Import OpenSSL 1.1.0h

2018-04-13 17:45:41 +00:00
parent f39d324ed3
commit 807cee26df
513 changed files with 11248 additions and 3603 deletions
--- a/doc/apps/asn1parse.pod
+++ b/doc/apps/asn1parse.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-asn1parse,
 asn1parse - ASN.1 parsing tool

 =head1 SYNOPSIS
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-ca,
 ca - sample minimal CA application

 =head1 SYNOPSIS
@@ -442,6 +443,10 @@ versions of OpenSSL.  However, to make CA certificate roll-over easier,
 it's recommended to use the value B<no>, especially if combined with
 the B<-selfsign> command line option.

+Note that it is valid in some circumstances for certificates to be created
+without any subject. In the case where there are multiple certificates without
+subjects this does not count as a duplicate.
+
 =item B<serial>

 a text file containing the next serial number to use in hex. Mandatory.
@@ -709,7 +714,7 @@ L<config(5)>, L<x509v3_config(5)>

 =head1 COPYRIGHT

-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.

 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
--- a/doc/apps/ciphers.pod
+++ b/doc/apps/ciphers.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-ciphers,
 ciphers - SSL cipher display and cipher list tool

 =head1 SYNOPSIS
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-cms,
 cms - CMS utility

 =head1 SYNOPSIS
@@ -185,7 +186,7 @@ output an error.
 =item B<-EncryptedData_encrypt>

 Encrypt content using supplied symmetric key and algorithm using a CMS
-B<EncrytedData> type and output the content.
+B<EncryptedData> type and output the content.

 =item B<-sign_receipt>

--- a/doc/apps/crl.pod
+++ b/doc/apps/crl.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-crl,
 crl - CRL utility

 =head1 SYNOPSIS
--- a/doc/apps/crl2pkcs7.pod
+++ b/doc/apps/crl2pkcs7.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-crl2pkcs7,
 crl2pkcs7 - Create a PKCS#7 structure from a CRL and certificates

 =head1 SYNOPSIS
--- a/doc/apps/dgst.pod
+++ b/doc/apps/dgst.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-dgst,
 dgst, sha, sha1, mdc2, ripemd160, sha224, sha256, sha384, sha512, md4, md5, blake2b, blake2s - message digests

 =head1 SYNOPSIS
--- a/doc/apps/dhparam.pod
+++ b/doc/apps/dhparam.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-dhparam,
 dhparam - DH parameter manipulation and generation

 =head1 SYNOPSIS
--- a/doc/apps/dsa.pod
+++ b/doc/apps/dsa.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-dsa,
 dsa - DSA key processing

 =head1 SYNOPSIS
--- a/doc/apps/dsaparam.pod
+++ b/doc/apps/dsaparam.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-dsaparam,
 dsaparam - DSA parameter manipulation and generation

 =head1 SYNOPSIS
--- a/doc/apps/ec.pod
+++ b/doc/apps/ec.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-ec,
 ec - EC key processing

 =head1 SYNOPSIS
--- a/doc/apps/ecparam.pod
+++ b/doc/apps/ecparam.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-ecparam,
 ecparam - EC parameter manipulation and generation

 =head1 SYNOPSIS
@@ -90,8 +91,8 @@ currently implemented EC parameters names and exit.
 =item B<-conv_form>

 This specifies how the points on the elliptic curve are converted
-into octet strings. Possible values are: B<compressed> (the default
-value), B<uncompressed> and B<hybrid>. For more information regarding
+into octet strings. Possible values are: B<compressed>, B<uncompressed> (the
+default value) and B<hybrid>. For more information regarding
 the point conversion forms please read the X9.62 standard.
 B<Note> Due to patent issues the B<compressed> option is disabled
 by default for binary curves and can be enabled by defining
@@ -175,7 +176,7 @@ L<ec(1)>, L<dsaparam(1)>

 =head1 COPYRIGHT

-Copyright 2003-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2003-2018 The OpenSSL Project Authors. All Rights Reserved.

