Merge main trunk to engine branch, all conflicts resolved.

doc/apps/CA.pl.pod

@@ -72,6 +72,13 @@ to be in the file "newreq.pem". The new certificate is written to the file
 "newcert.pem" except in the case of the B<-xsign> option when it is written
 to standard output.
 
+
+=item B<-signCA>
+
+this option is the same as the B<-signreq> option except it uses the configuration
+file section B<v3_ca> and so makes the signed request a valid CA certificate. This
+is useful when creating intermediate CA from a root CA.
+
 =item B<-signcert>
 
 this option is the same as B<-sign> except it expects a self signed certificate

doc/apps/ca.pod

@@ -23,6 +23,7 @@ B<openssl> B<ca>
 [B<-policy arg>]
 [B<-keyfile arg>]
 [B<-key arg>]
+[B<-passin arg>]
 [B<-cert file>]
 [B<-in file>]
 [B<-out file>]
@@ -99,6 +100,10 @@ the password used to encrypt the private key. Since on some
 systems the command line arguments are visible (e.g. Unix with
 the 'ps' utility) this option should be used with caution.
 
+=item B<-passin arg>
+
+the key password source. For more information about the format of B<arg>
+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
 =item B<-verbose>
 
 this prints extra details about the operations being performed.
@@ -342,6 +347,10 @@ Sign a certificate request:
 
  openssl ca -in req.pem -out newcert.pem
 
+Sign a certificate request, using CA extensions:
+
+ openssl ca -in req.pem -extensions v3_ca -out newcert.pem
+
 Generate a CRL
 
  openssl ca -gencrl -out crl.pem

doc/apps/dgst.pod

@@ -2,25 +2,32 @@
 
 =head1 NAME
 
-dgst, md5, md2, sha1, sha, mdc2, ripemd160 - message digests
+dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests
 
 =head1 SYNOPSIS
 
 B<openssl> B<dgst> 
-[B<-md5|-md2|-sha1|-sha|mdc2|-ripemd160>]
+[B<-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1>]
 [B<-c>]
 [B<-d>]
+[B<-hex>]
+[B<-binary>]
+[B<-out filename>]
+[B<-sign filename>]
+[B<-verify filename>]
+[B<-prverify filename>]
+[B<-signature filename>]
 [B<file...>]
 
-[B<md5|md2|sha1|sha|mdc2|ripemd160>]
+[B<md5|md4|md2|sha1|sha|mdc2|ripemd160>]
 [B<-c>]
 [B<-d>]
 [B<file...>]
 
 =head1 DESCRIPTION
 
-The digest functions print out the message digest of a supplied file or files
-in hexadecimal form.
+The digest functions output the message digest of a supplied file or files
+in hexadecimal form. They can also be used for digital signing and verification.
 
 =head1 OPTIONS
 
@@ -28,12 +35,51 @@ in hexadecimal form.
 
 =item B<-c>
 
-print out the digest in two digit groups separated by colons.
+print out the digest in two digit groups separated by colons, only relevant if
+B<hex> format output is used.
 
 =item B<-d>
 
 print out BIO debugging information.
 
+=item B<-hex>
+
+digest is to be output as a hex dump. This is the default case for a "normal"
+digest as opposed to a digital signature.
+
+=item B<-binary>
+
+output the digest or signature in binary form.
+
+=item B<-out filename>
+
+filename to output to, or standard output by default.
+
+=item B<-sign filename>
+
+digitally sign the digest using the private key in "filename".
+
+=item B<-verify filename>
+
+verify the signature using the the public key in "filename".
+The output is either "Verification OK" or "Verification Failure".
+
+=item B<-prverify filename>
+
+verify the signature using the  the private key in "filename".
+
+=item B<-signature filename>
+
+the actual signature to verify.
+
+=item B<-rand file(s)>
+
+a file or files containing random data used to seed the random number
+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
+Multiple files can be specified separated by a OS-dependent character.
+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
+all others. 
+
 =item B<file...>
 
 file or files to digest. If no files are specified then standard input is
@@ -46,4 +92,13 @@ used.
 The digest of choice for all new applications is SHA1. Other digests are
 however still widely used.
 
+If you wish to sign or verify data using the DSA algorithm then the dss1
+digest must be used.
+
+A source of random numbers is required for certain signing algorithms, in
+particular DSA.
+
+The signing and verify options should only be used if a single file is
+being signed or verified.
+
 =cut

doc/apps/openssl.pod

@@ -141,6 +141,10 @@ X.509 Certificate Signing Request (CSR) Management.
 
 RSA Data Management.
 
+=item L<B<rsautl>|rsautl(1)>
+
+RSA utility for signing, verification, encryption, and decryption.
+
 =item L<B<s_client>|s_client(1)>
 
 This implements a generic SSL/TLS client which can establish a transparent
@@ -315,7 +319,8 @@ L<enc(1)|enc(1)>, L<gendsa(1)|gendsa(1)>,
 L<genrsa(1)|genrsa(1)>, L<nseq(1)|nseq(1)>, L<openssl(1)|openssl(1)>,
 L<passwd(1)|passwd(1)>,
 L<pkcs12(1)|pkcs12(1)>, L<pkcs7(1)|pkcs7(1)>, L<pkcs8(1)|pkcs8(1)>,
-L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>, L<s_client(1)|s_client(1)>,
+L<rand(1)|rand(1)>, L<req(1)|req(1)>, L<rsa(1)|rsa(1)>,
+L<rsautl(1)|rsautl(1)>, L<s_client(1)|s_client(1)>,
 L<s_server(1)|s_server(1)>, L<smime(1)|smime(1)>, L<spkac(1)|spkac(1)>,
 L<verify(1)|verify(1)>, L<version(1)|version(1)>, L<x509(1)|x509(1)>,
 L<crypto(3)|crypto(3)>, L<ssl(3)|ssl(3)> 

doc/apps/verify.pod

@@ -2,7 +2,7 @@
 
 =head1 NAME
 
-pkcs7 - PKCS#7 utility
+verify - Utility to verify certificates.
 
 =head1 SYNOPSIS
 

doc/apps/x509.pod

@@ -382,7 +382,7 @@ and a space character at the beginning or end of a string.
 
 =item B<esc_ctrl>
 
-escape and control characters. That is those with ASCII values less than
+escape control characters. That is those with ASCII values less than
 0x20 (space) and the delete (0x7f) character. They are escaped using the
 RFC2253 \XX notation (where XX are two hex digits representing the
 character value).
@@ -456,7 +456,7 @@ indents the fields by four characters.
 =item B<dn_rev>
 
 reverse the fields of the DN. This is required by RFC2253. As a side
-effect this also reveress the order of multiple AVAs but this is
+effect this also reverses the order of multiple AVAs but this is
 permissible.
 
 =item B<nofname>, B<sname>, B<lname>, B<oid>
@@ -519,13 +519,13 @@ Convert a certificate to a certificate request:
 Convert a certificate request into a self signed certificate using
 extensions for a CA:
 
- openssl x509 -req -in careq.pem -config openssl.cnf -extensions v3_ca \
+ openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
 	-signkey key.pem -out cacert.pem
 
 Sign a certificate request using the CA certificate above and add user
 certificate extensions:
 
- openssl x509 -req -in req.pem -config openssl.cnf -extensions v3_usr \
+ openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
 	-CA cacert.pem -CAkey key.pem -CAcreateserial
 
 

doc/crypto/crypto.pod

@@ -40,8 +40,9 @@ L<x509(3)|x509(3)>, L<x509v3(3)|x509v3(3)>
 
 =item AUTHENTICATION CODES, HASH FUNCTIONS
 
-L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>, L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>,
-L<ripemd(3)|ripemd(3)>, L<sha(3)|sha(3)> 
+L<hmac(3)|hmac(3)>, L<md2(3)|md2(3)>, L<md4(3)|md4(3)>,
+L<md5(3)|md5(3)>, L<mdc2(3)|mdc2(3)>, L<ripemd(3)|ripemd(3)>,
+L<sha(3)|sha(3)>
 
 =item AUXILIARY FUNCTIONS
 

doc/crypto/md5.pod

@@ -2,8 +2,8 @@
 
 =head1 NAME
 
-MD2, MD5, MD2_Init, MD2_Update, MD2_Final, MD5_Init, MD5_Update,
-MD5_Final - MD2 and MD5 hash functions
+MD2, MD4, MD5, MD2_Init, MD2_Update, MD2_Final, MD4_Init, MD4_Update,
+MD4_Final, MD5_Init, MD5_Update, MD5_Final - MD2, MD4, and MD5 hash functions
 
