Merge lp:~sbeattie/ubuntu/oneiric/openssl/lp850608 into lp:ubuntu/oneiric/openssl
- Oneiric (11.10)
- lp850608
- Merge into oneiric
Proposed by
Steve Beattie
Status: | Merged |
---|---|
Merged at revision: | 58 |
Proposed branch: | lp:~sbeattie/ubuntu/oneiric/openssl/lp850608 |
Merge into: | lp:ubuntu/oneiric/openssl |
Diff against target: |
27465 lines (+20613/-1941) 206 files modified
.pc/Bsymbolic-functions.patch/Configure (+2/-1) .pc/aesni.patch/Configure (+2/-1) .pc/aesni.patch/util/libeay.num (+5/-0) .pc/applied-patches (+12/-0) .pc/block_diginotar.patch/crypto/x509/x509_vfy.c (+2219/-0) .pc/c_rehash-multi.patch/tools/c_rehash.in (+192/-0) .pc/config-hurd.patch/config (+4/-0) .pc/dgst_hmac.patch/apps/dgst.c (+632/-0) .pc/dgst_hmac.patch/doc/apps/dgst.pod (+162/-0) .pc/engines-path.patch/Configure (+2/-1) .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c (+1/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod (+265/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod (+115/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod (+67/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod (+511/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod (+61/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod (+303/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod (+476/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_client_CA_list.pod (+94/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_verify.pod (+294/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+102/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_accept.pod (+76/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_connect.pod (+73/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_do_handshake.pod (+75/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_shutdown.pod (+125/-0) .pc/libssl-misspell.patch/crypto/asn1/asn1_err.c (+329/-0) .pc/openssl-pod-misspell.patch/apps/ca.c (+2985/-0) .pc/openssl-pod-misspell.patch/apps/ecparam.c (+731/-0) .pc/openssl-pod-misspell.patch/crypto/evp/encode.c (+445/-0) .pc/openssl-pod-misspell.patch/doc/apps/config.pod (+279/-0) .pc/openssl-pod-misspell.patch/doc/apps/genpkey.pod (+213/-0) .pc/openssl-pod-misspell.patch/doc/apps/openssl.pod (+422/-0) .pc/openssl-pod-misspell.patch/doc/apps/req.pod (+678/-0) .pc/openssl-pod-misspell.patch/doc/apps/ts.pod (+594/-0) .pc/openssl-pod-misspell.patch/doc/apps/tsget.pod (+194/-0) .pc/openssl-pod-misspell.patch/doc/apps/x509v3_config.pod (+529/-0) .pc/pic.patch/crypto/perlasm/cbc.pl (+0/-2) .pc/pkcs12-doc.patch/doc/apps/pkcs12.pod (+363/-0) .pc/pod_ec.misspell.patch/doc/apps/ec.pod (+190/-0) .pc/pod_pksc12.misspell.patch/doc/apps/pkcs12.pod (+363/-0) .pc/pod_req_misspell2.patch/doc/apps/req.pod (+678/-0) .pc/pod_s_server.misspell.patch/doc/apps/s_server.pod (+355/-0) .pc/pod_x509setflags.misspell.patch/doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+171/-0) .pc/shared-lib-ext.patch/Configure (+2/-1) .pc/version-script.patch/Configure (+2/-1) CHANGES (+42/-1) Configure (+2/-1) FAQ (+1/-1) INSTALL.VMS (+24/-30) Makefile (+1/-1) Makefile.bak (+640/-0) NEWS (+8/-0) README (+1/-1) VMS/install-vms.com (+67/-0) VMS/install.com (+0/-79) VMS/mkshared.com (+163/-99) VMS/openssl_startup.com (+108/-0) VMS/openssl_undo.com (+20/-0) apps/CA.com (+58/-42) apps/apps.c (+6/-0) apps/asn1pars.c (+1/-0) apps/ca.c (+1/-1) apps/dgst.c (+2/-0) apps/ecparam.c (+2/-2) apps/enc.c (+4/-0) apps/install-apps.com (+107/-0) apps/install.com (+0/-65) apps/makeapps.com (+231/-118) apps/openssl.c (+62/-2) apps/pkcs12.c (+1/-1) apps/speed.c (+2/-0) apps/vms_decc_init.c (+188/-0) config (+4/-0) crypto/LPdir_vms.c (+28/-21) crypto/alphacpuid.pl (+3/-5) crypto/asn1/a_object.c (+2/-2) crypto/asn1/asn1_err.c (+1/-1) crypto/asn1/bio_ndef.c (+0/-3) crypto/asn1/x_name.c (+5/-2) crypto/bio/b_sock.c (+28/-1) crypto/bio/bss_dgram.c (+12/-6) crypto/bio/bss_log.c (+29/-3) crypto/bn/asm/alpha-mont.pl (+1/-1) crypto/bn/asm/s390x-mont.pl (+2/-2) crypto/bn/bn.h (+18/-0) crypto/bn/bn_gf2m.c (+1/-0) crypto/bn/bn_mont.c (+1/-1) crypto/bn/bn_nist.c (+36/-28) crypto/conf/conf_api.c (+1/-0) crypto/cryptlib.c (+0/-1) crypto/crypto-lib.com (+241/-129) crypto/dsa/dsa_pmeth.c (+1/-0) crypto/dso/dso_dlfcn.c (+1/-0) crypto/dso/dso_vms.c (+103/-82) crypto/ecdsa/ecdsatest.c (+2/-3) crypto/ecdsa/ecs_ossl.c (+8/-0) crypto/evp/encode.c (+1/-1) crypto/evp/evp_test.c (+1/-0) crypto/hmac/hm_pmeth.c (+2/-0) crypto/install-crypto.com (+196/-0) crypto/install.com (+0/-150) crypto/o_time.c (+14/-8) crypto/ocsp/ocsp_lib.c (+4/-4) crypto/opensslv.h (+3/-3) crypto/perlasm/cbc.pl (+0/-2) crypto/rand/rand_vms.c (+14/-2) crypto/rand/randfile.c (+2/-0) crypto/rsa/rsa_oaep.c (+13/-7) crypto/stack/safestack.h (+25/-25) crypto/vms_rms.h (+51/-0) crypto/x509/x509_vfy.c (+31/-0) debian/changelog (+77/-0) debian/libssl1.0.0.postinst (+5/-1) debian/patches/Bsymbolic-functions.patch (+7/-3) debian/patches/aesni.patch (+29/-14) debian/patches/block_diginotar.patch (+64/-0) debian/patches/c_rehash-multi.patch (+86/-0) debian/patches/debian-targets.patch (+3/-2) debian/patches/dgst_hmac.patch (+51/-0) debian/patches/libdoc-manpgs-pod-spell.patch (+236/-0) debian/patches/libssl-misspell.patch (+11/-0) debian/patches/openssl-pod-misspell.patch (+137/-0) debian/patches/pkcs12-doc.patch (+36/-0) debian/patches/pod_ec.misspell.patch (+11/-0) debian/patches/pod_pksc12.misspell.patch (+11/-0) debian/patches/pod_req_misspell2.patch (+12/-0) debian/patches/pod_s_server.misspell.patch (+11/-0) debian/patches/pod_x509setflags.misspell.patch (+11/-0) debian/patches/rehash_pod.patch (+2/-2) debian/patches/series (+12/-0) debian/patches/version-script.patch (+22/-4) debian/rules (+3/-1) doc/apps/c_rehash.pod (+2/-2) doc/apps/config.pod (+1/-1) doc/apps/dgst.pod (+10/-0) doc/apps/ec.pod (+1/-1) doc/apps/genpkey.pod (+2/-0) doc/apps/openssl.pod (+2/-2) doc/apps/pkcs12.pod (+7/-2) doc/apps/req.pod (+2/-2) doc/apps/s_server.pod (+1/-1) doc/apps/ts.pod (+2/-2) doc/apps/tsget.pod (+1/-1) doc/apps/x509v3_config.pod (+1/-1) doc/crypto/ASN1_generate_nconf.pod (+1/-1) doc/crypto/BN_BLINDING_new.pod (+1/-1) doc/crypto/EVP_BytesToKey.pod (+1/-1) doc/crypto/EVP_EncryptInit.pod (+1/-1) doc/crypto/EVP_PKEY_cmp.pod (+1/-1) doc/crypto/X509_STORE_CTX_get_error.pod (+2/-0) doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+1/-1) doc/crypto/pem.pod (+1/-1) doc/ssl/SSL_CTX_set_client_CA_list.pod (+4/-0) doc/ssl/SSL_CTX_set_verify.pod (+2/-2) doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+8/-0) doc/ssl/SSL_accept.pod (+8/-0) doc/ssl/SSL_connect.pod (+11/-11) doc/ssl/SSL_do_handshake.pod (+8/-0) doc/ssl/SSL_shutdown.pod (+8/-0) doc/ssl/ssl.pod (+1/-1) engines/ccgost/gost_crypt.c (+2/-1) engines/ccgost/openssl.ld (+10/-0) engines/e_capi_err.h (+4/-0) engines/makeengines.com (+215/-111) engines/openssl.ld (+3/-0) install.com (+127/-92) makevms.com (+274/-152) ms/uplink.c (+2/-1) openssl.spec (+1/-1) ssl/bio_ssl.c (+4/-0) ssl/d1_both.c (+10/-18) ssl/d1_clnt.c (+4/-2) ssl/d1_lib.c (+57/-8) ssl/d1_pkt.c (+11/-9) ssl/d1_srvr.c (+19/-7) ssl/install-ssl.com (+136/-0) ssl/install.com (+0/-90) ssl/s3_clnt.c (+2/-0) ssl/s3_lib.c (+6/-0) ssl/s3_pkt.c (+4/-2) ssl/s3_srvr.c (+16/-7) ssl/ssl-lib.com (+213/-115) ssl/ssl_lib.c (+13/-19) test/bntest.com (+7/-0) test/clean_test.com (+35/-0) test/cms-test.pl (+2/-2) test/maketests.com (+210/-111) test/tcrl.com (+10/-7) test/testca.com (+5/-3) test/testenc.com (+8/-5) test/testgen.com (+13/-9) test/tests.com (+65/-38) test/testss.com (+10/-7) test/testssl.com (+12/-8) test/testtsa.com (+38/-35) test/tpkcs7.com (+10/-7) test/tpkcs7d.com (+10/-7) test/treq.com (+10/-7) test/trsa.com (+8/-5) test/tsid.com (+10/-7) test/tverify.com (+6/-4) test/tx509.com (+10/-7) tools/c_rehash.in (+44/-28) util/libeay.num (+6/-1) util/mkdef.pl (+2/-0) util/mkerr.pl (+1/-1) |
To merge this branch: | bzr merge lp:~sbeattie/ubuntu/oneiric/openssl/lp850608 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Marc Deslauriers | Approve | ||
Ubuntu branches | Pending | ||
Review via email: mp+75477@code.launchpad.net |
Commit message
Description of the change
This branch merges openssl-1.0.0e-2 from Debian unstable to fix security issues. Both the debian changes from 1.0.0d-2 and the upstream release 1.0.0e are bugfix only releases. This merge also includes an added fix for LP: #244250 (reduce spurious reboot warnings on desktop installs) by checking for a running X server to determine whether or not to issue the reboot notification.
To post a comment you must log in.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1 | === modified file '.pc/Bsymbolic-functions.patch/Configure' |
2 | --- .pc/Bsymbolic-functions.patch/Configure 2011-05-01 23:51:53 +0000 |
3 | +++ .pc/Bsymbolic-functions.patch/Configure 2011-09-15 05:17:15 +0000 |
4 | @@ -362,6 +362,7 @@ |
5 | "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
6 | "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
7 | "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
8 | +"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
9 | "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
10 | "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
11 | "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
12 | @@ -370,7 +371,7 @@ |
13 | "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
14 | "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
15 | "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
16 | -"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
17 | +"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
18 | |
19 | #### |
20 | #### Variety of LINUX:-) |
21 | |
22 | === modified file '.pc/aesni.patch/Configure' |
23 | --- .pc/aesni.patch/Configure 2011-05-01 23:51:53 +0000 |
24 | +++ .pc/aesni.patch/Configure 2011-09-15 05:17:15 +0000 |
25 | @@ -362,6 +362,7 @@ |
26 | "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
27 | "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
28 | "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
29 | +"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
30 | "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
31 | "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
32 | "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
33 | @@ -370,7 +371,7 @@ |
34 | "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
35 | "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
36 | "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
37 | -"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
38 | +"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
39 | |
40 | #### |
41 | #### Variety of LINUX:-) |
42 | |
43 | === modified file '.pc/aesni.patch/util/libeay.num' |
44 | --- .pc/aesni.patch/util/libeay.num 2011-05-01 23:51:53 +0000 |
45 | +++ .pc/aesni.patch/util/libeay.num 2011-09-15 05:17:15 +0000 |
46 | @@ -4189,3 +4189,8 @@ |
47 | CRYPTO_cbc128_decrypt 4561 EXIST::FUNCTION: |
48 | CRYPTO_cfb128_encrypt 4562 EXIST::FUNCTION: |
49 | CRYPTO_cfb128_8_encrypt 4563 EXIST::FUNCTION: |
50 | +OPENSSL_strcasecmp 4564 EXIST::FUNCTION: |
51 | +OPENSSL_memcmp 4565 EXIST::FUNCTION: |
52 | +OPENSSL_strncasecmp 4566 EXIST::FUNCTION: |
53 | +OPENSSL_gmtime 4567 EXIST::FUNCTION: |
54 | +OPENSSL_gmtime_adj 4568 EXIST::FUNCTION: |
55 | |
56 | === modified file '.pc/applied-patches' |
57 | --- .pc/applied-patches 2011-05-01 23:51:53 +0000 |
58 | +++ .pc/applied-patches 2011-09-15 05:17:15 +0000 |
59 | @@ -18,6 +18,18 @@ |
60 | version-script.patch |
61 | gnu_source.patch |
62 | c_rehash-compat.patch |
63 | +libdoc-manpgs-pod-spell.patch |
64 | +libssl-misspell.patch |
65 | +openssl-pod-misspell.patch |
66 | +pod_req_misspell2.patch |
67 | +pod_pksc12.misspell.patch |
68 | +pod_s_server.misspell.patch |
69 | +pod_x509setflags.misspell.patch |
70 | +pod_ec.misspell.patch |
71 | +pkcs12-doc.patch |
72 | +dgst_hmac.patch |
73 | +block_diginotar.patch |
74 | +c_rehash-multi.patch |
75 | aesni.patch |
76 | perlpath-quilt.patch |
77 | Bsymbolic-functions.patch |
78 | |
79 | === added directory '.pc/block_diginotar.patch' |
80 | === added directory '.pc/block_diginotar.patch/crypto' |
81 | === added directory '.pc/block_diginotar.patch/crypto/x509' |
82 | === added file '.pc/block_diginotar.patch/crypto/x509/x509_vfy.c' |
83 | --- .pc/block_diginotar.patch/crypto/x509/x509_vfy.c 1970-01-01 00:00:00 +0000 |
84 | +++ .pc/block_diginotar.patch/crypto/x509/x509_vfy.c 2011-09-15 05:17:15 +0000 |
85 | @@ -0,0 +1,2219 @@ |
86 | +/* crypto/x509/x509_vfy.c */ |
87 | +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
88 | + * All rights reserved. |
89 | + * |
90 | + * This package is an SSL implementation written |
91 | + * by Eric Young (eay@cryptsoft.com). |
92 | + * The implementation was written so as to conform with Netscapes SSL. |
93 | + * |
94 | + * This library is free for commercial and non-commercial use as long as |
95 | + * the following conditions are aheared to. The following conditions |
96 | + * apply to all code found in this distribution, be it the RC4, RSA, |
97 | + * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
98 | + * included with this distribution is covered by the same copyright terms |
99 | + * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
100 | + * |
101 | + * Copyright remains Eric Young's, and as such any Copyright notices in |
102 | + * the code are not to be removed. |
103 | + * If this package is used in a product, Eric Young should be given attribution |
104 | + * as the author of the parts of the library used. |
105 | + * This can be in the form of a textual message at program startup or |
106 | + * in documentation (online or textual) provided with the package. |
107 | + * |
108 | + * Redistribution and use in source and binary forms, with or without |
109 | + * modification, are permitted provided that the following conditions |
110 | + * are met: |
111 | + * 1. Redistributions of source code must retain the copyright |
112 | + * notice, this list of conditions and the following disclaimer. |
113 | + * 2. Redistributions in binary form must reproduce the above copyright |
114 | + * notice, this list of conditions and the following disclaimer in the |
115 | + * documentation and/or other materials provided with the distribution. |
116 | + * 3. All advertising materials mentioning features or use of this software |
117 | + * must display the following acknowledgement: |
118 | + * "This product includes cryptographic software written by |
119 | + * Eric Young (eay@cryptsoft.com)" |
120 | + * The word 'cryptographic' can be left out if the rouines from the library |
121 | + * being used are not cryptographic related :-). |
122 | + * 4. If you include any Windows specific code (or a derivative thereof) from |
123 | + * the apps directory (application code) you must include an acknowledgement: |
124 | + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
125 | + * |
126 | + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
127 | + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
128 | + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
129 | + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
130 | + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
131 | + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
132 | + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
133 | + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
134 | + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
135 | + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
136 | + * SUCH DAMAGE. |
137 | + * |
138 | + * The licence and distribution terms for any publically available version or |
139 | + * derivative of this code cannot be changed. i.e. this code cannot simply be |
140 | + * copied and put under another distribution licence |
141 | + * [including the GNU Public Licence.] |
142 | + */ |
143 | + |
144 | +#include <stdio.h> |
145 | +#include <time.h> |
146 | +#include <errno.h> |
147 | + |
148 | +#include "cryptlib.h" |
149 | +#include <openssl/crypto.h> |
150 | +#include <openssl/lhash.h> |
151 | +#include <openssl/buffer.h> |
152 | +#include <openssl/evp.h> |
153 | +#include <openssl/asn1.h> |
154 | +#include <openssl/x509.h> |
155 | +#include <openssl/x509v3.h> |
156 | +#include <openssl/objects.h> |
157 | + |
158 | +/* CRL score values */ |
159 | + |
160 | +/* No unhandled critical extensions */ |
161 | + |
162 | +#define CRL_SCORE_NOCRITICAL 0x100 |
163 | + |
164 | +/* certificate is within CRL scope */ |
165 | + |
166 | +#define CRL_SCORE_SCOPE 0x080 |
167 | + |
168 | +/* CRL times valid */ |
169 | + |
170 | +#define CRL_SCORE_TIME 0x040 |
171 | + |
172 | +/* Issuer name matches certificate */ |
173 | + |
174 | +#define CRL_SCORE_ISSUER_NAME 0x020 |
175 | + |
176 | +/* If this score or above CRL is probably valid */ |
177 | + |
178 | +#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE) |
179 | + |
180 | +/* CRL issuer is certificate issuer */ |
181 | + |
182 | +#define CRL_SCORE_ISSUER_CERT 0x018 |
183 | + |
184 | +/* CRL issuer is on certificate path */ |
185 | + |
186 | +#define CRL_SCORE_SAME_PATH 0x008 |
187 | + |
188 | +/* CRL issuer matches CRL AKID */ |
189 | + |
190 | +#define CRL_SCORE_AKID 0x004 |
191 | + |
192 | +/* Have a delta CRL with valid times */ |
193 | + |
194 | +#define CRL_SCORE_TIME_DELTA 0x002 |
195 | + |
196 | +static int null_callback(int ok,X509_STORE_CTX *e); |
197 | +static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); |
198 | +static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); |
199 | +static int check_chain_extensions(X509_STORE_CTX *ctx); |
200 | +static int check_name_constraints(X509_STORE_CTX *ctx); |
201 | +static int check_trust(X509_STORE_CTX *ctx); |
202 | +static int check_revocation(X509_STORE_CTX *ctx); |
203 | +static int check_cert(X509_STORE_CTX *ctx); |
204 | +static int check_policy(X509_STORE_CTX *ctx); |
205 | + |
206 | +static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, |
207 | + unsigned int *preasons, |
208 | + X509_CRL *crl, X509 *x); |
209 | +static int get_crl_delta(X509_STORE_CTX *ctx, |
210 | + X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); |
211 | +static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, |
212 | + X509_CRL *base, STACK_OF(X509_CRL) *crls); |
213 | +static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, |
214 | + X509 **pissuer, int *pcrl_score); |
215 | +static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, |
216 | + unsigned int *preasons); |
217 | +static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); |
218 | +static int check_crl_chain(X509_STORE_CTX *ctx, |
219 | + STACK_OF(X509) *cert_path, |
220 | + STACK_OF(X509) *crl_path); |
221 | + |
222 | +static int internal_verify(X509_STORE_CTX *ctx); |
223 | +const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; |
224 | + |
225 | + |
226 | +static int null_callback(int ok, X509_STORE_CTX *e) |
227 | + { |
228 | + return ok; |
229 | + } |
230 | + |
231 | +#if 0 |
232 | +static int x509_subject_cmp(X509 **a, X509 **b) |
233 | + { |
234 | + return X509_subject_name_cmp(*a,*b); |
235 | + } |
236 | +#endif |
237 | + |
238 | +int X509_verify_cert(X509_STORE_CTX *ctx) |
239 | + { |
240 | + X509 *x,*xtmp,*chain_ss=NULL; |
241 | + X509_NAME *xn; |
242 | + int bad_chain = 0; |
243 | + X509_VERIFY_PARAM *param = ctx->param; |
244 | + int depth,i,ok=0; |
245 | + int num; |
246 | + int (*cb)(int xok,X509_STORE_CTX *xctx); |
247 | + STACK_OF(X509) *sktmp=NULL; |
248 | + if (ctx->cert == NULL) |
249 | + { |
250 | + X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); |
251 | + return -1; |
252 | + } |
253 | + |
254 | + cb=ctx->verify_cb; |
255 | + |
256 | + /* first we make sure the chain we are going to build is |
257 | + * present and that the first entry is in place */ |
258 | + if (ctx->chain == NULL) |
259 | + { |
260 | + if ( ((ctx->chain=sk_X509_new_null()) == NULL) || |
261 | + (!sk_X509_push(ctx->chain,ctx->cert))) |
262 | + { |
263 | + X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); |
264 | + goto end; |
265 | + } |
266 | + CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); |
267 | + ctx->last_untrusted=1; |
268 | + } |
269 | + |
270 | + /* We use a temporary STACK so we can chop and hack at it */ |
271 | + if (ctx->untrusted != NULL |
272 | + && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) |
273 | + { |
274 | + X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); |
275 | + goto end; |
276 | + } |
277 | + |
278 | + num=sk_X509_num(ctx->chain); |
279 | + x=sk_X509_value(ctx->chain,num-1); |
280 | + depth=param->depth; |
281 | + |
282 | + |
283 | + for (;;) |
284 | + { |
285 | + /* If we have enough, we break */ |
286 | + if (depth < num) break; /* FIXME: If this happens, we should take |
287 | + * note of it and, if appropriate, use the |
288 | + * X509_V_ERR_CERT_CHAIN_TOO_LONG error |
289 | + * code later. |
290 | + */ |
291 | + |
292 | + /* If we are self signed, we break */ |
293 | + xn=X509_get_issuer_name(x); |
294 | + if (ctx->check_issued(ctx, x,x)) break; |
295 | + |
296 | + /* If we were passed a cert chain, use it first */ |
297 | + if (ctx->untrusted != NULL) |
298 | + { |
299 | + xtmp=find_issuer(ctx, sktmp,x); |
300 | + if (xtmp != NULL) |
301 | + { |
302 | + if (!sk_X509_push(ctx->chain,xtmp)) |
303 | + { |
304 | + X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); |
305 | + goto end; |
306 | + } |
307 | + CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); |
308 | + (void)sk_X509_delete_ptr(sktmp,xtmp); |
309 | + ctx->last_untrusted++; |
310 | + x=xtmp; |
311 | + num++; |
312 | + /* reparse the full chain for |
313 | + * the next one */ |
314 | + continue; |
315 | + } |
316 | + } |
317 | + break; |
318 | + } |
319 | + |
320 | + /* at this point, chain should contain a list of untrusted |
321 | + * certificates. We now need to add at least one trusted one, |
322 | + * if possible, otherwise we complain. */ |
323 | + |
324 | + /* Examine last certificate in chain and see if it |
325 | + * is self signed. |
326 | + */ |
327 | + |
328 | + i=sk_X509_num(ctx->chain); |
329 | + x=sk_X509_value(ctx->chain,i-1); |
330 | + xn = X509_get_subject_name(x); |
331 | + if (ctx->check_issued(ctx, x, x)) |
332 | + { |
333 | + /* we have a self signed certificate */ |
334 | + if (sk_X509_num(ctx->chain) == 1) |
335 | + { |
336 | + /* We have a single self signed certificate: see if |
337 | + * we can find it in the store. We must have an exact |
338 | + * match to avoid possible impersonation. |
339 | + */ |
340 | + ok = ctx->get_issuer(&xtmp, ctx, x); |
341 | + if ((ok <= 0) || X509_cmp(x, xtmp)) |
342 | + { |
343 | + ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; |
344 | + ctx->current_cert=x; |
345 | + ctx->error_depth=i-1; |
346 | + if (ok == 1) X509_free(xtmp); |
347 | + bad_chain = 1; |
348 | + ok=cb(0,ctx); |
349 | + if (!ok) goto end; |
350 | + } |
351 | + else |
352 | + { |
353 | + /* We have a match: replace certificate with store version |
354 | + * so we get any trust settings. |
355 | + */ |
356 | + X509_free(x); |
357 | + x = xtmp; |
358 | + (void)sk_X509_set(ctx->chain, i - 1, x); |
359 | + ctx->last_untrusted=0; |
360 | + } |
361 | + } |
362 | + else |
363 | + { |
364 | + /* extract and save self signed certificate for later use */ |
365 | + chain_ss=sk_X509_pop(ctx->chain); |
366 | + ctx->last_untrusted--; |
367 | + num--; |
368 | + x=sk_X509_value(ctx->chain,num-1); |
369 | + } |
370 | + } |
371 | + |
372 | + /* We now lookup certs from the certificate store */ |
373 | + for (;;) |
374 | + { |
375 | + /* If we have enough, we break */ |
376 | + if (depth < num) break; |
377 | + |
378 | + /* If we are self signed, we break */ |
379 | + xn=X509_get_issuer_name(x); |
380 | + if (ctx->check_issued(ctx,x,x)) break; |
381 | + |
382 | + ok = ctx->get_issuer(&xtmp, ctx, x); |
383 | + |
384 | + if (ok < 0) return ok; |
385 | + if (ok == 0) break; |
386 | + |
387 | + x = xtmp; |
388 | + if (!sk_X509_push(ctx->chain,x)) |
389 | + { |
390 | + X509_free(xtmp); |
391 | + X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); |
392 | + return 0; |
393 | + } |
394 | + num++; |
395 | + } |
396 | + |
397 | + /* we now have our chain, lets check it... */ |
398 | + xn=X509_get_issuer_name(x); |
399 | + |
400 | + /* Is last certificate looked up self signed? */ |
401 | + if (!ctx->check_issued(ctx,x,x)) |
402 | + { |
403 | + if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) |
404 | + { |
405 | + if (ctx->last_untrusted >= num) |
406 | + ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; |
407 | + else |
408 | + ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; |
409 | + ctx->current_cert=x; |
410 | + } |
411 | + else |
412 | + { |
413 | + |
414 | + sk_X509_push(ctx->chain,chain_ss); |
415 | + num++; |
416 | + ctx->last_untrusted=num; |
417 | + ctx->current_cert=chain_ss; |
418 | + ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; |
419 | + chain_ss=NULL; |
420 | + } |
421 | + |
422 | + ctx->error_depth=num-1; |
423 | + bad_chain = 1; |
424 | + ok=cb(0,ctx); |
425 | + if (!ok) goto end; |
426 | + } |
427 | + |
428 | + /* We have the chain complete: now we need to check its purpose */ |
429 | + ok = check_chain_extensions(ctx); |
430 | + |
431 | + if (!ok) goto end; |
432 | + |
433 | + /* Check name constraints */ |
434 | + |
435 | + ok = check_name_constraints(ctx); |
436 | + |
437 | + if (!ok) goto end; |
438 | + |
439 | + /* The chain extensions are OK: check trust */ |
440 | + |
441 | + if (param->trust > 0) ok = check_trust(ctx); |
442 | + |
443 | + if (!ok) goto end; |
444 | + |
445 | + /* We may as well copy down any DSA parameters that are required */ |
446 | + X509_get_pubkey_parameters(NULL,ctx->chain); |
447 | + |
448 | + /* Check revocation status: we do this after copying parameters |
449 | + * because they may be needed for CRL signature verification. |
450 | + */ |
451 | + |
452 | + ok = ctx->check_revocation(ctx); |
453 | + if(!ok) goto end; |
454 | + |
455 | + /* At this point, we have a chain and need to verify it */ |
456 | + if (ctx->verify != NULL) |
457 | + ok=ctx->verify(ctx); |
458 | + else |
459 | + ok=internal_verify(ctx); |
460 | + if(!ok) goto end; |
461 | + |
462 | +#ifndef OPENSSL_NO_RFC3779 |
463 | + /* RFC 3779 path validation, now that CRL check has been done */ |
464 | + ok = v3_asid_validate_path(ctx); |
465 | + if (!ok) goto end; |
466 | + ok = v3_addr_validate_path(ctx); |
467 | + if (!ok) goto end; |
468 | +#endif |
469 | + |
470 | + /* If we get this far evaluate policies */ |
471 | + if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) |
472 | + ok = ctx->check_policy(ctx); |
473 | + if(!ok) goto end; |
474 | + if (0) |
475 | + { |
476 | +end: |
477 | + X509_get_pubkey_parameters(NULL,ctx->chain); |
478 | + } |
479 | + if (sktmp != NULL) sk_X509_free(sktmp); |
480 | + if (chain_ss != NULL) X509_free(chain_ss); |
481 | + return ok; |
482 | + } |
483 | + |
484 | + |
485 | +/* Given a STACK_OF(X509) find the issuer of cert (if any) |
486 | + */ |
487 | + |
488 | +static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) |
489 | +{ |
490 | + int i; |
491 | + X509 *issuer; |
492 | + for (i = 0; i < sk_X509_num(sk); i++) |
493 | + { |
494 | + issuer = sk_X509_value(sk, i); |
495 | + if (ctx->check_issued(ctx, x, issuer)) |
496 | + return issuer; |
497 | + } |
498 | + return NULL; |
499 | +} |
500 | + |
501 | +/* Given a possible certificate and issuer check them */ |
502 | + |
503 | +static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) |
504 | +{ |
505 | + int ret; |
506 | + ret = X509_check_issued(issuer, x); |
507 | + if (ret == X509_V_OK) |
508 | + return 1; |
509 | + /* If we haven't asked for issuer errors don't set ctx */ |
510 | + if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) |
511 | + return 0; |
512 | + |
513 | + ctx->error = ret; |
514 | + ctx->current_cert = x; |
515 | + ctx->current_issuer = issuer; |
516 | + return ctx->verify_cb(0, ctx); |
517 | + return 0; |
518 | +} |
519 | + |
520 | +/* Alternative lookup method: look from a STACK stored in other_ctx */ |
521 | + |
522 | +static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) |
523 | +{ |
524 | + *issuer = find_issuer(ctx, ctx->other_ctx, x); |
525 | + if (*issuer) |
526 | + { |
527 | + CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); |
528 | + return 1; |
529 | + } |
530 | + else |
531 | + return 0; |
532 | +} |
533 | + |
534 | + |
535 | +/* Check a certificate chains extensions for consistency |
536 | + * with the supplied purpose |
537 | + */ |
538 | + |
539 | +static int check_chain_extensions(X509_STORE_CTX *ctx) |
540 | +{ |
541 | +#ifdef OPENSSL_NO_CHAIN_VERIFY |
542 | + return 1; |
543 | +#else |
544 | + int i, ok=0, must_be_ca, plen = 0; |
545 | + X509 *x; |
546 | + int (*cb)(int xok,X509_STORE_CTX *xctx); |
547 | + int proxy_path_length = 0; |
548 | + int purpose; |
549 | + int allow_proxy_certs; |
550 | + cb=ctx->verify_cb; |
551 | + |
552 | + /* must_be_ca can have 1 of 3 values: |
553 | + -1: we accept both CA and non-CA certificates, to allow direct |
554 | + use of self-signed certificates (which are marked as CA). |
555 | + 0: we only accept non-CA certificates. This is currently not |
556 | + used, but the possibility is present for future extensions. |
557 | + 1: we only accept CA certificates. This is currently used for |
558 | + all certificates in the chain except the leaf certificate. |
559 | + */ |
560 | + must_be_ca = -1; |
561 | + |
562 | + /* CRL path validation */ |
563 | + if (ctx->parent) |
564 | + { |
565 | + allow_proxy_certs = 0; |
566 | + purpose = X509_PURPOSE_CRL_SIGN; |
567 | + } |
568 | + else |
569 | + { |
570 | + allow_proxy_certs = |
571 | + !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); |
572 | + /* A hack to keep people who don't want to modify their |
573 | + software happy */ |
574 | + if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) |
575 | + allow_proxy_certs = 1; |
576 | + purpose = ctx->param->purpose; |
577 | + } |
578 | + |
579 | + /* Check all untrusted certificates */ |
580 | + for (i = 0; i < ctx->last_untrusted; i++) |
581 | + { |
582 | + int ret; |
583 | + x = sk_X509_value(ctx->chain, i); |
584 | + if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) |
585 | + && (x->ex_flags & EXFLAG_CRITICAL)) |
586 | + { |
587 | + ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; |
588 | + ctx->error_depth = i; |
589 | + ctx->current_cert = x; |
590 | + ok=cb(0,ctx); |
591 | + if (!ok) goto end; |
592 | + } |
593 | + if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) |
594 | + { |
595 | + ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; |
596 | + ctx->error_depth = i; |
597 | + ctx->current_cert = x; |
598 | + ok=cb(0,ctx); |
599 | + if (!ok) goto end; |
600 | + } |
601 | + ret = X509_check_ca(x); |
602 | + switch(must_be_ca) |
603 | + { |
604 | + case -1: |
605 | + if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) |
606 | + && (ret != 1) && (ret != 0)) |
607 | + { |
608 | + ret = 0; |
609 | + ctx->error = X509_V_ERR_INVALID_CA; |
610 | + } |
611 | + else |
612 | + ret = 1; |
613 | + break; |
614 | + case 0: |
615 | + if (ret != 0) |
616 | + { |
617 | + ret = 0; |
618 | + ctx->error = X509_V_ERR_INVALID_NON_CA; |
619 | + } |
620 | + else |
621 | + ret = 1; |
622 | + break; |
623 | + default: |
624 | + if ((ret == 0) |
625 | + || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) |
626 | + && (ret != 1))) |
627 | + { |
628 | + ret = 0; |
629 | + ctx->error = X509_V_ERR_INVALID_CA; |
630 | + } |
631 | + else |
632 | + ret = 1; |
633 | + break; |
634 | + } |
635 | + if (ret == 0) |
636 | + { |
637 | + ctx->error_depth = i; |
638 | + ctx->current_cert = x; |
639 | + ok=cb(0,ctx); |
640 | + if (!ok) goto end; |
641 | + } |
642 | + if (ctx->param->purpose > 0) |
643 | + { |
644 | + ret = X509_check_purpose(x, purpose, must_be_ca > 0); |
645 | + if ((ret == 0) |
646 | + || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) |
647 | + && (ret != 1))) |
648 | + { |
649 | + ctx->error = X509_V_ERR_INVALID_PURPOSE; |
650 | + ctx->error_depth = i; |
651 | + ctx->current_cert = x; |
652 | + ok=cb(0,ctx); |
653 | + if (!ok) goto end; |
654 | + } |
655 | + } |
656 | + /* Check pathlen if not self issued */ |
657 | + if ((i > 1) && !(x->ex_flags & EXFLAG_SI) |
658 | + && (x->ex_pathlen != -1) |
659 | + && (plen > (x->ex_pathlen + proxy_path_length + 1))) |
660 | + { |
661 | + ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; |
662 | + ctx->error_depth = i; |
663 | + ctx->current_cert = x; |
664 | + ok=cb(0,ctx); |
665 | + if (!ok) goto end; |
666 | + } |
667 | + /* Increment path length if not self issued */ |
668 | + if (!(x->ex_flags & EXFLAG_SI)) |
669 | + plen++; |
670 | + /* If this certificate is a proxy certificate, the next |
671 | + certificate must be another proxy certificate or a EE |
672 | + certificate. If not, the next certificate must be a |
673 | + CA certificate. */ |
674 | + if (x->ex_flags & EXFLAG_PROXY) |
675 | + { |
676 | + if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) |
677 | + { |
678 | + ctx->error = |
679 | + X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; |
680 | + ctx->error_depth = i; |
681 | + ctx->current_cert = x; |
682 | + ok=cb(0,ctx); |
683 | + if (!ok) goto end; |
684 | + } |
685 | + proxy_path_length++; |
686 | + must_be_ca = 0; |
687 | + } |
688 | + else |
689 | + must_be_ca = 1; |
690 | + } |
691 | + ok = 1; |
692 | + end: |
693 | + return ok; |
694 | +#endif |
695 | +} |
696 | + |
697 | +static int check_name_constraints(X509_STORE_CTX *ctx) |
698 | + { |
699 | + X509 *x; |
700 | + int i, j, rv; |
701 | + /* Check name constraints for all certificates */ |
702 | + for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) |
703 | + { |
704 | + x = sk_X509_value(ctx->chain, i); |
705 | + /* Ignore self issued certs unless last in chain */ |
706 | + if (i && (x->ex_flags & EXFLAG_SI)) |
707 | + continue; |
708 | + /* Check against constraints for all certificates higher in |
709 | + * chain including trust anchor. Trust anchor not strictly |
710 | + * speaking needed but if it includes constraints it is to be |
711 | + * assumed it expects them to be obeyed. |
712 | + */ |
713 | + for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) |
714 | + { |
715 | + NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; |
716 | + if (nc) |
717 | + { |
718 | + rv = NAME_CONSTRAINTS_check(x, nc); |
719 | + if (rv != X509_V_OK) |
720 | + { |
721 | + ctx->error = rv; |
722 | + ctx->error_depth = i; |
723 | + ctx->current_cert = x; |
724 | + if (!ctx->verify_cb(0,ctx)) |
725 | + return 0; |
726 | + } |
727 | + } |
728 | + } |
729 | + } |
730 | + return 1; |
731 | + } |
732 | + |
733 | +static int check_trust(X509_STORE_CTX *ctx) |
734 | +{ |
735 | +#ifdef OPENSSL_NO_CHAIN_VERIFY |
736 | + return 1; |
737 | +#else |
738 | + int i, ok; |
739 | + X509 *x; |
740 | + int (*cb)(int xok,X509_STORE_CTX *xctx); |
741 | + cb=ctx->verify_cb; |
742 | +/* For now just check the last certificate in the chain */ |
743 | + i = sk_X509_num(ctx->chain) - 1; |
744 | + x = sk_X509_value(ctx->chain, i); |
745 | + ok = X509_check_trust(x, ctx->param->trust, 0); |
746 | + if (ok == X509_TRUST_TRUSTED) |
747 | + return 1; |
748 | + ctx->error_depth = i; |
749 | + ctx->current_cert = x; |
750 | + if (ok == X509_TRUST_REJECTED) |
751 | + ctx->error = X509_V_ERR_CERT_REJECTED; |
752 | + else |
753 | + ctx->error = X509_V_ERR_CERT_UNTRUSTED; |
754 | + ok = cb(0, ctx); |
755 | + return ok; |
756 | +#endif |
757 | +} |
758 | + |
759 | +static int check_revocation(X509_STORE_CTX *ctx) |
760 | + { |
761 | + int i, last, ok; |
762 | + if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) |
763 | + return 1; |
764 | + if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) |
765 | + last = sk_X509_num(ctx->chain) - 1; |
766 | + else |
767 | + { |
768 | + /* If checking CRL paths this isn't the EE certificate */ |
769 | + if (ctx->parent) |
770 | + return 1; |
771 | + last = 0; |
772 | + } |
773 | + for(i = 0; i <= last; i++) |
774 | + { |
775 | + ctx->error_depth = i; |
776 | + ok = check_cert(ctx); |
777 | + if (!ok) return ok; |
778 | + } |
779 | + return 1; |
780 | + } |
781 | + |
782 | +static int check_cert(X509_STORE_CTX *ctx) |
783 | + { |
784 | + X509_CRL *crl = NULL, *dcrl = NULL; |
785 | + X509 *x; |
786 | + int ok, cnum; |
787 | + cnum = ctx->error_depth; |
788 | + x = sk_X509_value(ctx->chain, cnum); |
789 | + ctx->current_cert = x; |
790 | + ctx->current_issuer = NULL; |
791 | + ctx->current_crl_score = 0; |
792 | + ctx->current_reasons = 0; |
793 | + while (ctx->current_reasons != CRLDP_ALL_REASONS) |
794 | + { |
795 | + /* Try to retrieve relevant CRL */ |
796 | + if (ctx->get_crl) |
797 | + ok = ctx->get_crl(ctx, &crl, x); |
798 | + else |
799 | + ok = get_crl_delta(ctx, &crl, &dcrl, x); |
800 | + /* If error looking up CRL, nothing we can do except |
801 | + * notify callback |
802 | + */ |
803 | + if(!ok) |
804 | + { |
805 | + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; |
806 | + ok = ctx->verify_cb(0, ctx); |
807 | + goto err; |
808 | + } |
809 | + ctx->current_crl = crl; |
810 | + ok = ctx->check_crl(ctx, crl); |
811 | + if (!ok) |
812 | + goto err; |
813 | + |
814 | + if (dcrl) |
815 | + { |
816 | + ok = ctx->check_crl(ctx, dcrl); |
817 | + if (!ok) |
818 | + goto err; |
819 | + ok = ctx->cert_crl(ctx, dcrl, x); |
820 | + if (!ok) |
821 | + goto err; |
822 | + } |
823 | + else |
824 | + ok = 1; |
825 | + |
826 | + /* Don't look in full CRL if delta reason is removefromCRL */ |
827 | + if (ok != 2) |
828 | + { |
829 | + ok = ctx->cert_crl(ctx, crl, x); |
830 | + if (!ok) |
831 | + goto err; |
832 | + } |
833 | + |
834 | + X509_CRL_free(crl); |
835 | + X509_CRL_free(dcrl); |
836 | + crl = NULL; |
837 | + dcrl = NULL; |
838 | + } |
839 | + err: |
840 | + X509_CRL_free(crl); |
841 | + X509_CRL_free(dcrl); |
842 | + |
843 | + ctx->current_crl = NULL; |
844 | + return ok; |
845 | + |
846 | + } |
847 | + |
848 | +/* Check CRL times against values in X509_STORE_CTX */ |
849 | + |
850 | +static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) |
851 | + { |
852 | + time_t *ptime; |
853 | + int i; |
854 | + if (notify) |
855 | + ctx->current_crl = crl; |
856 | + if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) |
857 | + ptime = &ctx->param->check_time; |
858 | + else |
859 | + ptime = NULL; |
860 | + |
861 | + i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); |
862 | + if (i == 0) |
863 | + { |
864 | + if (!notify) |
865 | + return 0; |
866 | + ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; |
867 | + if (!ctx->verify_cb(0, ctx)) |
868 | + return 0; |
869 | + } |
870 | + |
871 | + if (i > 0) |
872 | + { |
873 | + if (!notify) |
874 | + return 0; |
875 | + ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; |
876 | + if (!ctx->verify_cb(0, ctx)) |
877 | + return 0; |
878 | + } |
879 | + |
880 | + if(X509_CRL_get_nextUpdate(crl)) |
881 | + { |
882 | + i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); |
883 | + |
884 | + if (i == 0) |
885 | + { |
886 | + if (!notify) |
887 | + return 0; |
888 | + ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; |
889 | + if (!ctx->verify_cb(0, ctx)) |
890 | + return 0; |
891 | + } |
892 | + /* Ignore expiry of base CRL is delta is valid */ |
893 | + if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) |
894 | + { |
895 | + if (!notify) |
896 | + return 0; |
897 | + ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; |
898 | + if (!ctx->verify_cb(0, ctx)) |
899 | + return 0; |
900 | + } |
901 | + } |
902 | + |
903 | + if (notify) |
904 | + ctx->current_crl = NULL; |
905 | + |
906 | + return 1; |
907 | + } |
908 | + |
909 | +static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, |
910 | + X509 **pissuer, int *pscore, unsigned int *preasons, |
911 | + STACK_OF(X509_CRL) *crls) |
912 | + { |
913 | + int i, crl_score, best_score = *pscore; |
914 | + unsigned int reasons, best_reasons = 0; |
915 | + X509 *x = ctx->current_cert; |
916 | + X509_CRL *crl, *best_crl = NULL; |
917 | + X509 *crl_issuer = NULL, *best_crl_issuer = NULL; |
918 | + |
919 | + for (i = 0; i < sk_X509_CRL_num(crls); i++) |
920 | + { |
921 | + crl = sk_X509_CRL_value(crls, i); |
922 | + reasons = *preasons; |
923 | + crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); |
924 | + |
925 | + if (crl_score > best_score) |
926 | + { |
927 | + best_crl = crl; |
928 | + best_crl_issuer = crl_issuer; |
929 | + best_score = crl_score; |
930 | + best_reasons = reasons; |
931 | + } |
932 | + } |
933 | + |
934 | + if (best_crl) |
935 | + { |
936 | + if (*pcrl) |
937 | + X509_CRL_free(*pcrl); |
938 | + *pcrl = best_crl; |
939 | + *pissuer = best_crl_issuer; |
940 | + *pscore = best_score; |
941 | + *preasons = best_reasons; |
942 | + CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); |
943 | + if (*pdcrl) |
944 | + { |
945 | + X509_CRL_free(*pdcrl); |
946 | + *pdcrl = NULL; |
947 | + } |
948 | + get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); |
949 | + } |
950 | + |
951 | + if (best_score >= CRL_SCORE_VALID) |
952 | + return 1; |
953 | + |
954 | + return 0; |
955 | + } |
956 | + |
957 | +/* Compare two CRL extensions for delta checking purposes. They should be |
958 | + * both present or both absent. If both present all fields must be identical. |
959 | + */ |
960 | + |
961 | +static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) |
962 | + { |
963 | + ASN1_OCTET_STRING *exta, *extb; |
964 | + int i; |
965 | + i = X509_CRL_get_ext_by_NID(a, nid, 0); |
966 | + if (i >= 0) |
967 | + { |
968 | + /* Can't have multiple occurrences */ |
969 | + if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) |
970 | + return 0; |
971 | + exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); |
972 | + } |
973 | + else |
974 | + exta = NULL; |
975 | + |
976 | + i = X509_CRL_get_ext_by_NID(b, nid, 0); |
977 | + |
978 | + if (i >= 0) |
979 | + { |
980 | + |
981 | + if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) |
982 | + return 0; |
983 | + extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); |
984 | + } |
985 | + else |
986 | + extb = NULL; |
987 | + |
988 | + if (!exta && !extb) |
989 | + return 1; |
990 | + |
991 | + if (!exta || !extb) |
992 | + return 0; |
993 | + |
994 | + |
995 | + if (ASN1_OCTET_STRING_cmp(exta, extb)) |
996 | + return 0; |
997 | + |
998 | + return 1; |
999 | + } |
1000 | + |
1001 | +/* See if a base and delta are compatible */ |
1002 | + |
1003 | +static int check_delta_base(X509_CRL *delta, X509_CRL *base) |
1004 | + { |
1005 | + /* Delta CRL must be a delta */ |
1006 | + if (!delta->base_crl_number) |
1007 | + return 0; |
1008 | + /* Base must have a CRL number */ |
1009 | + if (!base->crl_number) |
1010 | + return 0; |
1011 | + /* Issuer names must match */ |
1012 | + if (X509_NAME_cmp(X509_CRL_get_issuer(base), |
1013 | + X509_CRL_get_issuer(delta))) |
1014 | + return 0; |
1015 | + /* AKID and IDP must match */ |
1016 | + if (!crl_extension_match(delta, base, NID_authority_key_identifier)) |
1017 | + return 0; |
1018 | + if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) |
1019 | + return 0; |
1020 | + /* Delta CRL base number must not exceed Full CRL number. */ |
1021 | + if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) |
1022 | + return 0; |
1023 | + /* Delta CRL number must exceed full CRL number */ |
1024 | + if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) |
1025 | + return 1; |
1026 | + return 0; |
1027 | + } |
1028 | + |
1029 | +/* For a given base CRL find a delta... maybe extend to delta scoring |
1030 | + * or retrieve a chain of deltas... |
1031 | + */ |
1032 | + |
1033 | +static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, |
1034 | + X509_CRL *base, STACK_OF(X509_CRL) *crls) |
1035 | + { |
1036 | + X509_CRL *delta; |
1037 | + int i; |
1038 | + if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) |
1039 | + return; |
1040 | + if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) |
1041 | + return; |
1042 | + for (i = 0; i < sk_X509_CRL_num(crls); i++) |
1043 | + { |
1044 | + delta = sk_X509_CRL_value(crls, i); |
1045 | + if (check_delta_base(delta, base)) |
1046 | + { |
1047 | + if (check_crl_time(ctx, delta, 0)) |
1048 | + *pscore |= CRL_SCORE_TIME_DELTA; |
1049 | + CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); |
1050 | + *dcrl = delta; |
1051 | + return; |
1052 | + } |
1053 | + } |
1054 | + *dcrl = NULL; |
1055 | + } |
1056 | + |
1057 | +/* For a given CRL return how suitable it is for the supplied certificate 'x'. |
1058 | + * The return value is a mask of several criteria. |
1059 | + * If the issuer is not the certificate issuer this is returned in *pissuer. |
1060 | + * The reasons mask is also used to determine if the CRL is suitable: if |
1061 | + * no new reasons the CRL is rejected, otherwise reasons is updated. |
1062 | + */ |
1063 | + |
1064 | +static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, |
1065 | + unsigned int *preasons, |
1066 | + X509_CRL *crl, X509 *x) |
1067 | + { |
1068 | + |
1069 | + int crl_score = 0; |
1070 | + unsigned int tmp_reasons = *preasons, crl_reasons; |
1071 | + |
1072 | + /* First see if we can reject CRL straight away */ |
1073 | + |
1074 | + /* Invalid IDP cannot be processed */ |
1075 | + if (crl->idp_flags & IDP_INVALID) |
1076 | + return 0; |
1077 | + /* Reason codes or indirect CRLs need extended CRL support */ |
1078 | + if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) |
1079 | + { |
1080 | + if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) |
1081 | + return 0; |
1082 | + } |
1083 | + else if (crl->idp_flags & IDP_REASONS) |
1084 | + { |
1085 | + /* If no new reasons reject */ |
1086 | + if (!(crl->idp_reasons & ~tmp_reasons)) |
1087 | + return 0; |
1088 | + } |
1089 | + /* Don't process deltas at this stage */ |
1090 | + else if (crl->base_crl_number) |
1091 | + return 0; |
1092 | + /* If issuer name doesn't match certificate need indirect CRL */ |
1093 | + if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) |
1094 | + { |
1095 | + if (!(crl->idp_flags & IDP_INDIRECT)) |
1096 | + return 0; |
1097 | + } |
1098 | + else |
1099 | + crl_score |= CRL_SCORE_ISSUER_NAME; |
1100 | + |
1101 | + if (!(crl->flags & EXFLAG_CRITICAL)) |
1102 | + crl_score |= CRL_SCORE_NOCRITICAL; |
1103 | + |
1104 | + /* Check expiry */ |
1105 | + if (check_crl_time(ctx, crl, 0)) |
1106 | + crl_score |= CRL_SCORE_TIME; |
1107 | + |
1108 | + /* Check authority key ID and locate certificate issuer */ |
1109 | + crl_akid_check(ctx, crl, pissuer, &crl_score); |
1110 | + |
1111 | + /* If we can't locate certificate issuer at this point forget it */ |
1112 | + |
1113 | + if (!(crl_score & CRL_SCORE_AKID)) |
1114 | + return 0; |
1115 | + |
1116 | + /* Check cert for matching CRL distribution points */ |
1117 | + |
1118 | + if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) |
1119 | + { |
1120 | + /* If no new reasons reject */ |
1121 | + if (!(crl_reasons & ~tmp_reasons)) |
1122 | + return 0; |
1123 | + tmp_reasons |= crl_reasons; |
1124 | + crl_score |= CRL_SCORE_SCOPE; |
1125 | + } |
1126 | + |
1127 | + *preasons = tmp_reasons; |
1128 | + |
1129 | + return crl_score; |
1130 | + |
1131 | + } |
1132 | + |
1133 | +static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, |
1134 | + X509 **pissuer, int *pcrl_score) |
1135 | + { |
1136 | + X509 *crl_issuer = NULL; |
1137 | + X509_NAME *cnm = X509_CRL_get_issuer(crl); |
1138 | + int cidx = ctx->error_depth; |
1139 | + int i; |
1140 | + |
1141 | + if (cidx != sk_X509_num(ctx->chain) - 1) |
1142 | + cidx++; |
1143 | + |
1144 | + crl_issuer = sk_X509_value(ctx->chain, cidx); |
1145 | + |
1146 | + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) |
1147 | + { |
1148 | + if (*pcrl_score & CRL_SCORE_ISSUER_NAME) |
1149 | + { |
1150 | + *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; |
1151 | + *pissuer = crl_issuer; |
1152 | + return; |
1153 | + } |
1154 | + } |
1155 | + |
1156 | + for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) |
1157 | + { |
1158 | + crl_issuer = sk_X509_value(ctx->chain, cidx); |
1159 | + if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) |
1160 | + continue; |
1161 | + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) |
1162 | + { |
1163 | + *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; |
1164 | + *pissuer = crl_issuer; |
1165 | + return; |
1166 | + } |
1167 | + } |
1168 | + |
1169 | + /* Anything else needs extended CRL support */ |
1170 | + |
1171 | + if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) |
1172 | + return; |
1173 | + |
1174 | + /* Otherwise the CRL issuer is not on the path. Look for it in the |
1175 | + * set of untrusted certificates. |
1176 | + */ |
1177 | + for (i = 0; i < sk_X509_num(ctx->untrusted); i++) |
1178 | + { |
1179 | + crl_issuer = sk_X509_value(ctx->untrusted, i); |
1180 | + if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) |
1181 | + continue; |
1182 | + if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) |
1183 | + { |
1184 | + *pissuer = crl_issuer; |
1185 | + *pcrl_score |= CRL_SCORE_AKID; |
1186 | + return; |
1187 | + } |
1188 | + } |
1189 | + } |
1190 | + |
1191 | +/* Check the path of a CRL issuer certificate. This creates a new |
1192 | + * X509_STORE_CTX and populates it with most of the parameters from the |
1193 | + * parent. This could be optimised somewhat since a lot of path checking |
1194 | + * will be duplicated by the parent, but this will rarely be used in |
1195 | + * practice. |
1196 | + */ |
1197 | + |
1198 | +static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) |
1199 | + { |
1200 | + X509_STORE_CTX crl_ctx; |
1201 | + int ret; |
1202 | + /* Don't allow recursive CRL path validation */ |
1203 | + if (ctx->parent) |
1204 | + return 0; |
1205 | + if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) |
1206 | + return -1; |
1207 | + |
1208 | + crl_ctx.crls = ctx->crls; |
1209 | + /* Copy verify params across */ |
1210 | + X509_STORE_CTX_set0_param(&crl_ctx, ctx->param); |
1211 | + |
1212 | + crl_ctx.parent = ctx; |
1213 | + crl_ctx.verify_cb = ctx->verify_cb; |
1214 | + |
1215 | + /* Verify CRL issuer */ |
1216 | + ret = X509_verify_cert(&crl_ctx); |
1217 | + |
1218 | + if (ret <= 0) |
1219 | + goto err; |
1220 | + |
1221 | + /* Check chain is acceptable */ |
1222 | + |
1223 | + ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); |
1224 | + err: |
1225 | + X509_STORE_CTX_cleanup(&crl_ctx); |
1226 | + return ret; |
1227 | + } |
1228 | + |
1229 | +/* RFC3280 says nothing about the relationship between CRL path |
1230 | + * and certificate path, which could lead to situations where a |
1231 | + * certificate could be revoked or validated by a CA not authorised |
1232 | + * to do so. RFC5280 is more strict and states that the two paths must |
1233 | + * end in the same trust anchor, though some discussions remain... |
1234 | + * until this is resolved we use the RFC5280 version |
1235 | + */ |
1236 | + |
1237 | +static int check_crl_chain(X509_STORE_CTX *ctx, |
1238 | + STACK_OF(X509) *cert_path, |
1239 | + STACK_OF(X509) *crl_path) |
1240 | + { |
1241 | + X509 *cert_ta, *crl_ta; |
1242 | + cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); |
1243 | + crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); |
1244 | + if (!X509_cmp(cert_ta, crl_ta)) |
1245 | + return 1; |
1246 | + return 0; |
1247 | + } |
1248 | + |
1249 | +/* Check for match between two dist point names: three separate cases. |
1250 | + * 1. Both are relative names and compare X509_NAME types. |
1251 | + * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES. |
1252 | + * 3. Both are full names and compare two GENERAL_NAMES. |
1253 | + * 4. One is NULL: automatic match. |
1254 | + */ |
1255 | + |
1256 | + |
1257 | +static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) |
1258 | + { |
1259 | + X509_NAME *nm = NULL; |
1260 | + GENERAL_NAMES *gens = NULL; |
1261 | + GENERAL_NAME *gena, *genb; |
1262 | + int i, j; |
1263 | + if (!a || !b) |
1264 | + return 1; |
1265 | + if (a->type == 1) |
1266 | + { |
1267 | + if (!a->dpname) |
1268 | + return 0; |
1269 | + /* Case 1: two X509_NAME */ |
1270 | + if (b->type == 1) |
1271 | + { |
1272 | + if (!b->dpname) |
1273 | + return 0; |
1274 | + if (!X509_NAME_cmp(a->dpname, b->dpname)) |
1275 | + return 1; |
1276 | + else |
1277 | + return 0; |
1278 | + } |
1279 | + /* Case 2: set name and GENERAL_NAMES appropriately */ |
1280 | + nm = a->dpname; |
1281 | + gens = b->name.fullname; |
1282 | + } |
1283 | + else if (b->type == 1) |
1284 | + { |
1285 | + if (!b->dpname) |
1286 | + return 0; |
1287 | + /* Case 2: set name and GENERAL_NAMES appropriately */ |
1288 | + gens = a->name.fullname; |
1289 | + nm = b->dpname; |
1290 | + } |
1291 | + |
1292 | + /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ |
1293 | + if (nm) |
1294 | + { |
1295 | + for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) |
1296 | + { |
1297 | + gena = sk_GENERAL_NAME_value(gens, i); |
1298 | + if (gena->type != GEN_DIRNAME) |
1299 | + continue; |
1300 | + if (!X509_NAME_cmp(nm, gena->d.directoryName)) |
1301 | + return 1; |
1302 | + } |
1303 | + return 0; |
1304 | + } |
1305 | + |
1306 | + /* Else case 3: two GENERAL_NAMES */ |
1307 | + |
1308 | + for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) |
1309 | + { |
1310 | + gena = sk_GENERAL_NAME_value(a->name.fullname, i); |
1311 | + for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) |
1312 | + { |
1313 | + genb = sk_GENERAL_NAME_value(b->name.fullname, j); |
1314 | + if (!GENERAL_NAME_cmp(gena, genb)) |
1315 | + return 1; |
1316 | + } |
1317 | + } |
1318 | + |
1319 | + return 0; |
1320 | + |
1321 | + } |
1322 | + |
1323 | +static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) |
1324 | + { |
1325 | + int i; |
1326 | + X509_NAME *nm = X509_CRL_get_issuer(crl); |
1327 | + /* If no CRLissuer return is successful iff don't need a match */ |
1328 | + if (!dp->CRLissuer) |
1329 | + return !!(crl_score & CRL_SCORE_ISSUER_NAME); |
1330 | + for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) |
1331 | + { |
1332 | + GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); |
1333 | + if (gen->type != GEN_DIRNAME) |
1334 | + continue; |
1335 | + if (!X509_NAME_cmp(gen->d.directoryName, nm)) |
1336 | + return 1; |
1337 | + } |
1338 | + return 0; |
1339 | + } |
1340 | + |
1341 | +/* Check CRLDP and IDP */ |
1342 | + |
1343 | +static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, |
1344 | + unsigned int *preasons) |
1345 | + { |
1346 | + int i; |
1347 | + if (crl->idp_flags & IDP_ONLYATTR) |
1348 | + return 0; |
1349 | + if (x->ex_flags & EXFLAG_CA) |
1350 | + { |
1351 | + if (crl->idp_flags & IDP_ONLYUSER) |
1352 | + return 0; |
1353 | + } |
1354 | + else |
1355 | + { |
1356 | + if (crl->idp_flags & IDP_ONLYCA) |
1357 | + return 0; |
1358 | + } |
1359 | + *preasons = crl->idp_reasons; |
1360 | + for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) |
1361 | + { |
1362 | + DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); |
1363 | + if (crldp_check_crlissuer(dp, crl, crl_score)) |
1364 | + { |
1365 | + if (!crl->idp || |
1366 | + idp_check_dp(dp->distpoint, crl->idp->distpoint)) |
1367 | + { |
1368 | + *preasons &= dp->dp_reasons; |
1369 | + return 1; |
1370 | + } |
1371 | + } |
1372 | + } |
1373 | + if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) |
1374 | + return 1; |
1375 | + return 0; |
1376 | + } |
1377 | + |
1378 | +/* Retrieve CRL corresponding to current certificate. |
1379 | + * If deltas enabled try to find a delta CRL too |
1380 | + */ |
1381 | + |
1382 | +static int get_crl_delta(X509_STORE_CTX *ctx, |
1383 | + X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) |
1384 | + { |
1385 | + int ok; |
1386 | + X509 *issuer = NULL; |
1387 | + int crl_score = 0; |
1388 | + unsigned int reasons; |
1389 | + X509_CRL *crl = NULL, *dcrl = NULL; |
1390 | + STACK_OF(X509_CRL) *skcrl; |
1391 | + X509_NAME *nm = X509_get_issuer_name(x); |
1392 | + reasons = ctx->current_reasons; |
1393 | + ok = get_crl_sk(ctx, &crl, &dcrl, |
1394 | + &issuer, &crl_score, &reasons, ctx->crls); |
1395 | + |
1396 | + if (ok) |
1397 | + goto done; |
1398 | + |
1399 | + /* Lookup CRLs from store */ |
1400 | + |
1401 | + skcrl = ctx->lookup_crls(ctx, nm); |
1402 | + |
1403 | + /* If no CRLs found and a near match from get_crl_sk use that */ |
1404 | + if (!skcrl && crl) |
1405 | + goto done; |
1406 | + |
1407 | + get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); |
1408 | + |
1409 | + sk_X509_CRL_pop_free(skcrl, X509_CRL_free); |
1410 | + |
1411 | + done: |
1412 | + |
1413 | + /* If we got any kind of CRL use it and return success */ |
1414 | + if (crl) |
1415 | + { |
1416 | + ctx->current_issuer = issuer; |
1417 | + ctx->current_crl_score = crl_score; |
1418 | + ctx->current_reasons = reasons; |
1419 | + *pcrl = crl; |
1420 | + *pdcrl = dcrl; |
1421 | + return 1; |
1422 | + } |
1423 | + |
1424 | + return 0; |
1425 | + } |
1426 | + |
1427 | +/* Check CRL validity */ |
1428 | +static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) |
1429 | + { |
1430 | + X509 *issuer = NULL; |
1431 | + EVP_PKEY *ikey = NULL; |
1432 | + int ok = 0, chnum, cnum; |
1433 | + cnum = ctx->error_depth; |
1434 | + chnum = sk_X509_num(ctx->chain) - 1; |
1435 | + /* if we have an alternative CRL issuer cert use that */ |
1436 | + if (ctx->current_issuer) |
1437 | + issuer = ctx->current_issuer; |
1438 | + |
1439 | + /* Else find CRL issuer: if not last certificate then issuer |
1440 | + * is next certificate in chain. |
1441 | + */ |
1442 | + else if (cnum < chnum) |
1443 | + issuer = sk_X509_value(ctx->chain, cnum + 1); |
1444 | + else |
1445 | + { |
1446 | + issuer = sk_X509_value(ctx->chain, chnum); |
1447 | + /* If not self signed, can't check signature */ |
1448 | + if(!ctx->check_issued(ctx, issuer, issuer)) |
1449 | + { |
1450 | + ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; |
1451 | + ok = ctx->verify_cb(0, ctx); |
1452 | + if(!ok) goto err; |
1453 | + } |
1454 | + } |
1455 | + |
1456 | + if(issuer) |
1457 | + { |
1458 | + /* Skip most tests for deltas because they have already |
1459 | + * been done |
1460 | + */ |
1461 | + if (!crl->base_crl_number) |
1462 | + { |
1463 | + /* Check for cRLSign bit if keyUsage present */ |
1464 | + if ((issuer->ex_flags & EXFLAG_KUSAGE) && |
1465 | + !(issuer->ex_kusage & KU_CRL_SIGN)) |
1466 | + { |
1467 | + ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; |
1468 | + ok = ctx->verify_cb(0, ctx); |
1469 | + if(!ok) goto err; |
1470 | + } |
1471 | + |
1472 | + if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) |
1473 | + { |
1474 | + ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; |
1475 | + ok = ctx->verify_cb(0, ctx); |
1476 | + if(!ok) goto err; |
1477 | + } |
1478 | + |
1479 | + if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) |
1480 | + { |
1481 | + if (check_crl_path(ctx, ctx->current_issuer) <= 0) |
1482 | + { |
1483 | + ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; |
1484 | + ok = ctx->verify_cb(0, ctx); |
1485 | + if(!ok) goto err; |
1486 | + } |
1487 | + } |
1488 | + |
1489 | + if (crl->idp_flags & IDP_INVALID) |
1490 | + { |
1491 | + ctx->error = X509_V_ERR_INVALID_EXTENSION; |
1492 | + ok = ctx->verify_cb(0, ctx); |
1493 | + if(!ok) goto err; |
1494 | + } |
1495 | + |
1496 | + |
1497 | + } |
1498 | + |
1499 | + if (!(ctx->current_crl_score & CRL_SCORE_TIME)) |
1500 | + { |
1501 | + ok = check_crl_time(ctx, crl, 1); |
1502 | + if (!ok) |
1503 | + goto err; |
1504 | + } |
1505 | + |
1506 | + /* Attempt to get issuer certificate public key */ |
1507 | + ikey = X509_get_pubkey(issuer); |
1508 | + |
1509 | + if(!ikey) |
1510 | + { |
1511 | + ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; |
1512 | + ok = ctx->verify_cb(0, ctx); |
1513 | + if (!ok) goto err; |
1514 | + } |
1515 | + else |
1516 | + { |
1517 | + /* Verify CRL signature */ |
1518 | + if(X509_CRL_verify(crl, ikey) <= 0) |
1519 | + { |
1520 | + ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; |
1521 | + ok = ctx->verify_cb(0, ctx); |
1522 | + if (!ok) goto err; |
1523 | + } |
1524 | + } |
1525 | + } |
1526 | + |
1527 | + ok = 1; |
1528 | + |
1529 | + err: |
1530 | + EVP_PKEY_free(ikey); |
1531 | + return ok; |
1532 | + } |
1533 | + |
1534 | +/* Check certificate against CRL */ |
1535 | +static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) |
1536 | + { |
1537 | + int ok; |
1538 | + X509_REVOKED *rev; |
1539 | + /* The rules changed for this... previously if a CRL contained |
1540 | + * unhandled critical extensions it could still be used to indicate |
1541 | + * a certificate was revoked. This has since been changed since |
1542 | + * critical extension can change the meaning of CRL entries. |
1543 | + */ |
1544 | + if (crl->flags & EXFLAG_CRITICAL) |
1545 | + { |
1546 | + if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) |
1547 | + return 1; |
1548 | + ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; |
1549 | + ok = ctx->verify_cb(0, ctx); |
1550 | + if(!ok) |
1551 | + return 0; |
1552 | + } |
1553 | + /* Look for serial number of certificate in CRL |
1554 | + * If found make sure reason is not removeFromCRL. |
1555 | + */ |
1556 | + if (X509_CRL_get0_by_cert(crl, &rev, x)) |
1557 | + { |
1558 | + if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) |
1559 | + return 2; |
1560 | + ctx->error = X509_V_ERR_CERT_REVOKED; |
1561 | + ok = ctx->verify_cb(0, ctx); |
1562 | + if (!ok) |
1563 | + return 0; |
1564 | + } |
1565 | + |
1566 | + return 1; |
1567 | + } |
1568 | + |
1569 | +static int check_policy(X509_STORE_CTX *ctx) |
1570 | + { |
1571 | + int ret; |
1572 | + if (ctx->parent) |
1573 | + return 1; |
1574 | + ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, |
1575 | + ctx->param->policies, ctx->param->flags); |
1576 | + if (ret == 0) |
1577 | + { |
1578 | + X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); |
1579 | + return 0; |
1580 | + } |
1581 | + /* Invalid or inconsistent extensions */ |
1582 | + if (ret == -1) |
1583 | + { |
1584 | + /* Locate certificates with bad extensions and notify |
1585 | + * callback. |
1586 | + */ |
1587 | + X509 *x; |
1588 | + int i; |
1589 | + for (i = 1; i < sk_X509_num(ctx->chain); i++) |
1590 | + { |
1591 | + x = sk_X509_value(ctx->chain, i); |
1592 | + if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) |
1593 | + continue; |
1594 | + ctx->current_cert = x; |
1595 | + ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; |
1596 | + if(!ctx->verify_cb(0, ctx)) |
1597 | + return 0; |
1598 | + } |
1599 | + return 1; |
1600 | + } |
1601 | + if (ret == -2) |
1602 | + { |
1603 | + ctx->current_cert = NULL; |
1604 | + ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; |
1605 | + return ctx->verify_cb(0, ctx); |
1606 | + } |
1607 | + |
1608 | + if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) |
1609 | + { |
1610 | + ctx->current_cert = NULL; |
1611 | + ctx->error = X509_V_OK; |
1612 | + if (!ctx->verify_cb(2, ctx)) |
1613 | + return 0; |
1614 | + } |
1615 | + |
1616 | + return 1; |
1617 | + } |
1618 | + |
1619 | +static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) |
1620 | + { |
1621 | + time_t *ptime; |
1622 | + int i; |
1623 | + |
1624 | + if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) |
1625 | + ptime = &ctx->param->check_time; |
1626 | + else |
1627 | + ptime = NULL; |
1628 | + |
1629 | + i=X509_cmp_time(X509_get_notBefore(x), ptime); |
1630 | + if (i == 0) |
1631 | + { |
1632 | + ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; |
1633 | + ctx->current_cert=x; |
1634 | + if (!ctx->verify_cb(0, ctx)) |
1635 | + return 0; |
1636 | + } |
1637 | + |
1638 | + if (i > 0) |
1639 | + { |
1640 | + ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; |
1641 | + ctx->current_cert=x; |
1642 | + if (!ctx->verify_cb(0, ctx)) |
1643 | + return 0; |
1644 | + } |
1645 | + |
1646 | + i=X509_cmp_time(X509_get_notAfter(x), ptime); |
1647 | + if (i == 0) |
1648 | + { |
1649 | + ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; |
1650 | + ctx->current_cert=x; |
1651 | + if (!ctx->verify_cb(0, ctx)) |
1652 | + return 0; |
1653 | + } |
1654 | + |
1655 | + if (i < 0) |
1656 | + { |
1657 | + ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; |
1658 | + ctx->current_cert=x; |
1659 | + if (!ctx->verify_cb(0, ctx)) |
1660 | + return 0; |
1661 | + } |
1662 | + |
1663 | + return 1; |
1664 | + } |
1665 | + |
1666 | +static int internal_verify(X509_STORE_CTX *ctx) |
1667 | + { |
1668 | + int ok=0,n; |
1669 | + X509 *xs,*xi; |
1670 | + EVP_PKEY *pkey=NULL; |
1671 | + int (*cb)(int xok,X509_STORE_CTX *xctx); |
1672 | + |
1673 | + cb=ctx->verify_cb; |
1674 | + |
1675 | + n=sk_X509_num(ctx->chain); |
1676 | + ctx->error_depth=n-1; |
1677 | + n--; |
1678 | + xi=sk_X509_value(ctx->chain,n); |
1679 | + |
1680 | + if (ctx->check_issued(ctx, xi, xi)) |
1681 | + xs=xi; |
1682 | + else |
1683 | + { |
1684 | + if (n <= 0) |
1685 | + { |
1686 | + ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; |
1687 | + ctx->current_cert=xi; |
1688 | + ok=cb(0,ctx); |
1689 | + goto end; |
1690 | + } |
1691 | + else |
1692 | + { |
1693 | + n--; |
1694 | + ctx->error_depth=n; |
1695 | + xs=sk_X509_value(ctx->chain,n); |
1696 | + } |
1697 | + } |
1698 | + |
1699 | +/* ctx->error=0; not needed */ |
1700 | + while (n >= 0) |
1701 | + { |
1702 | + ctx->error_depth=n; |
1703 | + |
1704 | + /* Skip signature check for self signed certificates unless |
1705 | + * explicitly asked for. It doesn't add any security and |
1706 | + * just wastes time. |
1707 | + */ |
1708 | + if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) |
1709 | + { |
1710 | + if ((pkey=X509_get_pubkey(xi)) == NULL) |
1711 | + { |
1712 | + ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; |
1713 | + ctx->current_cert=xi; |
1714 | + ok=(*cb)(0,ctx); |
1715 | + if (!ok) goto end; |
1716 | + } |
1717 | + else if (X509_verify(xs,pkey) <= 0) |
1718 | + { |
1719 | + ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; |
1720 | + ctx->current_cert=xs; |
1721 | + ok=(*cb)(0,ctx); |
1722 | + if (!ok) |
1723 | + { |
1724 | + EVP_PKEY_free(pkey); |
1725 | + goto end; |
1726 | + } |
1727 | + } |
1728 | + EVP_PKEY_free(pkey); |
1729 | + pkey=NULL; |
1730 | + } |
1731 | + |
1732 | + xs->valid = 1; |
1733 | + |
1734 | + ok = check_cert_time(ctx, xs); |
1735 | + if (!ok) |
1736 | + goto end; |
1737 | + |
1738 | + /* The last error (if any) is still in the error value */ |
1739 | + ctx->current_issuer=xi; |
1740 | + ctx->current_cert=xs; |
1741 | + ok=(*cb)(1,ctx); |
1742 | + if (!ok) goto end; |
1743 | + |
1744 | + n--; |
1745 | + if (n >= 0) |
1746 | + { |
1747 | + xi=xs; |
1748 | + xs=sk_X509_value(ctx->chain,n); |
1749 | + } |
1750 | + } |
1751 | + ok=1; |
1752 | +end: |
1753 | + return ok; |
1754 | + } |
1755 | + |
1756 | +int X509_cmp_current_time(const ASN1_TIME *ctm) |
1757 | +{ |
1758 | + return X509_cmp_time(ctm, NULL); |
1759 | +} |
1760 | + |
1761 | +int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) |
1762 | + { |
1763 | + char *str; |
1764 | + ASN1_TIME atm; |
1765 | + long offset; |
1766 | + char buff1[24],buff2[24],*p; |
1767 | + int i,j; |
1768 | + |
1769 | + p=buff1; |
1770 | + i=ctm->length; |
1771 | + str=(char *)ctm->data; |
1772 | + if (ctm->type == V_ASN1_UTCTIME) |
1773 | + { |
1774 | + if ((i < 11) || (i > 17)) return 0; |
1775 | + memcpy(p,str,10); |
1776 | + p+=10; |
1777 | + str+=10; |
1778 | + } |
1779 | + else |
1780 | + { |
1781 | + if (i < 13) return 0; |
1782 | + memcpy(p,str,12); |
1783 | + p+=12; |
1784 | + str+=12; |
1785 | + } |
1786 | + |
1787 | + if ((*str == 'Z') || (*str == '-') || (*str == '+')) |
1788 | + { *(p++)='0'; *(p++)='0'; } |
1789 | + else |
1790 | + { |
1791 | + *(p++)= *(str++); |
1792 | + *(p++)= *(str++); |
1793 | + /* Skip any fractional seconds... */ |
1794 | + if (*str == '.') |
1795 | + { |
1796 | + str++; |
1797 | + while ((*str >= '0') && (*str <= '9')) str++; |
1798 | + } |
1799 | + |
1800 | + } |
1801 | + *(p++)='Z'; |
1802 | + *(p++)='\0'; |
1803 | + |
1804 | + if (*str == 'Z') |
1805 | + offset=0; |
1806 | + else |
1807 | + { |
1808 | + if ((*str != '+') && (*str != '-')) |
1809 | + return 0; |
1810 | + offset=((str[1]-'0')*10+(str[2]-'0'))*60; |
1811 | + offset+=(str[3]-'0')*10+(str[4]-'0'); |
1812 | + if (*str == '-') |
1813 | + offset= -offset; |
1814 | + } |
1815 | + atm.type=ctm->type; |
1816 | + atm.flags = 0; |
1817 | + atm.length=sizeof(buff2); |
1818 | + atm.data=(unsigned char *)buff2; |
1819 | + |
1820 | + if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL) |
1821 | + return 0; |
1822 | + |
1823 | + if (ctm->type == V_ASN1_UTCTIME) |
1824 | + { |
1825 | + i=(buff1[0]-'0')*10+(buff1[1]-'0'); |
1826 | + if (i < 50) i+=100; /* cf. RFC 2459 */ |
1827 | + j=(buff2[0]-'0')*10+(buff2[1]-'0'); |
1828 | + if (j < 50) j+=100; |
1829 | + |
1830 | + if (i < j) return -1; |
1831 | + if (i > j) return 1; |
1832 | + } |
1833 | + i=strcmp(buff1,buff2); |
1834 | + if (i == 0) /* wait a second then return younger :-) */ |
1835 | + return -1; |
1836 | + else |
1837 | + return i; |
1838 | + } |
1839 | + |
1840 | +ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) |
1841 | +{ |
1842 | + return X509_time_adj(s, adj, NULL); |
1843 | +} |
1844 | + |
1845 | +ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) |
1846 | + { |
1847 | + return X509_time_adj_ex(s, 0, offset_sec, in_tm); |
1848 | + } |
1849 | + |
1850 | +ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, |
1851 | + int offset_day, long offset_sec, time_t *in_tm) |
1852 | + { |
1853 | + time_t t; |
1854 | + |
1855 | + if (in_tm) t = *in_tm; |
1856 | + else time(&t); |
1857 | + |
1858 | + if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) |
1859 | + { |
1860 | + if (s->type == V_ASN1_UTCTIME) |
1861 | + return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); |
1862 | + if (s->type == V_ASN1_GENERALIZEDTIME) |
1863 | + return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, |
1864 | + offset_sec); |
1865 | + } |
1866 | + return ASN1_TIME_adj(s, t, offset_day, offset_sec); |
1867 | + } |
1868 | + |
1869 | +int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) |
1870 | + { |
1871 | + EVP_PKEY *ktmp=NULL,*ktmp2; |
1872 | + int i,j; |
1873 | + |
1874 | + if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; |
1875 | + |
1876 | + for (i=0; i<sk_X509_num(chain); i++) |
1877 | + { |
1878 | + ktmp=X509_get_pubkey(sk_X509_value(chain,i)); |
1879 | + if (ktmp == NULL) |
1880 | + { |
1881 | + X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); |
1882 | + return 0; |
1883 | + } |
1884 | + if (!EVP_PKEY_missing_parameters(ktmp)) |
1885 | + break; |
1886 | + else |
1887 | + { |
1888 | + EVP_PKEY_free(ktmp); |
1889 | + ktmp=NULL; |
1890 | + } |
1891 | + } |
1892 | + if (ktmp == NULL) |
1893 | + { |
1894 | + X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); |
1895 | + return 0; |
1896 | + } |
1897 | + |
1898 | + /* first, populate the other certs */ |
1899 | + for (j=i-1; j >= 0; j--) |
1900 | + { |
1901 | + ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); |
1902 | + EVP_PKEY_copy_parameters(ktmp2,ktmp); |
1903 | + EVP_PKEY_free(ktmp2); |
1904 | + } |
1905 | + |
1906 | + if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); |
1907 | + EVP_PKEY_free(ktmp); |
1908 | + return 1; |
1909 | + } |
1910 | + |
1911 | +int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, |
1912 | + CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) |
1913 | + { |
1914 | + /* This function is (usually) called only once, by |
1915 | + * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ |
1916 | + return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, |
1917 | + new_func, dup_func, free_func); |
1918 | + } |
1919 | + |
1920 | +int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) |
1921 | + { |
1922 | + return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); |
1923 | + } |
1924 | + |
1925 | +void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) |
1926 | + { |
1927 | + return CRYPTO_get_ex_data(&ctx->ex_data,idx); |
1928 | + } |
1929 | + |
1930 | +int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) |
1931 | + { |
1932 | + return ctx->error; |
1933 | + } |
1934 | + |
1935 | +void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) |
1936 | + { |
1937 | + ctx->error=err; |
1938 | + } |
1939 | + |
1940 | +int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) |
1941 | + { |
1942 | + return ctx->error_depth; |
1943 | + } |
1944 | + |
1945 | +X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) |
1946 | + { |
1947 | + return ctx->current_cert; |
1948 | + } |
1949 | + |
1950 | +STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) |
1951 | + { |
1952 | + return ctx->chain; |
1953 | + } |
1954 | + |
1955 | +STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) |
1956 | + { |
1957 | + int i; |
1958 | + X509 *x; |
1959 | + STACK_OF(X509) *chain; |
1960 | + if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; |
1961 | + for (i = 0; i < sk_X509_num(chain); i++) |
1962 | + { |
1963 | + x = sk_X509_value(chain, i); |
1964 | + CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); |
1965 | + } |
1966 | + return chain; |
1967 | + } |
1968 | + |
1969 | +X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) |
1970 | + { |
1971 | + return ctx->current_issuer; |
1972 | + } |
1973 | + |
1974 | +X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) |
1975 | + { |
1976 | + return ctx->current_crl; |
1977 | + } |
1978 | + |
1979 | +X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) |
1980 | + { |
1981 | + return ctx->parent; |
1982 | + } |
1983 | + |
1984 | +void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) |
1985 | + { |
1986 | + ctx->cert=x; |
1987 | + } |
1988 | + |
1989 | +void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) |
1990 | + { |
1991 | + ctx->untrusted=sk; |
1992 | + } |
1993 | + |
1994 | +void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) |
1995 | + { |
1996 | + ctx->crls=sk; |
1997 | + } |
1998 | + |
1999 | +int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) |
2000 | + { |
2001 | + return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); |
2002 | + } |
2003 | + |
2004 | +int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) |
2005 | + { |
2006 | + return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); |
2007 | + } |
2008 | + |
2009 | +/* This function is used to set the X509_STORE_CTX purpose and trust |
2010 | + * values. This is intended to be used when another structure has its |
2011 | + * own trust and purpose values which (if set) will be inherited by |
2012 | + * the ctx. If they aren't set then we will usually have a default |
2013 | + * purpose in mind which should then be used to set the trust value. |
2014 | + * An example of this is SSL use: an SSL structure will have its own |
2015 | + * purpose and trust settings which the application can set: if they |
2016 | + * aren't set then we use the default of SSL client/server. |
2017 | + */ |
2018 | + |
2019 | +int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, |
2020 | + int purpose, int trust) |
2021 | +{ |
2022 | + int idx; |
2023 | + /* If purpose not set use default */ |
2024 | + if (!purpose) purpose = def_purpose; |
2025 | + /* If we have a purpose then check it is valid */ |
2026 | + if (purpose) |
2027 | + { |
2028 | + X509_PURPOSE *ptmp; |
2029 | + idx = X509_PURPOSE_get_by_id(purpose); |
2030 | + if (idx == -1) |
2031 | + { |
2032 | + X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, |
2033 | + X509_R_UNKNOWN_PURPOSE_ID); |
2034 | + return 0; |
2035 | + } |
2036 | + ptmp = X509_PURPOSE_get0(idx); |
2037 | + if (ptmp->trust == X509_TRUST_DEFAULT) |
2038 | + { |
2039 | + idx = X509_PURPOSE_get_by_id(def_purpose); |
2040 | + if (idx == -1) |
2041 | + { |
2042 | + X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, |
2043 | + X509_R_UNKNOWN_PURPOSE_ID); |
2044 | + return 0; |
2045 | + } |
2046 | + ptmp = X509_PURPOSE_get0(idx); |
2047 | + } |
2048 | + /* If trust not set then get from purpose default */ |
2049 | + if (!trust) trust = ptmp->trust; |
2050 | + } |
2051 | + if (trust) |
2052 | + { |
2053 | + idx = X509_TRUST_get_by_id(trust); |
2054 | + if (idx == -1) |
2055 | + { |
2056 | + X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, |
2057 | + X509_R_UNKNOWN_TRUST_ID); |
2058 | + return 0; |
2059 | + } |
2060 | + } |
2061 | + |
2062 | + if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; |
2063 | + if (trust && !ctx->param->trust) ctx->param->trust = trust; |
2064 | + return 1; |
2065 | +} |
2066 | + |
2067 | +X509_STORE_CTX *X509_STORE_CTX_new(void) |
2068 | +{ |
2069 | + X509_STORE_CTX *ctx; |
2070 | + ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); |
2071 | + if (!ctx) |
2072 | + { |
2073 | + X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); |
2074 | + return NULL; |
2075 | + } |
2076 | + memset(ctx, 0, sizeof(X509_STORE_CTX)); |
2077 | + return ctx; |
2078 | +} |
2079 | + |
2080 | +void X509_STORE_CTX_free(X509_STORE_CTX *ctx) |
2081 | +{ |
2082 | + X509_STORE_CTX_cleanup(ctx); |
2083 | + OPENSSL_free(ctx); |
2084 | +} |
2085 | + |
2086 | +int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, |
2087 | + STACK_OF(X509) *chain) |
2088 | + { |
2089 | + int ret = 1; |
2090 | + ctx->ctx=store; |
2091 | + ctx->current_method=0; |
2092 | + ctx->cert=x509; |
2093 | + ctx->untrusted=chain; |
2094 | + ctx->crls = NULL; |
2095 | + ctx->last_untrusted=0; |
2096 | + ctx->other_ctx=NULL; |
2097 | + ctx->valid=0; |
2098 | + ctx->chain=NULL; |
2099 | + ctx->error=0; |
2100 | + ctx->explicit_policy=0; |
2101 | + ctx->error_depth=0; |
2102 | + ctx->current_cert=NULL; |
2103 | + ctx->current_issuer=NULL; |
2104 | + ctx->current_crl=NULL; |
2105 | + ctx->current_crl_score=0; |
2106 | + ctx->current_reasons=0; |
2107 | + ctx->tree = NULL; |
2108 | + ctx->parent = NULL; |
2109 | + |
2110 | + ctx->param = X509_VERIFY_PARAM_new(); |
2111 | + |
2112 | + if (!ctx->param) |
2113 | + { |
2114 | + X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); |
2115 | + return 0; |
2116 | + } |
2117 | + |
2118 | + /* Inherit callbacks and flags from X509_STORE if not set |
2119 | + * use defaults. |
2120 | + */ |
2121 | + |
2122 | + |
2123 | + if (store) |
2124 | + ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); |
2125 | + else |
2126 | + ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; |
2127 | + |
2128 | + if (store) |
2129 | + { |
2130 | + ctx->verify_cb = store->verify_cb; |
2131 | + ctx->cleanup = store->cleanup; |
2132 | + } |
2133 | + else |
2134 | + ctx->cleanup = 0; |
2135 | + |
2136 | + if (ret) |
2137 | + ret = X509_VERIFY_PARAM_inherit(ctx->param, |
2138 | + X509_VERIFY_PARAM_lookup("default")); |
2139 | + |
2140 | + if (ret == 0) |
2141 | + { |
2142 | + X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); |
2143 | + return 0; |
2144 | + } |
2145 | + |
2146 | + if (store && store->check_issued) |
2147 | + ctx->check_issued = store->check_issued; |
2148 | + else |
2149 | + ctx->check_issued = check_issued; |
2150 | + |
2151 | + if (store && store->get_issuer) |
2152 | + ctx->get_issuer = store->get_issuer; |
2153 | + else |
2154 | + ctx->get_issuer = X509_STORE_CTX_get1_issuer; |
2155 | + |
2156 | + if (store && store->verify_cb) |
2157 | + ctx->verify_cb = store->verify_cb; |
2158 | + else |
2159 | + ctx->verify_cb = null_callback; |
2160 | + |
2161 | + if (store && store->verify) |
2162 | + ctx->verify = store->verify; |
2163 | + else |
2164 | + ctx->verify = internal_verify; |
2165 | + |
2166 | + if (store && store->check_revocation) |
2167 | + ctx->check_revocation = store->check_revocation; |
2168 | + else |
2169 | + ctx->check_revocation = check_revocation; |
2170 | + |
2171 | + if (store && store->get_crl) |
2172 | + ctx->get_crl = store->get_crl; |
2173 | + else |
2174 | + ctx->get_crl = NULL; |
2175 | + |
2176 | + if (store && store->check_crl) |
2177 | + ctx->check_crl = store->check_crl; |
2178 | + else |
2179 | + ctx->check_crl = check_crl; |
2180 | + |
2181 | + if (store && store->cert_crl) |
2182 | + ctx->cert_crl = store->cert_crl; |
2183 | + else |
2184 | + ctx->cert_crl = cert_crl; |
2185 | + |
2186 | + if (store && store->lookup_certs) |
2187 | + ctx->lookup_certs = store->lookup_certs; |
2188 | + else |
2189 | + ctx->lookup_certs = X509_STORE_get1_certs; |
2190 | + |
2191 | + if (store && store->lookup_crls) |
2192 | + ctx->lookup_crls = store->lookup_crls; |
2193 | + else |
2194 | + ctx->lookup_crls = X509_STORE_get1_crls; |
2195 | + |
2196 | + ctx->check_policy = check_policy; |
2197 | + |
2198 | + |
2199 | + /* This memset() can't make any sense anyway, so it's removed. As |
2200 | + * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a |
2201 | + * corresponding "new" here and remove this bogus initialisation. */ |
2202 | + /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ |
2203 | + if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, |
2204 | + &(ctx->ex_data))) |
2205 | + { |
2206 | + OPENSSL_free(ctx); |
2207 | + X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); |
2208 | + return 0; |
2209 | + } |
2210 | + return 1; |
2211 | + } |
2212 | + |
2213 | +/* Set alternative lookup method: just a STACK of trusted certificates. |
2214 | + * This avoids X509_STORE nastiness where it isn't needed. |
2215 | + */ |
2216 | + |
2217 | +void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) |
2218 | +{ |
2219 | + ctx->other_ctx = sk; |
2220 | + ctx->get_issuer = get_issuer_sk; |
2221 | +} |
2222 | + |
2223 | +void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) |
2224 | + { |
2225 | + if (ctx->cleanup) ctx->cleanup(ctx); |
2226 | + if (ctx->param != NULL) |
2227 | + { |
2228 | + if (ctx->parent == NULL) |
2229 | + X509_VERIFY_PARAM_free(ctx->param); |
2230 | + ctx->param=NULL; |
2231 | + } |
2232 | + if (ctx->tree != NULL) |
2233 | + { |
2234 | + X509_policy_tree_free(ctx->tree); |
2235 | + ctx->tree=NULL; |
2236 | + } |
2237 | + if (ctx->chain != NULL) |
2238 | + { |
2239 | + sk_X509_pop_free(ctx->chain,X509_free); |
2240 | + ctx->chain=NULL; |
2241 | + } |
2242 | + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); |
2243 | + memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); |
2244 | + } |
2245 | + |
2246 | +void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) |
2247 | + { |
2248 | + X509_VERIFY_PARAM_set_depth(ctx->param, depth); |
2249 | + } |
2250 | + |
2251 | +void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) |
2252 | + { |
2253 | + X509_VERIFY_PARAM_set_flags(ctx->param, flags); |
2254 | + } |
2255 | + |
2256 | +void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) |
2257 | + { |
2258 | + X509_VERIFY_PARAM_set_time(ctx->param, t); |
2259 | + } |
2260 | + |
2261 | +void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, |
2262 | + int (*verify_cb)(int, X509_STORE_CTX *)) |
2263 | + { |
2264 | + ctx->verify_cb=verify_cb; |
2265 | + } |
2266 | + |
2267 | +X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) |
2268 | + { |
2269 | + return ctx->tree; |
2270 | + } |
2271 | + |
2272 | +int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) |
2273 | + { |
2274 | + return ctx->explicit_policy; |
2275 | + } |
2276 | + |
2277 | +int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) |
2278 | + { |
2279 | + const X509_VERIFY_PARAM *param; |
2280 | + param = X509_VERIFY_PARAM_lookup(name); |
2281 | + if (!param) |
2282 | + return 0; |
2283 | + return X509_VERIFY_PARAM_inherit(ctx->param, param); |
2284 | + } |
2285 | + |
2286 | +X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) |
2287 | + { |
2288 | + return ctx->param; |
2289 | + } |
2290 | + |
2291 | +void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) |
2292 | + { |
2293 | + if (ctx->param) |
2294 | + X509_VERIFY_PARAM_free(ctx->param); |
2295 | + ctx->param = param; |
2296 | + } |
2297 | + |
2298 | +IMPLEMENT_STACK_OF(X509) |
2299 | +IMPLEMENT_ASN1_SET_OF(X509) |
2300 | + |
2301 | +IMPLEMENT_STACK_OF(X509_NAME) |
2302 | + |
2303 | +IMPLEMENT_STACK_OF(X509_ATTRIBUTE) |
2304 | +IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE) |
2305 | |
2306 | === added directory '.pc/c_rehash-multi.patch' |
2307 | === added directory '.pc/c_rehash-multi.patch/tools' |
2308 | === added file '.pc/c_rehash-multi.patch/tools/c_rehash.in' |
2309 | --- .pc/c_rehash-multi.patch/tools/c_rehash.in 1970-01-01 00:00:00 +0000 |
2310 | +++ .pc/c_rehash-multi.patch/tools/c_rehash.in 2011-09-15 05:17:15 +0000 |
2311 | @@ -0,0 +1,192 @@ |
2312 | +#!/usr/local/bin/perl |
2313 | + |
2314 | + |
2315 | +# Perl c_rehash script, scan all files in a directory |
2316 | +# and add symbolic links to their hash values. |
2317 | + |
2318 | +my $openssl; |
2319 | + |
2320 | +my $dir; |
2321 | +my $prefix; |
2322 | + |
2323 | +if(defined $ENV{OPENSSL}) { |
2324 | + $openssl = $ENV{OPENSSL}; |
2325 | +} else { |
2326 | + $openssl = "openssl"; |
2327 | + $ENV{OPENSSL} = $openssl; |
2328 | +} |
2329 | + |
2330 | +my $pwd; |
2331 | +eval "require Cwd"; |
2332 | +if (defined(&Cwd::getcwd)) { |
2333 | + $pwd=Cwd::getcwd(); |
2334 | +} else { |
2335 | + $pwd=`pwd`; chomp($pwd); |
2336 | +} |
2337 | +my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter? |
2338 | + |
2339 | +$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); # prefix our path |
2340 | + |
2341 | +if(! -x $openssl) { |
2342 | + my $found = 0; |
2343 | + foreach (split /$path_delim/, $ENV{PATH}) { |
2344 | + if(-x "$_/$openssl") { |
2345 | + $found = 1; |
2346 | + $openssl = "$_/$openssl"; |
2347 | + last; |
2348 | + } |
2349 | + } |
2350 | + if($found == 0) { |
2351 | + print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; |
2352 | + exit 0; |
2353 | + } |
2354 | +} |
2355 | + |
2356 | +if(@ARGV) { |
2357 | + @dirlist = @ARGV; |
2358 | +} elsif($ENV{SSL_CERT_DIR}) { |
2359 | + @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; |
2360 | +} else { |
2361 | + $dirlist[0] = "$dir/certs"; |
2362 | +} |
2363 | + |
2364 | +if (-d $dirlist[0]) { |
2365 | + chdir $dirlist[0]; |
2366 | + $openssl="$pwd/$openssl" if (!-x $openssl); |
2367 | + chdir $pwd; |
2368 | +} |
2369 | + |
2370 | +foreach (@dirlist) { |
2371 | + if(-d $_ and -w $_) { |
2372 | + hash_dir($_); |
2373 | + } |
2374 | +} |
2375 | + |
2376 | +sub hash_dir { |
2377 | + my %hashlist; |
2378 | + print "Doing $_[0]\n"; |
2379 | + chdir $_[0]; |
2380 | + opendir(DIR, "."); |
2381 | + my @flist = readdir(DIR); |
2382 | + # Delete any existing symbolic links |
2383 | + foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { |
2384 | + if(-l $_) { |
2385 | + unlink $_; |
2386 | + } |
2387 | + } |
2388 | + closedir DIR; |
2389 | + FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) { |
2390 | + # Check to see if certificates and/or CRLs present. |
2391 | + my ($cert, $crl) = check_file($fname); |
2392 | + if(!$cert && !$crl) { |
2393 | + ($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der -outform pem | "); |
2394 | + if(!$cert && !$crl) { |
2395 | + print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; |
2396 | + next; |
2397 | + } |
2398 | + } |
2399 | + link_hash_cert($fname) if($cert); |
2400 | + link_hash_cert_old($fname) if($cert); |
2401 | + link_hash_crl($fname) if($crl); |
2402 | + } |
2403 | +} |
2404 | + |
2405 | +sub check_file { |
2406 | + my ($is_cert, $is_crl) = (0,0); |
2407 | + my $fname = $_[0]; |
2408 | + open IN, $fname; |
2409 | + while(<IN>) { |
2410 | + if(/^-----BEGIN (.*)-----/) { |
2411 | + my $hdr = $1; |
2412 | + if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { |
2413 | + $is_cert = 1; |
2414 | + last if($is_crl); |
2415 | + } elsif($hdr eq "X509 CRL") { |
2416 | + $is_crl = 1; |
2417 | + last if($is_cert); |
2418 | + } |
2419 | + } |
2420 | + } |
2421 | + close IN; |
2422 | + return ($is_cert, $is_crl); |
2423 | +} |
2424 | + |
2425 | + |
2426 | +# Link a certificate to its subject name hash value, each hash is of |
2427 | +# the form <hash>.<n> where n is an integer. If the hash value already exists |
2428 | +# then we need to up the value of n, unless its a duplicate in which |
2429 | +# case we skip the link. We check for duplicates by comparing the |
2430 | +# certificate fingerprints |
2431 | + |
2432 | +sub link_hash_cert { |
2433 | + my $fname = $_[0]; |
2434 | + my $hashopt = $_[1] || '-subject_hash'; |
2435 | + $fname =~ s/'/'\\''/g; |
2436 | + my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`; |
2437 | + chomp $hash; |
2438 | + chomp $fprint; |
2439 | + $fprint =~ s/^.*=//; |
2440 | + $fprint =~ tr/://d; |
2441 | + my $suffix = 0; |
2442 | + # Search for an unused hash filename |
2443 | + while(exists $hashlist{"$hash.$suffix"}) { |
2444 | + # Hash matches: if fingerprint matches its a duplicate cert |
2445 | + if($hashlist{"$hash.$suffix"} eq $fprint) { |
2446 | + print STDERR "WARNING: Skipping duplicate certificate $fname\n"; |
2447 | + return; |
2448 | + } |
2449 | + $suffix++; |
2450 | + } |
2451 | + $hash .= ".$suffix"; |
2452 | + print "$fname => $hash\n"; |
2453 | + $symlink_exists=eval {symlink("",""); 1}; |
2454 | + if ($symlink_exists) { |
2455 | + symlink $fname, $hash; |
2456 | + } else { |
2457 | + open IN,"<$fname" or die "can't open $fname for read"; |
2458 | + open OUT,">$hash" or die "can't open $hash for write"; |
2459 | + print OUT <IN>; # does the job for small text files |
2460 | + close OUT; |
2461 | + close IN; |
2462 | + } |
2463 | + $hashlist{$hash} = $fprint; |
2464 | +} |
2465 | + |
2466 | +sub link_hash_cert_old { |
2467 | + link_hash_cert($_[0], '-subject_hash_old'); |
2468 | +} |
2469 | + |
2470 | +# Same as above except for a CRL. CRL links are of the form <hash>.r<n> |
2471 | + |
2472 | +sub link_hash_crl { |
2473 | + my $fname = $_[0]; |
2474 | + $fname =~ s/'/'\\''/g; |
2475 | + my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`; |
2476 | + if(!$hash || !fprint) { |
2477 | + ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname' -inform der`; |
2478 | + } |
2479 | + chomp $hash; |
2480 | + chomp $fprint; |
2481 | + $fprint =~ s/^.*=//; |
2482 | + $fprint =~ tr/://d; |
2483 | + my $suffix = 0; |
2484 | + # Search for an unused hash filename |
2485 | + while(exists $hashlist{"$hash.r$suffix"}) { |
2486 | + # Hash matches: if fingerprint matches its a duplicate cert |
2487 | + if($hashlist{"$hash.r$suffix"} eq $fprint) { |
2488 | + print STDERR "WARNING: Skipping duplicate CRL $fname\n"; |
2489 | + return; |
2490 | + } |
2491 | + $suffix++; |
2492 | + } |
2493 | + $hash .= ".r$suffix"; |
2494 | + print "$fname => $hash\n"; |
2495 | + $symlink_exists=eval {symlink("",""); 1}; |
2496 | + if ($symlink_exists) { |
2497 | + symlink $fname, $hash; |
2498 | + } else { |
2499 | + system ("cp", $fname, $hash); |
2500 | + } |
2501 | + $hashlist{$hash} = $fprint; |
2502 | +} |
2503 | + |
2504 | |
2505 | === modified file '.pc/config-hurd.patch/config' |
2506 | --- .pc/config-hurd.patch/config 2010-12-12 15:37:21 +0000 |
2507 | +++ .pc/config-hurd.patch/config 2011-09-15 05:17:15 +0000 |
2508 | @@ -825,6 +825,10 @@ |
2509 | # options="$options -DATALLA" |
2510 | #fi |
2511 | |
2512 | +($CC -Wa,--help -c -o /dev/null -x assembler /dev/null 2>&1 | \ |
2513 | + grep \\--noexecstack) 2>&1 > /dev/null && \ |
2514 | + options="$options -Wa,--noexecstack" |
2515 | + |
2516 | # gcc < 2.8 does not support -march=ultrasparc |
2517 | if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ] |
2518 | then |
2519 | |
2520 | === added directory '.pc/dgst_hmac.patch' |
2521 | === added directory '.pc/dgst_hmac.patch/apps' |
2522 | === added file '.pc/dgst_hmac.patch/apps/dgst.c' |
2523 | --- .pc/dgst_hmac.patch/apps/dgst.c 1970-01-01 00:00:00 +0000 |
2524 | +++ .pc/dgst_hmac.patch/apps/dgst.c 2011-09-15 05:17:15 +0000 |
2525 | @@ -0,0 +1,632 @@ |
2526 | +/* apps/dgst.c */ |
2527 | +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
2528 | + * All rights reserved. |
2529 | + * |
2530 | + * This package is an SSL implementation written |
2531 | + * by Eric Young (eay@cryptsoft.com). |
2532 | + * The implementation was written so as to conform with Netscapes SSL. |
2533 | + * |
2534 | + * This library is free for commercial and non-commercial use as long as |
2535 | + * the following conditions are aheared to. The following conditions |
2536 | + * apply to all code found in this distribution, be it the RC4, RSA, |
2537 | + * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
2538 | + * included with this distribution is covered by the same copyright terms |
2539 | + * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
2540 | + * |
2541 | + * Copyright remains Eric Young's, and as such any Copyright notices in |
2542 | + * the code are not to be removed. |
2543 | + * If this package is used in a product, Eric Young should be given attribution |
2544 | + * as the author of the parts of the library used. |
2545 | + * This can be in the form of a textual message at program startup or |
2546 | + * in documentation (online or textual) provided with the package. |
2547 | + * |
2548 | + * Redistribution and use in source and binary forms, with or without |
2549 | + * modification, are permitted provided that the following conditions |
2550 | + * are met: |
2551 | + * 1. Redistributions of source code must retain the copyright |