 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
--- a/doc/apps/enc.pod
+++ b/doc/apps/enc.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-enc,
 enc - symmetric cipher routines

 =head1 SYNOPSIS
--- a/doc/apps/engine.pod
+++ b/doc/apps/engine.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-engine,
 engine - load and query engines

 =head1 SYNOPSIS
@@ -92,9 +93,19 @@ To list the capabilities of the I<rsax> engine:
  [RSA]
 (dynamic) Dynamic engine loading support

+=head1 ENVIRONMENT
+
+=over 4
+
+=item B<OPENSSL_ENGINES>
+
+The path to the engines directory.
+
+=back
+
 =head1 COPYRIGHT

-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.

 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
--- a/doc/apps/errstr.pod
+++ b/doc/apps/errstr.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-errstr,
 errstr - lookup error codes

 =head1 SYNOPSIS
--- a/doc/apps/gendsa.pod
+++ b/doc/apps/gendsa.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-gendsa,
 gendsa - generate a DSA private key from a set of parameters

 =head1 SYNOPSIS
--- a/doc/apps/genpkey.pod
+++ b/doc/apps/genpkey.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-genpkey,
 genpkey - generate a private key

 =head1 SYNOPSIS
--- a/doc/apps/genrsa.pod
+++ b/doc/apps/genrsa.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-genrsa,
 genrsa - generate an RSA private key

 =head1 SYNOPSIS
--- a/doc/apps/list.pod
+++ b/doc/apps/list.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-list,
 list - list algorithms and features

 =head1 SYNOPSIS
--- a/doc/apps/nseq.pod
+++ b/doc/apps/nseq.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-nseq,
 nseq - create or examine a Netscape certificate sequence

 =head1 SYNOPSIS
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-ocsp,
 ocsp - Online Certificate Status Protocol utility

 =head1 SYNOPSIS
--- a/doc/apps/openssl.pod
+++ b/doc/apps/openssl.pod
@@ -182,6 +182,10 @@ PKCS#12 Data Management.

 PKCS#7 Data Management.

+=item L<B<pkcs8>|pkcs8(1)>
+
+PKCS#8 format private key conversion tool.
+
 =item L<B<pkey>|pkey(1)>

 Public and private key management.
@@ -198,6 +202,10 @@ Public key algorithm cryptographic operation utility.

 Generate pseudo-random bytes.

+=item L<B<rehash>|rehash(1)>
+
+Create symbolic links to certificate and CRL files named by the hash values.
+
 =item L<B<req>|req(1)>

 PKCS#10 X.509 Certificate Signing Request (CSR) Management.
@@ -418,17 +426,20 @@ Read the password from standard input.

 =head1 SEE ALSO

-L<asn1parse(1)>, L<ca(1)>, L<config(5)>,
+L<asn1parse(1)>, L<ca(1)>, L<ciphers(1)>, L<cms(1)>, L<config(5)>,
 L<crl(1)>, L<crl2pkcs7(1)>, L<dgst(1)>,
 L<dhparam(1)>, L<dsa(1)>, L<dsaparam(1)>,
-L<enc(1)>, L<engine(1)>, L<gendsa(1)>, L<genpkey(1)>,
-L<genrsa(1)>, L<nseq(1)>, L<openssl(1)>,
+L<ec(1)>, L<ecparam(1)>,
+L<enc(1)>, L<engine(1)>, L<errstr(1)>, L<gendsa(1)>, L<genpkey(1)>,
+L<genrsa(1)>, L<nseq(1)>, L<ocsp(1)>,
 L<passwd(1)>,
 L<pkcs12(1)>, L<pkcs7(1)>, L<pkcs8(1)>,
-L<rand(1)>, L<req(1)>, L<rsa(1)>,
+L<pkey(1)>, L<pkeyparam(1)>, L<pkeyutl(1)>,
+L<rand(1)>, L<rehash(1)>, L<req(1)>, L<rsa(1)>,
 L<rsautl(1)>, L<s_client(1)>,
-L<s_server(1)>, L<s_time(1)>,
-L<smime(1)>, L<spkac(1)>,
+L<s_server(1)>, L<s_time(1)>, L<sess_id(1)>,
+L<smime(1)>, L<speed(1)>, L<spkac(1)>,
+L<ts(1)>,
 L<verify(1)>, L<version(1)>, L<x509(1)>,
 L<crypto(7)>, L<ssl(7)>, L<x509v3_config(5)>

--- a/doc/apps/passwd.pod
+++ b/doc/apps/passwd.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-passwd,
 passwd - compute password hashes

 =head1 SYNOPSIS
--- a/doc/apps/pkcs12.pod
+++ b/doc/apps/pkcs12.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-pkcs12,
 pkcs12 - PKCS#12 file utility

 =head1 SYNOPSIS
--- a/doc/apps/pkcs7.pod
+++ b/doc/apps/pkcs7.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-pkcs7,
 pkcs7 - PKCS#7 utility

 =head1 SYNOPSIS
--- a/doc/apps/pkcs8.pod
+++ b/doc/apps/pkcs8.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-pkcs8,
 pkcs8 - PKCS#8 format private key conversion tool

 =head1 SYNOPSIS
--- a/doc/apps/pkey.pod
+++ b/doc/apps/pkey.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-pkey,
 pkey - public or private key processing tool

 =head1 SYNOPSIS
--- a/doc/apps/pkeyparam.pod
+++ b/doc/apps/pkeyparam.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-pkeyparam,
 pkeyparam - public key algorithm parameter processing tool

 =head1 SYNOPSIS
--- a/doc/apps/pkeyutl.pod
+++ b/doc/apps/pkeyutl.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-pkeyutl,
 pkeyutl - public key algorithm utility

 =head1 SYNOPSIS
--- a/doc/apps/rand.pod
+++ b/doc/apps/rand.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-rand,
 rand - generate pseudo-random bytes

 =head1 SYNOPSIS
--- a/doc/apps/rehash.pod
+++ b/doc/apps/rehash.pod
@@ -5,6 +5,7 @@ Original text by James Westby, contributed under the OpenSSL license.

 =head1 NAME

+openssl-c_rehash, openssl-rehash,
 c_rehash, rehash - Create symbolic links to files named by the hash values

 =head1 SYNOPSIS
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-req,
 req - PKCS#10 certificate request and certificate generating utility

 =head1 SYNOPSIS
--- a/doc/apps/rsa.pod
+++ b/doc/apps/rsa.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-rsa,
 rsa - RSA key processing tool

 =head1 SYNOPSIS
--- a/doc/apps/rsautl.pod
+++ b/doc/apps/rsautl.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-rsautl,
 rsautl - RSA utility

 =head1 SYNOPSIS
@@ -115,7 +116,7 @@ Recover the signed data

 Examine the raw signed data:

- openssl rsautl -verify -in file -inkey key.pem -raw -hexdump
+ openssl rsautl -verify -in sig -inkey key.pem -raw -hexdump

 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff   ................
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-s_client,
 s_client - SSL/TLS client program

 =head1 SYNOPSIS
@@ -346,12 +347,14 @@ Can be used to override the implicit B<-ign_eof> after B<-quiet>.
 =item B<-psk_identity identity>

 Use the PSK identity B<identity> when using a PSK cipher suite.
+The default value is "Client_identity" (without the quotes).

 =item B<-psk key>

 Use the PSK key B<key> when using a PSK cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
+This option must be provided in order to use a PSK cipher.

 =item B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>

--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-s_server,
 s_server - SSL/TLS server program

 =head1 SYNOPSIS
@@ -323,6 +324,7 @@ Use the PSK identity hint B<hint> when using a PSK cipher suite.
 Use the PSK key B<key> when using a PSK cipher suite. The key is
 given as a hexadecimal number without leading 0x, for example -psk
 1a2b3c4d.
+This option must be provided in order to use a PSK cipher.

 =item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-tls1_1>, B<-tls1_2>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>

@@ -574,10 +576,6 @@ a web browser the command:

 can be used for example.

-Most web browsers (in particular Netscape and MSIE) only support RSA cipher
-suites, so they cannot connect to servers which don't use a certificate
-carrying an RSA key or a version of OpenSSL with RSA disabled.
-
 Although specifying an empty list of CAs when requesting a client certificate
 is strictly speaking a protocol violation, some SSL clients interpret this to
 mean any CA is acceptable. This is useful for debugging purposes.
--- a/doc/apps/s_time.pod
+++ b/doc/apps/s_time.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-s_time,
 s_time - SSL/TLS performance timing program

 =head1 SYNOPSIS
--- a/doc/apps/sess_id.pod
+++ b/doc/apps/sess_id.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-sess_id,
 sess_id - SSL/TLS session handling utility

 =head1 SYNOPSIS
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-smime,
 smime - S/MIME utility

 =head1 SYNOPSIS
--- a/doc/apps/speed.pod
+++ b/doc/apps/speed.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-speed,
 speed - test library performance

 =head1 SYNOPSIS
--- a/doc/apps/spkac.pod
+++ b/doc/apps/spkac.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-spkac,
 spkac - SPKAC printing and generating utility

 =head1 SYNOPSIS
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-ts,
 ts - Time Stamping Authority tool (client/server)

 =head1 SYNOPSIS
--- a/doc/apps/tsget.pod
+++ b/doc/apps/tsget.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-tsget,
 tsget - Time Stamping HTTP/HTTPS client

 =head1 SYNOPSIS
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-verify,
 verify - Utility to verify certificates

 =head1 SYNOPSIS
--- a/doc/apps/version.pod
+++ b/doc/apps/version.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-version,
 version - print OpenSSL version information

 =head1 SYNOPSIS
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -2,6 +2,7 @@

 =head1 NAME

+openssl-x509,
 x509 - Certificate display and signing utility

 =head1 SYNOPSIS
@@ -230,8 +231,11 @@ non-zero if yes it will expire or zero if not.

 =item B<-fingerprint>

-prints out the digest of the DER encoded version of the whole certificate
-(see digest options).
+Calculates and outputs the digest of the DER encoded version of the entire
+certificate (see digest options).
+This is commonly called a "fingerprint". Because of the nature of message
+digests, the fingerprint of a certificate is unique to that certificate and
+two certificates with the same fingerprint can be considered to be the same.

 =item B<-C>

@@ -686,10 +690,6 @@ supporting UTF8:

 openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb

-Display the certificate MD5 fingerprint:
-
- openssl x509 -in cert.pem -noout -fingerprint
-
 Display the certificate SHA1 fingerprint:

 openssl x509 -sha1 -in cert.pem -noout -fingerprint
@@ -743,13 +743,6 @@ T61Strings use the ISO8859-1 character set. This is wrong but Netscape
 and MSIE do this as do many certificates. So although this is incorrect
 it is more likely to display the majority of certificates correctly.

-The B<-fingerprint> option takes the digest of the DER encoded certificate.
-This is commonly called a "fingerprint". Because of the nature of message
-digests the fingerprint of a certificate is unique to that certificate and
-two certificates with the same fingerprint can be considered to be the same.
-
-The Netscape fingerprint uses MD5 whereas MSIE uses SHA1.
-
 The B<-email> option searches the subject name and the subject alternative
 name extension. Only unique email addresses will be printed out: it will
 not print the same address more than once.
@@ -895,7 +888,7 @@ the old form must have their links rebuilt using B<c_rehash> or similar.

 =head1 COPYRIGHT

-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.

 Licensed under the OpenSSL license (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
--- a/doc/apps/x509v3_config.pod
+++ b/doc/apps/x509v3_config.pod
@@ -352,7 +352,7 @@ Example:
 noticeNumbers=1,2,3,4

 The B<ia5org> option changes the type of the I<organization> field. In RFC2459
-it can only be of type DisplayText. In RFC3280 IA5Strring is also permissible.
+it can only be of type DisplayText. In RFC3280 IA5String is also permissible.
 Some software (for example some versions of MSIE) may require ia5org.

 =head2 Policy Constraints