 =head1 SYNOPSIS
 
@@ -18,6 +18,17 @@ MD5_Final - MD2 and MD5 hash functions
  void MD2_Final(unsigned char *md, MD2_CTX *c);
 
 
+ #include <openssl/md4.h>
+
+ unsigned char *MD4(const unsigned char *d, unsigned long n,
+                  unsigned char *md);
+
+ void MD4_Init(MD4_CTX *c);
+ void MD4_Update(MD4_CTX *c, const void *data,
+                  unsigned long len);
+ void MD4_Final(unsigned char *md, MD4_CTX *c);
+
+
  #include <openssl/md5.h>
 
  unsigned char *MD5(const unsigned char *d, unsigned long n,
@@ -30,12 +41,13 @@ MD5_Final - MD2 and MD5 hash functions
 
 =head1 DESCRIPTION
 
-MD2 and MD5 are cryptographic hash functions with a 128 bit output.
+MD2, MD4, and MD5 are cryptographic hash functions with a 128 bit output.
 
-MD2() and MD5() compute the MD2 and MD5 message digest of the B<n>
-bytes at B<d> and place it in B<md> (which must have space for
-MD2_DIGEST_LENGTH == MD5_DIGEST_LENGTH == 16 bytes of output). If
-B<md> is NULL, the digest is placed in a static array.
+MD2(), MD4(), and MD5() compute the MD2, MD4, and MD5 message digest
+of the B<n> bytes at B<d> and place it in B<md> (which must have space
+for MD2_DIGEST_LENGTH == MD4_DIGEST_LENGTH == MD5_DIGEST_LENGTH == 16
+bytes of output). If B<md> is NULL, the digest is placed in a static
+array.
 
 The following functions may be used if the message is not completely
 stored in memory:
@@ -48,8 +60,8 @@ be hashed (B<len> bytes at B<data>).
 MD2_Final() places the message digest in B<md>, which must have space
 for MD2_DIGEST_LENGTH == 16 bytes of output, and erases the B<MD2_CTX>.
 
-MD5_Init(), MD5_Update() and MD5_Final() are analogous using an
-B<MD5_CTX> structure.
+MD4_Init(), MD4_Update(), MD4_Final(), MD5_Init(), MD5_Update(), and
+MD5_Final() are analogous using an B<MD4_CTX> and B<MD5_CTX> structure.
 
 Applications should use the higher level functions
 L<EVP_DigestInit(3)|EVP_DigestInit(3)>
@@ -57,20 +69,21 @@ etc. instead of calling the hash functions directly.
 
 =head1 NOTE
 
-MD2 and MD5 are recommended only for compatibility with existing
+MD2, MD4, and MD5 are recommended only for compatibility with existing
 applications. In new applications, SHA-1 or RIPEMD-160 should be
 preferred.
 
 =head1 RETURN VALUES
 
-MD2() and MD5() return pointers to the hash value. 
+MD2(), MD4(), and MD5() return pointers to the hash value. 
 
-MD2_Init(), MD2_Update() MD2_Final(), MD5_Init(), MD5_Update() and
-MD5_Final() do not return values.
+MD2_Init(), MD2_Update(), MD2_Final(), MD4_Init(), MD4_Update(),
+MD4_Final(), MD5_Init(), MD5_Update(), and MD5_Final() do not return
+values.
 
 =head1 CONFORMING TO
 
-RFC 1319, RFC 1321
+RFC 1319, RFC 1320, RFC 1321
 
 =head1 SEE ALSO
 
@@ -82,4 +95,7 @@ MD2(), MD2_Init(), MD2_Update() MD2_Final(), MD5(), MD5_Init(),
 MD5_Update() and MD5_Final() are available in all versions of SSLeay
 and OpenSSL.
 
+MD4(), MD4_Init(), and MD4_Update() are available in OpenSSL 0.9.6 and
+above.
+
 =cut

doc/ssl/SSL_get_error.pod

@@ -41,7 +41,9 @@ if and only if B<ret E<gt> 0>.
 The SSL connection has been closed.  If the protocol version is SSL 3.0
 or TLS 1.0, this result code is returned only if a closure
 alert has occurred in the protocol, i.e. if the connection has been
-closed cleanly.
+closed cleanly. Note that in this case B<SSL_ERROR_ZERO_RETURN>
+does not necessarily indicate that the underlying transport
+has been closed.
 
 =item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE