fixup! fixup! APPS/pkeyutl: -digest implies -rawin and can only be us…

…ed with -sign and -verify
siemens · Oct 30, 2024 · 44a1637 · 44a1637
1 parent cd41d93
commit 44a1637
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/CHANGES.md b/CHANGES.md
@@ -43,6 +43,13 @@ OpenSSL 3.4
 
    *Małgorzata Olszówka*
 
+ * The `-rawin` option of the `pkeyutl` command is now implied (and thus no
+   longer required) when using `-digest` or when signing or verifying with an
+   Ed25519 or Ed448 key.
+   The `-digest` and `-rawin` option may only be given with `-sign` or `verify`.
+
+   *David von Oheimb*
+
  * Optionally allow the FIPS provider to use the `JITTER` entropy source.
    Note that using this option will require the resulting FIPS provider
    to undergo entropy source validation [ESV] by the [CMVP], without this
@@ -208,12 +215,6 @@ OpenSSL 3.4
 
    *Damian Hobson-Garcia*
 
- * The `-rawin` option of the `pkeyutl` command is now implied (and thus no longer
-   required) when using `-digest` or when signing or verifying with an Ed25519
-   or Ed448 key. The `-digest` option may only be given with `-sign` or `verify`.
-
-   *David von Oheimb*
-
  * Added support to build Position Independent Executables (PIE). Configuration
    option `enable-pie` configures the cflag '-fPIE' and ldflag '-pie' to
    support Address Space Layout Randomization (ASLR) in the openssl executable,

diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in
@@ -475,6 +475,10 @@ L<EVP_PKEY_CTX_set_tls1_prf_md(3)>,
 
 =head1 HISTORY
 
+Since OpenSSL 3.5,
+the B<-digest> option implies B<-rawin>, and these two options are
+no longer required when signing or verifying with an Ed25519 or Ed448 key.
+
 The B<-engine> option was deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT