OpenSSL CVS Repository
http://cvs.openssl.org/
____________________________________________________________
________________
Server: cvs.openssl.org Name: Dr.
Stephen Henson
Root: /v/openssl/cvs Email: steve openssl.org
Module: openssl Date:
12-Jul-2006 14:31:31
Branch: HEAD Handle:
2006071213312802
Added files:
openssl/doc/crypto EVP_DigestSignInit.pod
EVP_DigestVerifyInit.pod
Modified files:
openssl/crypto/evp bio_md.c evp.h
openssl/doc/crypto BIO_f_md.pod EVP_PKEY_verify.pod
EVP_SignInit.pod
EVP_VerifyInit.pod
Log:
New docs for EVP_Digest{Sign,Verify}*() function. Update
existing
docs.
Summary:
Revision Changes Path
1.14 +3 -7 openssl/crypto/evp/bio_md.c
1.166 +2 -5 openssl/crypto/evp/evp.h
1.8 +6 -0 openssl/doc/crypto/BIO_f_md.pod
1.1 +87 -0
openssl/doc/crypto/EVP_DigestSignInit.pod
1.1 +82 -0
openssl/doc/crypto/EVP_DigestVerifyInit.pod
1.3 +5 -5
openssl/doc/crypto/EVP_PKEY_verify.pod
1.7 +9 -0
openssl/doc/crypto/EVP_SignInit.pod
1.6 +9 -0
openssl/doc/crypto/EVP_VerifyInit.pod
____________________________________________________________
________________
patch -p0 <<' .'
Index: openssl/crypto/evp/bio_md.c
============================================================
================
$ cvs diff -u -r1.13 -r1.14 bio_md.c
--- openssl/crypto/evp/bio_md.c 22 Mar 2005 17:55:18
-0000 1.13
+++ openssl/crypto/evp/bio_md.c 12 Jul 2006 12:31:28
-0000 1.14
-192,13 +192,9
ret=0;
break;
case BIO_C_GET_MD_CTX:
- if (b->init)
- {
- pctx=ptr;
- *pctx=ctx;
- }
- else
- ret=0;
+ pctx=ptr;
+ *pctx=ctx;
+ b->init = 1;
break;
case BIO_C_DO_STATE_MACHINE:
BIO_clear_retry_flags(b);
.
patch -p0 <<' .'
Index: openssl/crypto/evp/evp.h
============================================================
================
$ cvs diff -u -r1.165 -r1.166 evp.h
--- openssl/crypto/evp/evp.h 10 Jul 2006 18:36:52
-0000 1.165
+++ openssl/crypto/evp/evp.h 12 Jul 2006 12:31:28
-0000 1.166
-453,11 +453,8
#define EVP_VerifyUpdate(a,b,c) EVP_DigestUpdate(a,b,c)
#define
EVP_OpenUpdate(a,b,c,d,e) EVP_DecryptUpdate(a,b,c,d,e)
#define
EVP_SealUpdate(a,b,c,d,e) EVP_EncryptUpdate(a,b,c,d,e)
-#define
EVP_SignDigestUpdate(a,b,c) EVP_DigestUpdate(a,b,c)
-#define
EVP_VerifyDigestUpdate(a,b,c) EVP_DigestUpdate(a,b,c)
-
-#define
EVP_DigestSignUpdate(a,b,c) EVP_DigestUpdate(a,b,c)
-#define
EVP_DigestVerifyUpdate(a,b,c) EVP_DigestUpdate(a,b,c)
+#define
EVP_DigestSignUpdate(a,b,c) EVP_DigestUpdate(a,b,c)
+#define
EVP_DigestVerifyUpdate(a,b,c) EVP_DigestUpdate(a,b,c)
#ifdef CONST_STRICT
void BIO_set_md(BIO *,const EVP_MD *md);
.
patch -p0 <<' .'
