diff options
author | Damien Miller <djm@cvs.openbsd.org> | 2008-09-06 12:15:50 +0000 |
---|---|---|
committer | Damien Miller <djm@cvs.openbsd.org> | 2008-09-06 12:15:50 +0000 |
commit | 6fefe70d50993ef1bb98f0f2267226060eaee1a3 (patch) | |
tree | 0eeaca6cad020fb8da7bf9a67aa01fca5b1cda7f | |
parent | 3bb417436e5e74ef710cf04ac10efc8538bf1528 (diff) |
import of OpenSSL 0.9.8h
-rw-r--r-- | lib/libssl/src/doc/apps/x509v3_config.pod | 97 | ||||
-rw-r--r-- | lib/libssl/src/doc/crypto/ASN1_generate_nconf.pod | 7 | ||||
-rw-r--r-- | lib/libssl/src/doc/crypto/BN_BLINDING_new.pod | 22 | ||||
-rw-r--r-- | lib/libssl/src/doc/crypto/ecdsa.pod | 12 |
4 files changed, 30 insertions, 108 deletions
diff --git a/lib/libssl/src/doc/apps/x509v3_config.pod b/lib/libssl/src/doc/apps/x509v3_config.pod index 0450067cf1d..38c46e85c46 100644 --- a/lib/libssl/src/doc/apps/x509v3_config.pod +++ b/lib/libssl/src/doc/apps/x509v3_config.pod @@ -52,7 +52,7 @@ use is defined by the extension code itself: check out the certificate policies extension for an example. If an extension type is unsupported then the I<arbitrary> extension syntax -must be used, see the L<ARBITRARY EXTENSIONS|/"ARBITRARY EXTENSIONS"> section for more details. +must be used, see the L<ARBITRART EXTENSIONS|/"ARBITRARY EXTENSIONS"> section for more details. =head1 STANDARD EXTENSIONS @@ -178,7 +178,7 @@ preceeding the name with a B<+> character. otherName can include arbitrary data associated with an OID: the value should be the OID followed by a semicolon and the content in standard -L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)> format. +ASN1_generate_nconf() format. Examples: @@ -226,82 +226,21 @@ Example: =head2 CRL distribution points. -This is a multi-valued extension whose options can be either in name:value pair -using the same form as subject alternative name or a single value representing -a section name containing all the distribution point fields. +This is a multi-valued extension that supports all the literal options of +subject alternative name. Of the few software packages that currently interpret +this extension most only interpret the URI option. -For a name:value pair a new DistributionPoint with the fullName field set to -the given value both the cRLissuer and reasons fields are omitted in this case. +Currently each option will set a new DistributionPoint with the fullName +field set to the given value. -In the single option case the section indicated contains values for each -field. In this section: +Other fields like cRLissuer and reasons cannot currently be set or displayed: +at this time no examples were available that used these fields. -If the name is "fullname" the value field should contain the full name -of the distribution point in the same format as subject alternative name. - -If the name is "relativename" then the value field should contain a section -name whose contents represent a DN fragment to be placed in this field. - -The name "CRLIssuer" if present should contain a value for this field in -subject alternative name format. - -If the name is "reasons" the value field should consist of a comma -separated field containing the reasons. Valid reasons are: "keyCompromise", -"CACompromise", "affiliationChanged", "superseded", "cessationOfOperation", -"certificateHold", "privilegeWithdrawn" and "AACompromise". - - -Simple examples: +Examples: crlDistributionPoints=URI:http://myhost.com/myca.crl crlDistributionPoints=URI:http://my.com/my.crl,URI:http://oth.com/my.crl -Full distribution point example: - - crlDistributionPoints=crldp1_section - - [crldp1_section] - - fullname=URI:http://myhost.com/myca.crl - CRLissuer=dirName:issuer_sect - reasons=keyCompromise, CACompromise - - [issuer_sect] - C=UK - O=Organisation - CN=Some Name - -=head2 Issuing Distribution Point - -This extension should only appear in CRLs. It is a multi valued extension -whose syntax is similar to the "section" pointed to by the CRL distribution -points extension with a few differences. - -The names "reasons" and "CRLissuer" are not recognized. - -The name "onlysomereasons" is accepted which sets this field. The value is -in the same format as the CRL distribution point "reasons" field. - -The names "onlyuser", "onlyCA", "onlyAA" and "indirectCRL" are also accepted -the values should be a boolean value (TRUE or FALSE) to indicate the value of -the corresponding field. - -Example: - - issuingDistributionPoint=critical, @idp_section - - [idp_section] - - fullname=URI:http://myhost.com/myca.crl - indirectCRL=TRUE - onlysomereasons=keyCompromise, CACompromise - - [issuer_sect] - C=UK - O=Organisation - CN=Some Name - - =head2 Certificate Policies. This is a I<raw> extension. All the fields of this extension can be set by @@ -390,16 +329,6 @@ Examples: nameConstraints=permitted;email:.somedomain.com nameConstraints=excluded;email:.com -issuingDistributionPoint = idp_section - -=head2 OCSP No Check - -The OCSP No Check extension is a string extension but its value is ignored. - -Example: - - noCheck = ignored - =head1 DEPRECATED EXTENSIONS @@ -441,8 +370,7 @@ the data is formatted correctly for the given extension type. There are two ways to encode arbitrary extensions. The first way is to use the word ASN1 followed by the extension content -using the same syntax as L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)>. -For example: +using the same syntax as ASN1_generate_nconf(). For example: 1.2.3.4=critical,ASN1:UTF8String:Some random data @@ -522,8 +450,7 @@ for arbitrary extensions was added in OpenSSL 0.9.8 =head1 SEE ALSO -L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)>, -L<ASN1_generate_nconf(3)|ASN1_generate_nconf(3)> +L<req(1)|req(1)>, L<ca(1)|ca(1)>, L<x509(1)|x509(1)> =cut diff --git a/lib/libssl/src/doc/crypto/ASN1_generate_nconf.pod b/lib/libssl/src/doc/crypto/ASN1_generate_nconf.pod index 542fd1579ab..1157cff510d 100644 --- a/lib/libssl/src/doc/crypto/ASN1_generate_nconf.pod +++ b/lib/libssl/src/doc/crypto/ASN1_generate_nconf.pod @@ -6,8 +6,6 @@ ASN1_generate_nconf, ASN1_generate_v3 - ASN1 generation functions =head1 SYNOPSIS - #include <openssl/asn1.h> - ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf); ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf); @@ -103,8 +101,7 @@ bits is set to zero. =item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>, B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>, B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>, -B<T61STRING>, B<TELETEXSTRING>, B<GeneralString>, B<NUMERICSTRING>, -B<NUMERIC> +B<T61STRING>, B<TELETEXSTRING>, B<GeneralString> These encode the corresponding string types. B<value> represents the contents of this structure. The format can be B<ASCII> or B<UTF8>. @@ -178,7 +175,7 @@ An IA5String explicitly tagged using APPLICATION tagging: A BITSTRING with bits 1 and 5 set and all others zero: - FORMAT:BITLIST,BITSTRING:1,5 + FORMAT=BITLIST,BITSTRING:1,5 A more complex example using a config file to produce a SEQUENCE consiting of a BOOL an OID and a UTF8String: diff --git a/lib/libssl/src/doc/crypto/BN_BLINDING_new.pod b/lib/libssl/src/doc/crypto/BN_BLINDING_new.pod index da06e444612..7b087f7288f 100644 --- a/lib/libssl/src/doc/crypto/BN_BLINDING_new.pod +++ b/lib/libssl/src/doc/crypto/BN_BLINDING_new.pod @@ -22,11 +22,8 @@ functions. BN_CTX *ctx); int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx); - #ifndef OPENSSL_NO_DEPRECATED unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); - #endif - CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, @@ -48,7 +45,7 @@ necessary parameters are set, by re-creating the blinding parameters. BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>. If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be -returned in B<r> (this is useful if a B<RSA> object is shared among +returned in B<r> (this is useful if a B<RSA> object is shared amoung several threads). BN_BLINDING_invert_ex() multiplies B<n> with the inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as the inverse blinding. @@ -57,11 +54,11 @@ BN_BLINDING_convert() and BN_BLINDING_invert() are wrapper functions for BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() with B<r> set to NULL. -BN_BLINDING_thread_id() provides access to the B<CRYPTO_THREADID> -object within the B<BN_BLINDING> structure. This is to help users -provide proper locking if needed for multi-threaded use. The "thread -id" object of a newly allocated B<BN_BLINDING> structure is -initialised to the thread id in which BN_BLINDING_new() was called. +BN_BLINDING_set_thread_id() and BN_BLINDING_get_thread_id() +set and get the "thread id" value of the B<BN_BLINDING> structure, +a field provided to users of B<BN_BLINDING> structure to help them +provide proper locking if needed for multi-threaded use. The +"thread id" of a newly allocated B<BN_BLINDING> structure is zero. BN_BLINDING_get_flags() returns the BN_BLINDING flags. Currently there are two supported flags: B<BN_BLINDING_NO_UPDATE> and @@ -86,8 +83,8 @@ BN_BLINDING_update(), BN_BLINDING_convert(), BN_BLINDING_invert(), BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() return 1 on success and 0 if an error occured. -BN_BLINDING_thread_id() returns a pointer to the thread id object -within a B<BN_BLINDING> object. +BN_BLINDING_get_thread_id() returns the thread id (a B<unsigned long> +value) or 0 if not set. BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags (a B<unsigned long> value). @@ -101,9 +98,6 @@ L<bn(3)|bn(3)> =head1 HISTORY -BN_BLINDING_thread_id was first introduced in OpenSSL 1.0.0, and it -deprecates BN_BLINDING_set_thread_id and BN_BLINDING_get_thread_id. - BN_BLINDING_convert_ex, BN_BLINDIND_invert_ex, BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_set_flags, BN_BLINDING_get_flags and BN_BLINDING_create_param were first introduced in OpenSSL 0.9.8 diff --git a/lib/libssl/src/doc/crypto/ecdsa.pod b/lib/libssl/src/doc/crypto/ecdsa.pod index 59a5916de12..49b10f22499 100644 --- a/lib/libssl/src/doc/crypto/ecdsa.pod +++ b/lib/libssl/src/doc/crypto/ecdsa.pod @@ -95,7 +95,7 @@ is ignored. ECDSA_verify() verifies that the signature in B<sig> of size B<siglen> is a valid ECDSA signature of the hash value -B<dgst> of size B<dgstlen> using the public key B<eckey>. +value B<dgst> of size B<dgstlen> using the public key B<eckey>. The parameter B<type> is ignored. ECDSA_do_sign() is wrapper function for ECDSA_do_sign_ex with B<kinv> @@ -114,7 +114,7 @@ using the public key B<eckey>. ECDSA_size() returns the maximum length signature or 0 on error. -ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or 0 +ECDSA_sign_setup() and ECDSA_sign() return 1 if successful or -1 on error. ECDSA_verify() and ECDSA_do_verify() return 1 for a valid @@ -131,12 +131,16 @@ specific) int ret; ECDSA_SIG *sig; - EC_KEY *eckey; - eckey = EC_KEY_new_by_curve_name(NID_secp192k1); + EC_KEY *eckey = EC_KEY_new(); if (eckey == NULL) { /* error */ } + key->group = EC_GROUP_new_by_nid(NID_secp192k1); + if (key->group == NULL) + { + /* error */ + } if (!EC_KEY_generate_key(eckey)) { /* error */ |