process several rejections may take place. +=item B<-policy arg> + +Sets certitifcate verification policy. Policy should be specified as +object name or numeric OID, known by OpenSSL + +=item B<-crl_check> + +Forces lookup of the leaf certificate in the certificate revocation list +(CRL). If this option is set, than CRLs for all CA in the certificate +chain must present in the certificate storage, specified by B<-CApath> +or B<-CAfile> option. Certificate, signed by CA which doesn't have valid +CRL would be considered invalid. + +=item B<-crl_check_all> + +Forces lookup of all intermediate CA certificates in the CRLs of their +respective issuers. + +=item B<-ignore_critical> + +Ignore certificate extensions, which are marked critical in the +certificate, but are not known to OpenSSL. + +=item B<-x509_strict> + +Disable workarounds for broken certificates + +=item B<-explicit_policy> + +Set policy variable require-explicit-policy + +=item B<-inhibit_any> + +Set policy variable inhibit-any-policy + +=item B<-inhibit_map> + +Set policy variable inhibit-policy-mapping + +=item B<-policy_print> + +Print out diagnostics, related to policy checking + +=item B<-extended_crl> + +Enable extended CRL features such as indirect CRLs, alternate CRL +signing keys + +=item B<-use_deltas> + +Enable support for delta CRLs. + =item B<-> marks the last option. All arguments following this are assumed to be Index: doc/apps/x509.pod =================================================================== RCS file: /cvs-openssl/openssl/doc/apps/x509.pod,v retrieving revision 1.30 diff -u -r1.30 x509.pod --- doc/apps/x509.pod 12 Mar 2009 17:13:15 -0000 1.30 +++ doc/apps/x509.pod 2 Apr 2009 10:25:30 -0000 
@@ -103,7 +103,7 @@ =item B<-engine id> -specifying an engine (by it's unique B<id> string) will cause B<req> +specifying an engine (by it's unique B<id> string) will cause B<x509> to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms. Index: engines/ccgost/e_gost_err.c =================================================================== RCS file: /cvs-openssl/openssl/engines/ccgost/e_gost_err.c,v retrieving revision 1.8 diff -u -r1.8 e_gost_err.c --- engines/ccgost/e_gost_err.c 17 Mar 2009 15:38:34 -0000 1.8 +++ engines/ccgost/e_gost_err.c 2 Apr 2009 10:25:30 -0000 @@ -86,6 +86,7 @@ {ERR_FUNC(GOST_F_GOST_DO_SIGN), "GOST_DO_SIGN"}, {ERR_FUNC(GOST_F_GOST_DO_VERIFY), "GOST_DO_VERIFY"}, {ERR_FUNC(GOST_F_GOST_IMIT_CTRL), "GOST_IMIT_CTRL"}, +{ERR_FUNC(GOST_F_GOST_IMIT_FINAL), "GOST_IMIT_FINAL"}, {ERR_FUNC(GOST_F_GOST_IMIT_UPDATE), "GOST_IMIT_UPDATE"}, {ERR_FUNC(GOST_F_PARAM_COPY_GOST01), "PARAM_COPY_GOST01"}, {ERR_FUNC(GOST_F_PARAM_COPY_GOST94), "PARAM_COPY_GOST94"}, Index: engines/ccgost/e_gost_err.h =================================================================== RCS file: /cvs-openssl/openssl/engines/ccgost/e_gost_err.h,v retrieving revision 1.9 diff -u -r1.9 e_gost_err.h --- engines/ccgost/e_gost_err.h 17 Mar 2009 15:38:34 -0000 1.9 +++ engines/ccgost/e_gost_err.h 2 Apr 2009 10:25:30 -0000 
@@ -87,6 +87,7 @@ #define GOST_F_GOST_DO_SIGN 112 #define GOST_F_GOST_DO_VERIFY 113 #define GOST_F_GOST_IMIT_CTRL 114 +#define GOST_F_GOST_IMIT_FINAL 140 #define GOST_F_GOST_IMIT_UPDATE 115 #define GOST_F_PARAM_COPY_GOST01 116 #define GOST_F_PARAM_COPY_GOST94 117 Index: engines/ccgost/gost_crypt.c =================================================================== RCS file: /cvs-openssl/openssl/engines/ccgost/gost_crypt.c,v retrieving revision 1.14 diff -u -r1.14 gost_crypt.c --- engines/ccgost/gost_crypt.c 16 Feb 2009 21:52:01 -0000 1.14 +++ engines/ccgost/gost_crypt.c 2 Apr 2009 10:25:30 -0000 @@ -550,7 +550,10 @@ int gost_imit_final(EVP_MD_CTX *ctx,unsigned char *md) { struct ossl_gost_imit_ctx *c = ctx->md_data; - if (!c->key_set) return 0; + if (!c->key_set) { + GOSTerr(GOST_F_GOST_IMIT_FINAL, GOST_R_MAC_KEY_NOT_SET); + return 0; + } if (c->bytes_left) { int i; Index: test/Makefile =================================================================== RCS file: /cvs-openssl/openssl/test/Makefile,v retrieving revision 1.33 diff -u -r1.33 Makefile --- test/Makefile 16 Dec 2008 10:54:27 -0000 1.33 +++ test/Makefile 2 Apr 2009 10:25:30 -0000 @@ -573,7 +573,11 @@ igetest.o: ../include/openssl/aes.h ../include/openssl/e_os2.h igetest.o: ../include/openssl/opensslconf.h ../include/openssl/ossl_typ.h igetest.o: ../include/openssl/rand.h igetest.c -jpaketest.o: ../include/openssl/opensslconf.h jpaketest.c +jpaketest.o: ../include/openssl/buffer.h ../include/openssl/crypto.h +jpaketest.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h +jpaketest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +jpaketest.o: ../include/openssl/safestack.h ../include/openssl/stack.h +jpaketest.o: ../include/openssl/symhacks.h jpaketest.c md2test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h md2test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h md2test.o: ../include/openssl/evp.h ../include/openssl/md2.h 
@@ -613,13 +617,8 @@ rc5test.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h rc5test.o: ../include/openssl/safestack.h ../include/openssl/stack.h rc5test.o: ../include/openssl/symhacks.h rc5test.c -rmdtest.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -rmdtest.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h -rmdtest.o: ../include/openssl/evp.h ../include/openssl/obj_mac.h -rmdtest.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h -rmdtest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h -rmdtest.o: ../include/openssl/ripemd.h ../include/openssl/safestack.h -rmdtest.o: ../include/openssl/stack.h ../include/openssl/symhacks.h rmdtest.c +rmdtest.o: ../e_os.h ../include/openssl/e_os2.h +rmdtest.o: ../include/openssl/opensslconf.h rmdtest.c rsa_test.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h rsa_test.o: ../include/openssl/bn.h ../include/openssl/crypto.h rsa_test.o: ../include/openssl/e_os2.h ../include/openssl/err.h
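Review bot: the new "=item L<B<nseq>|nseq(1)" entry in the openssl.pod command list (hunk "@@ -138,6 +155,10 @@") is missing the closing ">" of the L<...> link, so pod2man will render a malformed link; it should read "=item L<B<nseq>|nseq(1)>" like the neighbouring ocsp entry. In the same file, hunk "@@ -178,6 +199,7 @@" adds nothing but a blank line after "RSA key management.", leaving a double blank line before the rsautl item; drop it.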
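Review bot: the pkcs7.pod "-engine id" hunk correctly replaces B<req> with B<pkcs7>, but the line it rewrites keeps the grammatical error "by it's unique B<id> string" ("its", the possessive, not "it is"); since the patch is already touching that exact line, fix it here and in the identically worded hunks for pkcs8.pod, pkey.pod, pkeyparam.pod, rsa.pod, spkac.pod and x509.pod, and in the newly added "-engine id" item in pkeyutl.pod and "-keygen_engine id" item in req.pod, which copy the same wording.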
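Review bot: the pkeyutl.pod description hunk ("@@ -52,7 +54,13 @@" and "@@ -60,7 +68,15 @@") changes -keyform and -peerform to "PEM, DER or ENGINE", but the synopsis hunk in the same file still advertises "[B<-keyform PEM|DER>]" and "[B<-peerform PEM|DER>]"; update the synopsis to PEM|DER|ENGINE so the two agree. The description should also say what ENGINE means for the file argument, namely that the argument is a key identifier handed to the engine selected with -engine rather than a path to a file, since that is what a reader choosing the format needs to know.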
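Review bot: the req.pod synopsis hunk ("@@ -36,11 +36,15 @@") adds "+[B<-subj arg>]" beneath "[B<-subject>]", but "[B<-subj arg>]" already appears in the unchanged context of the preceding hunk, right after "[B<-config filename>]", so the option is now listed twice in the synopsis; drop the new copy. Relatedly, the "@@ -119,6 +128,13 @@" hunk adds a fresh "=item B<-subj arg>" description; confirm that no existing -subj item remains further down the file (the synopsis carried the option before this patch), otherwise the option is documented twice as well. Minor: the new -subj item should end with a full stop, and "characters may be escaped by \ (backslash), no spaces are skipped" reads better as two sentences.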
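Review bot: spelling in the rewritten -newkey paragraph of req.pod ("@@ -132,12 +148,27 @@"): "approriate" should be "appropriate" and "neccessary" should be "necessary"; "default key size, specified in the configuration file would be used" should read "the default key size specified in the configuration file is used", and the final sentence "parameter set should be specified by B<-pkeyopt paramset:X>" needs a full stop. The paragraph also states the alg:file rule twice, first as "All other algorithms support form B<-newkey alg:file>" and then again via the retained "B<param:file>" / "B<algname:file>" sentences; merging them into one rule followed by the dsa, ec and gost2001 examples would read more clearly.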
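Review bot: "discission" should be "discussion" in the new -reqopt item of req.pod ("@@ -239,6 +274,15 @@"), and the hunk leaves two blank lines before "=item B<-asn1-kludge>" where the file uses one. The item refers to "The B<option> argument", but the synopsis entry added for it is "[B<-reqopt>]" with no argument shown; make it "[B<-reqopt option>]" so the synopsis shows that an argument is required. In the following hunk, "Reverses effect of B<-asn1-kludge>" needs a full stop.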
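Review bot: grammar in the new -crl_check item of s_client.pod ("@@ -101,6 +103,19 @@"): "If this option used, than certificate storage ... should contain valid and actual CRLs for all CAs" should read "If this option is used, the certificate store given by B<-CApath> or B<-CAfile> must also contain current CRLs for every CA in the chain", and "Otherwise certificate, issued by CA which CRL is not present, would be considered invalid" should read "otherwise a certificate issued by a CA whose CRL is not present is treated as invalid". That last point is the one users trip over, since turning the flag on without loading any CRLs makes every server certificate fail verification, so it is worth keeping prominent. The hunk also leaves two blank lines before "=item B<-reconnect>".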
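Review bot: the rewritten -[cipher] description in smime.pod ("@@ -161,13 +151,13 @@") is syntactically broken: the removed line "Any other cipher name (as recognized by the" has no replacement, so the surviving text reads "triple DES (168 bits) - B<-des3>, EVP_get_cipherbyname() function) can also be used preceded by a dash" with an unmatched closing parenthesis and no subject. Suggested wording: "the encryption algorithm to use, for example B<-des> (DES, 56 bits) or B<-des3> (triple DES, 168 bits). Any other cipher name recognized by EVP_get_cipherbyname() can also be used preceded by a dash, for example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for the list of ciphers supported by your version of OpenSSL." The retained sentence "If not specified 40 bit RC2 is used" documents an export-grade default that can be brute-forced; since this paragraph is being rewritten anyway, add a sentence recommending that callers pass an explicit modern cipher such as one of the AES options.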
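Review bot: the new verification-options item in smime.pod ("@@ -269,6 +259,11 @@") lists -purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict and -policy, while the verify.pod synopsis hunk in the same patch also documents -explicit_policy, -inhibit_any, -inhibit_map, -use_deltas and -policy_print. If all of these are handled by the shared args_verify() routine, as the cover text states, the smime list should match verify.pod's so readers are not told a subset; and -policy should be written "-policy arg" since it takes an argument. Consider also following the file's existing item style (one option per B<...>, space separated, as the old cipher item did) rather than a comma-separated heading.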
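Review bot: spelling and grammar in the new verify.pod items ("@@ -66,6 +78,58 @@"): "certitifcate" should be "certificate"; "If this option is set, than CRLs for all CA in the certificate chain must present" should read "then CRLs for every CA in the chain must be present"; "Certificate, signed by CA which doesn't have valid CRL would be considered invalid" should read "a certificate issued by a CA for which no valid CRL is available is treated as invalid"; and the -policy, -x509_strict, -explicit_policy, -inhibit_any, -inhibit_map, -policy_print and -extended_crl items lack a terminating full stop. The -ignore_critical text should state the default and its consequence: by default an unrecognised critical extension makes verification fail, as RFC 5280 requires, and this option turns that failure into a pass, so it weakens verification and is appropriate for diagnosis rather than production use. Finally, -crl_check speaks of the leaf certificate and -crl_check_all of "all intermediate CA certificates"; if -crl_check_all also implies the leaf check, say so explicitly rather than leaving it to the reader.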
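Review bot: the gost_imit_final() change in gost_crypt.c is the right fix, since a bare "return 0" from an EVP final call with no error queued is easy to misread as some other failure, but the patch adds only the GOST_F_GOST_IMIT_FINAL function code to e_gost_err.c and e_gost_err.h and neither adds nor shows the GOST_R_MAC_KEY_NOT_SET reason code it uses; confirm that reason code already exists in e_gost_err.h, otherwise the engine will not compile. These two error files are normally regenerated with util/mkerr.pl rather than edited by hand, so the hand-assigned value 140 placed between 114 and 115 should be checked against a regeneration run so the numbering does not get reshuffled later.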
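Review bot: the two test/Makefile hunks (the jpaketest.o and rmdtest.o dependency lines) are unrelated to the documentation and GOST changes described in the cover text and look like the output of a "make depend" run under the submitter's local configuration: rmdtest.o losing every ripemd and evp header and keeping only e_os.h, e_os2.h and opensslconf.h is what results when that source compiles to an empty stub in a build with RIPEMD disabled. Drop both hunks from this patch; dependency regeneration belongs in a separate commit made from a pristine default configuration so the committed dependencies do not encode one developer's disabled algorithms.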