Index: openssl/doc/crypto/BIO_f_md.pod
============================================================
================
$ cvs diff -u -r1.7 -r1.8 BIO_f_md.pod
--- openssl/doc/crypto/BIO_f_md.pod 7 Sep 2001 06:13:37
-0000 1.7
+++ openssl/doc/crypto/BIO_f_md.pod 12 Jul 2006 12:31:29
-0000 1.8
-58,6 +58,12
a chain containing digest BIOs then this can be done by
prepending
a buffering BIO.
+Before OpenSSL 0.9.9 the call to BIO_get_md_ctx() would
only work if the BIO
+had been initialized for example by calling BIO_set_md()
). In OpenSSL
+0.9.9 and later the context is always returned and the
BIO is state is set
+to initialized. This allows applications to initialize
the context externally
+if the standard calls such as BIO_set_md() are not
sufficiently flexible.
+
=head1 RETURN VALUES
BIO_f_md() returns the digest BIO method.
.
patch -p0 <<' .'
Index: openssl/doc/crypto/EVP_DigestSignInit.pod
============================================================
================
$ cvs diff -u -r0 -r1.1 EVP_DigestSignInit.pod
--- /dev/null 2006-07-12 14:31:29 +0200
+++ EVP_DigestSignInit.pod 2006-07-12 14:31:31 +0200
-0,0 +1,87
+=pod
+
+=head1 NAME
+
+EVP_DigestSignInit, EVP_DigestSignUpdate,
EVP_DigestSignFinal - EVP signing functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX
**pctx,
+ const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
+ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d,
unsigned int cnt);
+ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char
*sig, size_t *siglen);
+
+=head1 DESCRIPTION
+
+The EVP signature routines are a high level interface to
digital signatures.
+
+EVP_DigestSignInit() sets up signing context B<ctx>
to use digest B<type> from
+ENGINE B<impl> and private key B<pkey>.
B<ctx> must be initialized with
+EVP_MD_CTX_init() before calling this function. If
B<pctx> is not NULL the
+EVP_PKEY_CTX of the signing operation will be written to
B<*pctx>: this can
+be used to set alternative signing options.
+
+EVP_DigestSignUpdate() hashes B<cnt> bytes of data
at B<d> into the
+signature context B<ctx>. This function can be
called several times on the
+same B<ctx> to include additional data. This
function is currently implemented
+usig a macro.
+
+EVP_DigestSignFinal() signs the data in B<ctx>
places the signature in B<sig>.
+If B<sig> is B<NULL> then the maximum size of
the output buffer is written to
+the B<siglen> parameter. If B<sig> is not
B<NULL> then before the call the
+B<siglen> parameter should contain the length of
the B<sig> buffer, if the
+call is successful the signature is written to
B<sig> and the amount of data
+written to B<siglen>.
+
+=head1 RETURN VALUES
+
+EVP_DigestSignInit() EVP_DigestSignUpdate() and
EVP_DigestSignaFinal() return
+1 for success and 0 or a negative value for failure. In
particular a return
+value of -2 indicates the operation is not supported by
the public key
+algorithm.
+
+The error codes can be obtained from
L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTES
+
+The B<EVP> interface to digital signatures should
almost always be used in
+preference to the low level interfaces. This is because
the code then becomes
+transparent to the algorithm used and much more flexible.
+
+In previous versions of OpenSSL there was a link between
message digest types
+and public key algorithms. This meant that
"clone" digests such as EVP_dss1()
+needed to be used to sign using SHA1 and DSA. This is no
longer necessary and
+the use of clone digest is now discouraged.
+
+For some key types and parameters the random number
generator must be seeded
+or the operation will fail.
+
+The call to EVP_DigestSignFinal() internally finalizes a
copy of the digest
+context. This means that calls to EVP_DigestSignUpdate()
and
+EVP_DigestSignFinal() can be called later to digest and
sign additional data.
+
+Since only a copy of the digest context is ever finalized
the context must
+be cleaned up after use by calling EVP_MD_CTX_cleanup()
or a memory leak
+will occur.
+
+The use of EVP_PKEY_size() with these functions is
discouraged because some
+signature operations may have a signature length which
depends on the
+parameters set. As a result EVP_PKEY_size() would have to
return a value
+which indicates the maximum possible signature for any
set of parameters.
+
+=head1 SEE ALSO
+
+L<EVP_DigestVerifyInit(3)|EVP_DigestVerifyInit(3)>,
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
L<err(3)|err(3)>,
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>,
L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>,
L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
+
+=head1 HISTORY
+
+EVP_DigestSignInit(), EVP_DigestSignUpdate() and
EVP_DigestSignFinal()
+were first added to OpenSSL 0.9.9.
+
+=cut
.
patch -p0 <<' .'
Index: openssl/doc/crypto/EVP_DigestVerifyInit.pod
============================================================
================
$ cvs diff -u -r0 -r1.1 EVP_DigestVerifyInit.pod
--- /dev/null 2006-07-12 14:31:29 +0200
+++ EVP_DigestVerifyInit.pod 2006-07-12 14:31:31 +0200
-0,0 +1,82
+=pod
+
+=head1 NAME
+
+EVP_DigestVerifyInit, EVP_DigestVerifyUpdate,
EVP_DigestVerifyFinal - EVP signature verification functions
+
+=head1 SYNOPSIS
+
+ #include <openssl/evp.h>
+
+ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX
**pctx,
+ const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
+ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void
*d, unsigned int cnt);
+ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, unsigned char
*sig, size_t siglen);
+
+=head1 DESCRIPTION
+
+The EVP signature routines are a high level interface to
digital signatures.
+
+EVP_DigestVerifyInit() sets up verification context
B<ctx> to use digest
+B<type> from ENGINE B<impl> and public key
B<pkey>. B<ctx> must be initialized
+with EVP_MD_CTX_init() before calling this function. If
B<pctx> is not NULL the
+EVP_PKEY_CTX of the verification operation will be
written to B<*pctx>: this
+can be used to set alternative verification options.
+
+EVP_DigestVerifyUpdate() hashes B<cnt> bytes of
data at B<d> into the
+verification context B<ctx>. This function can be
called several times on the
+same B<ctx> to include additional data. This
function is currently implemented
+using a macro.
+
+EVP_DigestVerifyFinal() verifies the data in B<ctx>
against the signature in
+B<sig> of length B<siglen>.
+
+=head1 RETURN VALUES
+
+EVP_DigestVerifyInit() and EVP_DigestVerifyUpdate()
return 1 for success and 0
+or a negative value for failure. In particular a return
value of -2 indicates
+the operation is not supported by the public key
algorithm.
+
+Unlike other functions the return value 0 from
EVP_DigestVerifyFinal() only
+indicates that the signature did not not verify
successfully (that is tbs did
+not match the original data or the signature was of
invalid form) it is not an
+indication of a more serious error.
+
+The error codes can be obtained from
L<ERR_get_error(3)|ERR_get_error(3)>.
+
+=head1 NOTES
+
+The B<EVP> interface to digital signatures should
almost always be used in
+preference to the low level interfaces. This is because
the code then becomes
+transparent to the algorithm used and much more flexible.
+
+In previous versions of OpenSSL there was a link between
message digest types
+and public key algorithms. This meant that
"clone" digests such as EVP_dss1()
+needed to be used to sign using SHA1 and DSA. This is no
longer necessary and
+the use of clone digest is now discouraged.
+
+For some key types and parameters the random number
generator must be seeded
+or the operation will fail.
+
+The call to EVP_DigestVerifyFinal() internally finalizes
a copy of the digest
+context. This means that calls to EVP_VerifyUpdate() and
EVP_VerifyFinal() can
+be called later to digest and verify additional data.
+
+Since only a copy of the digest context is ever finalized
the context must
+be cleaned up after use by calling EVP_MD_CTX_cleanup()
or a memory leak
+will occur.
+
+=head1 SEE ALSO
+
+L<EVP_DigestSignInit(3)|EVP_DigestSignInit(3)>,
+L<EVP_DigestInit(3)|EVP_DigestInit(3)>,
L<err(3)|err(3)>,
+L<evp(3)|evp(3)>, L<hmac(3)|hmac(3)>,
L<md2(3)|md2(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>,
L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>, L<dgst(1)|dgst(1)>
+
+=head1 HISTORY
+
+EVP_DigestVerifyInit(), EVP_DigestVerifyUpdate() and
EVP_DigestVerifyFinal()
+were first added to OpenSSL 0.9.9.
+
+=cut
.
patch -p0 <<' .'
Index: openssl/doc/crypto/EVP_PKEY_verify.pod
============================================================
================
$ cvs diff -u -r1.2 -r1.3 EVP_PKEY_verify.pod
--- openssl/doc/crypto/EVP_PKEY_verify.pod 8 Jul 2006
12:46:51 -0000 1.2
+++ openssl/doc/crypto/EVP_PKEY_verify.pod 12 Jul 2006
12:31:29 -0000 1.3
-34,11 +34,11
=head1 RETURN VALUES
-EVP_PKEY_verify_init() and EVP_PKEY_verify() return 1 if
the verification
-was successful and 0 if it failed. Unlike other functions
the return value
-0 only indicates that the signature did not not verify
successfully (that is
-tbs did not match the original data or the signature was
of invalid form)
-it is not an indication of a more serious error.
+EVP_PKEY_verify_init() and EVP_PKEY_verify() return 1 if
the verification was
+successful and 0 if it failed. Unlike other functions the
return value 0 from
+EVP_PKEY_verify() only indicates that the signature did
not not verify
+successfully (that is tbs did not match the original data
or the signature was
+of invalid form) it is not an indication of a more
serious error.
A negative value indicates an error other that signature
verification failure.
In particular a return value of -2 indicates the
operation is not supported by
.
patch -p0 <<' .'
Index: openssl/doc/crypto/EVP_SignInit.pod
============================================================
================
$ cvs diff -u -r1.6 -r1.7 EVP_SignInit.pod
--- openssl/doc/crypto/EVP_SignInit.pod 22 Mar 2005
17:55:33 -0000 1.6
+++ openssl/doc/crypto/EVP_SignInit.pod 12 Jul 2006
12:31:29 -0000 1.7
-77,6 +77,15
Older versions of this documentation wrongly stated that
calls to
EVP_SignUpdate() could not be made after calling
EVP_SignFinal().
+Since the private key is passed in the call to
EVP_SignFinal() any error
+relating to the private key (for example an unsuitable
key and digest
+combination) will not be indicated until after
potentially large amounts of
+data have been passed through EVP_SignUpdate().
+
+It is not possible to change the signing parameters using
these function.
+
+The previous two bugs are fixed in the newer
EVP_SignDigest*() function.
+
=head1 SEE ALSO
L<EVP_VerifyInit(3)|EVP_VerifyInit(3)>,
.
patch -p0 <<' .'
Index: openssl/doc/crypto/EVP_VerifyInit.pod
============================================================
================
$ cvs diff -u -r1.5 -r1.6 EVP_VerifyInit.pod
--- openssl/doc/crypto/EVP_VerifyInit.pod 10 Jul 2002
19:35:46 -0000 1.5
+++ openssl/doc/crypto/EVP_VerifyInit.pod 12 Jul 2006
12:31:30 -0000 1.6
-67,6 +67,15
Older versions of this documentation wrongly stated that
calls to
EVP_VerifyUpdate() could not be made after calling
EVP_VerifyFinal().
+Since the public key is passed in the call to
EVP_SignFinal() any error
+relating to the private key (for example an unsuitable
key and digest
+combination) will not be indicated until after
potentially large amounts of
+data have been passed through EVP_SignUpdate().
+
+It is not possible to change the signing parameters using
these function.
+
+The previous two bugs are fixed in the newer
EVP_VerifyDigest*() function.
+
=head1 SEE ALSO
L<evp(3)|evp(3)>,
.
____________________________________________________________
__________
OpenSSL Project http://www.openssl.org
CVS Repository Commit List
openssl-cvsopenssl.org
Automated List Manager
majordomoopenssl.org
|