2552 | + * notice, this list of conditions and the following disclaimer. |
2553 | + * 2. Redistributions in binary form must reproduce the above copyright |
2554 | + * notice, this list of conditions and the following disclaimer in the |
2555 | + * documentation and/or other materials provided with the distribution. |
2556 | + * 3. All advertising materials mentioning features or use of this software |
2557 | + * must display the following acknowledgement: |
2558 | + * "This product includes cryptographic software written by |
2559 | + * Eric Young (eay@cryptsoft.com)" |
2560 | + * The word 'cryptographic' can be left out if the rouines from the library |
2561 | + * being used are not cryptographic related :-). |
2562 | + * 4. If you include any Windows specific code (or a derivative thereof) from |
2563 | + * the apps directory (application code) you must include an acknowledgement: |
2564 | + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
2565 | + * |
2566 | + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
2567 | + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
2568 | + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
2569 | + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
2570 | + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
2571 | + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
2572 | + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
2573 | + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
2574 | + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
2575 | + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
2576 | + * SUCH DAMAGE. |
2577 | + * |
2578 | + * The licence and distribution terms for any publically available version or |
2579 | + * derivative of this code cannot be changed. i.e. this code cannot simply be |
2580 | + * copied and put under another distribution licence |
2581 | + * [including the GNU Public Licence.] |
2582 | + */ |
2583 | + |
2584 | +#include <stdio.h> |
2585 | +#include <string.h> |
2586 | +#include <stdlib.h> |
2587 | +#include "apps.h" |
2588 | +#include <openssl/bio.h> |
2589 | +#include <openssl/err.h> |
2590 | +#include <openssl/evp.h> |
2591 | +#include <openssl/objects.h> |
2592 | +#include <openssl/x509.h> |
2593 | +#include <openssl/pem.h> |
2594 | +#include <openssl/hmac.h> |
2595 | + |
2596 | +#undef BUFSIZE |
2597 | +#define BUFSIZE 1024*8 |
2598 | + |
2599 | +#undef PROG |
2600 | +#define PROG dgst_main |
2601 | + |
2602 | +int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, |
2603 | + EVP_PKEY *key, unsigned char *sigin, int siglen, |
2604 | + const char *sig_name, const char *md_name, |
2605 | + const char *file,BIO *bmd); |
2606 | + |
2607 | +static void list_md_fn(const EVP_MD *m, |
2608 | + const char *from, const char *to, void *arg) |
2609 | + { |
2610 | + const char *mname; |
2611 | + /* Skip aliases */ |
2612 | + if (!m) |
2613 | + return; |
2614 | + mname = OBJ_nid2ln(EVP_MD_type(m)); |
2615 | + /* Skip shortnames */ |
2616 | + if (strcmp(from, mname)) |
2617 | + return; |
2618 | + /* Skip clones */ |
2619 | + if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST) |
2620 | + return; |
2621 | + if (strchr(mname, ' ')) |
2622 | + mname= EVP_MD_name(m); |
2623 | + BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n", |
2624 | + mname, mname); |
2625 | + } |
2626 | + |
2627 | +int MAIN(int, char **); |
2628 | + |
2629 | +int MAIN(int argc, char **argv) |
2630 | + { |
2631 | + ENGINE *e = NULL; |
2632 | + unsigned char *buf=NULL; |
2633 | + int i,err=1; |
2634 | + const EVP_MD *md=NULL,*m; |
2635 | + BIO *in=NULL,*inp; |
2636 | + BIO *bmd=NULL; |
2637 | + BIO *out = NULL; |
2638 | +#define PROG_NAME_SIZE 39 |
2639 | + char pname[PROG_NAME_SIZE+1]; |
2640 | + int separator=0; |
2641 | + int debug=0; |
2642 | + int keyform=FORMAT_PEM; |
2643 | + const char *outfile = NULL, *keyfile = NULL; |
2644 | + const char *sigfile = NULL, *randfile = NULL; |
2645 | + int out_bin = -1, want_pub = 0, do_verify = 0; |
2646 | + EVP_PKEY *sigkey = NULL; |
2647 | + unsigned char *sigbuf = NULL; |
2648 | + int siglen = 0; |
2649 | + char *passargin = NULL, *passin = NULL; |
2650 | +#ifndef OPENSSL_NO_ENGINE |
2651 | + char *engine=NULL; |
2652 | +#endif |
2653 | + char *hmac_key=NULL; |
2654 | + char *mac_name=NULL; |
2655 | + STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; |
2656 | + |
2657 | + apps_startup(); |
2658 | + |
2659 | + if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) |
2660 | + { |
2661 | + BIO_printf(bio_err,"out of memory\n"); |
2662 | + goto end; |
2663 | + } |
2664 | + if (bio_err == NULL) |
2665 | + if ((bio_err=BIO_new(BIO_s_file())) != NULL) |
2666 | + BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); |
2667 | + |
2668 | + if (!load_config(bio_err, NULL)) |
2669 | + goto end; |
2670 | + |
2671 | + /* first check the program name */ |
2672 | + program_name(argv[0],pname,sizeof pname); |
2673 | + |
2674 | + md=EVP_get_digestbyname(pname); |
2675 | + |
2676 | + argc--; |
2677 | + argv++; |
2678 | + while (argc > 0) |
2679 | + { |
2680 | + if ((*argv)[0] != '-') break; |
2681 | + if (strcmp(*argv,"-c") == 0) |
2682 | + separator=1; |
2683 | + else if (strcmp(*argv,"-r") == 0) |
2684 | + separator=2; |
2685 | + else if (strcmp(*argv,"-rand") == 0) |
2686 | + { |
2687 | + if (--argc < 1) break; |
2688 | + randfile=*(++argv); |
2689 | + } |
2690 | + else if (strcmp(*argv,"-out") == 0) |
2691 | + { |
2692 | + if (--argc < 1) break; |
2693 | + outfile=*(++argv); |
2694 | + } |
2695 | + else if (strcmp(*argv,"-sign") == 0) |
2696 | + { |
2697 | + if (--argc < 1) break; |
2698 | + keyfile=*(++argv); |
2699 | + } |
2700 | + else if (!strcmp(*argv,"-passin")) |
2701 | + { |
2702 | + if (--argc < 1) |
2703 | + break; |
2704 | + passargin=*++argv; |
2705 | + } |
2706 | + else if (strcmp(*argv,"-verify") == 0) |
2707 | + { |
2708 | + if (--argc < 1) break; |
2709 | + keyfile=*(++argv); |
2710 | + want_pub = 1; |
2711 | + do_verify = 1; |
2712 | + } |
2713 | + else if (strcmp(*argv,"-prverify") == 0) |
2714 | + { |
2715 | + if (--argc < 1) break; |
2716 | + keyfile=*(++argv); |
2717 | + do_verify = 1; |
2718 | + } |
2719 | + else if (strcmp(*argv,"-signature") == 0) |
2720 | + { |
2721 | + if (--argc < 1) break; |
2722 | + sigfile=*(++argv); |
2723 | + } |
2724 | + else if (strcmp(*argv,"-keyform") == 0) |
2725 | + { |
2726 | + if (--argc < 1) break; |
2727 | + keyform=str2fmt(*(++argv)); |
2728 | + } |
2729 | +#ifndef OPENSSL_NO_ENGINE |
2730 | + else if (strcmp(*argv,"-engine") == 0) |
2731 | + { |
2732 | + if (--argc < 1) break; |
2733 | + engine= *(++argv); |
2734 | + e = setup_engine(bio_err, engine, 0); |
2735 | + } |
2736 | +#endif |
2737 | + else if (strcmp(*argv,"-hex") == 0) |
2738 | + out_bin = 0; |
2739 | + else if (strcmp(*argv,"-binary") == 0) |
2740 | + out_bin = 1; |
2741 | + else if (strcmp(*argv,"-d") == 0) |
2742 | + debug=1; |
2743 | + else if (!strcmp(*argv,"-hmac")) |
2744 | + { |
2745 | + if (--argc < 1) |
2746 | + break; |
2747 | + hmac_key=*++argv; |
2748 | + } |
2749 | + else if (!strcmp(*argv,"-mac")) |
2750 | + { |
2751 | + if (--argc < 1) |
2752 | + break; |
2753 | + mac_name=*++argv; |
2754 | + } |
2755 | + else if (strcmp(*argv,"-sigopt") == 0) |
2756 | + { |
2757 | + if (--argc < 1) |
2758 | + break; |
2759 | + if (!sigopts) |
2760 | + sigopts = sk_OPENSSL_STRING_new_null(); |
2761 | + if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) |
2762 | + break; |
2763 | + } |
2764 | + else if (strcmp(*argv,"-macopt") == 0) |
2765 | + { |
2766 | + if (--argc < 1) |
2767 | + break; |
2768 | + if (!macopts) |
2769 | + macopts = sk_OPENSSL_STRING_new_null(); |
2770 | + if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv))) |
2771 | + break; |
2772 | + } |
2773 | + else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL) |
2774 | + md=m; |
2775 | + else |
2776 | + break; |
2777 | + argc--; |
2778 | + argv++; |
2779 | + } |
2780 | + |
2781 | + |
2782 | + if(do_verify && !sigfile) { |
2783 | + BIO_printf(bio_err, "No signature to verify: use the -signature option\n"); |
2784 | + goto end; |
2785 | + } |
2786 | + |
2787 | + if ((argc > 0) && (argv[0][0] == '-')) /* bad option */ |
2788 | + { |
2789 | + BIO_printf(bio_err,"unknown option '%s'\n",*argv); |
2790 | + BIO_printf(bio_err,"options are\n"); |
2791 | + BIO_printf(bio_err,"-c to output the digest with separating colons\n"); |
2792 | + BIO_printf(bio_err,"-r to output the digest in coreutils format\n"); |
2793 | + BIO_printf(bio_err,"-d to output debug info\n"); |
2794 | + BIO_printf(bio_err,"-hex output as hex dump\n"); |
2795 | + BIO_printf(bio_err,"-binary output in binary form\n"); |
2796 | + BIO_printf(bio_err,"-sign file sign digest using private key in file\n"); |
2797 | + BIO_printf(bio_err,"-verify file verify a signature using public key in file\n"); |
2798 | + BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n"); |
2799 | + BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n"); |
2800 | + BIO_printf(bio_err,"-out filename output to filename rather than stdout\n"); |
2801 | + BIO_printf(bio_err,"-signature file signature to verify\n"); |
2802 | + BIO_printf(bio_err,"-sigopt nm:v signature parameter\n"); |
2803 | + BIO_printf(bio_err,"-hmac key create hashed MAC with key\n"); |
2804 | + BIO_printf(bio_err,"-mac algorithm create MAC (not neccessarily HMAC)\n"); |
2805 | + BIO_printf(bio_err,"-macopt nm:v MAC algorithm parameters or key\n"); |
2806 | +#ifndef OPENSSL_NO_ENGINE |
2807 | + BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); |
2808 | +#endif |
2809 | + |
2810 | + EVP_MD_do_all_sorted(list_md_fn, bio_err); |
2811 | + goto end; |
2812 | + } |
2813 | + |
2814 | + in=BIO_new(BIO_s_file()); |
2815 | + bmd=BIO_new(BIO_f_md()); |
2816 | + if (debug) |
2817 | + { |
2818 | + BIO_set_callback(in,BIO_debug_callback); |
2819 | + /* needed for windows 3.1 */ |
2820 | + BIO_set_callback_arg(in,(char *)bio_err); |
2821 | + } |
2822 | + |
2823 | + if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) |
2824 | + { |
2825 | + BIO_printf(bio_err, "Error getting password\n"); |
2826 | + goto end; |
2827 | + } |
2828 | + |
2829 | + if ((in == NULL) || (bmd == NULL)) |
2830 | + { |
2831 | + ERR_print_errors(bio_err); |
2832 | + goto end; |
2833 | + } |
2834 | + |
2835 | + if(out_bin == -1) { |
2836 | + if(keyfile) |
2837 | + out_bin = 1; |
2838 | + else |
2839 | + out_bin = 0; |
2840 | + } |
2841 | + |
2842 | + if(randfile) |
2843 | + app_RAND_load_file(randfile, bio_err, 0); |
2844 | + |
2845 | + if(outfile) { |
2846 | + if(out_bin) |
2847 | + out = BIO_new_file(outfile, "wb"); |
2848 | + else out = BIO_new_file(outfile, "w"); |
2849 | + } else { |
2850 | + out = BIO_new_fp(stdout, BIO_NOCLOSE); |
2851 | +#ifdef OPENSSL_SYS_VMS |
2852 | + { |
2853 | + BIO *tmpbio = BIO_new(BIO_f_linebuffer()); |
2854 | + out = BIO_push(tmpbio, out); |
2855 | + } |
2856 | +#endif |
2857 | + } |
2858 | + |
2859 | + if(!out) { |
2860 | + BIO_printf(bio_err, "Error opening output file %s\n", |
2861 | + outfile ? outfile : "(stdout)"); |
2862 | + ERR_print_errors(bio_err); |
2863 | + goto end; |
2864 | + } |
2865 | + if ((!!mac_name + !!keyfile + !!hmac_key) > 1) |
2866 | + { |
2867 | + BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n"); |
2868 | + goto end; |
2869 | + } |
2870 | + |
2871 | + if(keyfile) |
2872 | + { |
2873 | + if (want_pub) |
2874 | + sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL, |
2875 | + e, "key file"); |
2876 | + else |
2877 | + sigkey = load_key(bio_err, keyfile, keyform, 0, passin, |
2878 | + e, "key file"); |
2879 | + if (!sigkey) |
2880 | + { |
2881 | + /* load_[pub]key() has already printed an appropriate |
2882 | + message */ |
2883 | + goto end; |
2884 | + } |
2885 | + } |
2886 | + |
2887 | + if (mac_name) |
2888 | + { |
2889 | + EVP_PKEY_CTX *mac_ctx = NULL; |
2890 | + int r = 0; |
2891 | + if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0)) |
2892 | + goto mac_end; |
2893 | + if (macopts) |
2894 | + { |
2895 | + char *macopt; |
2896 | + for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) |
2897 | + { |
2898 | + macopt = sk_OPENSSL_STRING_value(macopts, i); |
2899 | + if (pkey_ctrl_string(mac_ctx, macopt) <= 0) |
2900 | + { |
2901 | + BIO_printf(bio_err, |
2902 | + "MAC parameter error \"%s\"\n", |
2903 | + macopt); |
2904 | + ERR_print_errors(bio_err); |
2905 | + goto mac_end; |
2906 | + } |
2907 | + } |
2908 | + } |
2909 | + if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) |
2910 | + { |
2911 | + BIO_puts(bio_err, "Error generating key\n"); |
2912 | + ERR_print_errors(bio_err); |
2913 | + goto mac_end; |
2914 | + } |
2915 | + r = 1; |
2916 | + mac_end: |
2917 | + if (mac_ctx) |
2918 | + EVP_PKEY_CTX_free(mac_ctx); |
2919 | + if (r == 0) |
2920 | + goto end; |
2921 | + } |
2922 | + |
2923 | + if (hmac_key) |
2924 | + { |
2925 | + sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e, |
2926 | + (unsigned char *)hmac_key, -1); |
2927 | + if (!sigkey) |
2928 | + goto end; |
2929 | + } |
2930 | + |
2931 | + if (sigkey) |
2932 | + { |
2933 | + EVP_MD_CTX *mctx = NULL; |
2934 | + EVP_PKEY_CTX *pctx = NULL; |
2935 | + int r; |
2936 | + if (!BIO_get_md_ctx(bmd, &mctx)) |
2937 | + { |
2938 | + BIO_printf(bio_err, "Error getting context\n"); |
2939 | + ERR_print_errors(bio_err); |
2940 | + goto end; |
2941 | + } |
2942 | + if (do_verify) |
2943 | + r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey); |
2944 | + else |
2945 | + r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey); |
2946 | + if (!r) |
2947 | + { |
2948 | + BIO_printf(bio_err, "Error setting context\n"); |
2949 | + ERR_print_errors(bio_err); |
2950 | + goto end; |
2951 | + } |
2952 | + if (sigopts) |
2953 | + { |
2954 | + char *sigopt; |
2955 | + for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) |
2956 | + { |
2957 | + sigopt = sk_OPENSSL_STRING_value(sigopts, i); |
2958 | + if (pkey_ctrl_string(pctx, sigopt) <= 0) |
2959 | + { |
2960 | + BIO_printf(bio_err, |
2961 | + "parameter error \"%s\"\n", |
2962 | + sigopt); |
2963 | + ERR_print_errors(bio_err); |
2964 | + goto end; |
2965 | + } |
2966 | + } |
2967 | + } |
2968 | + } |
2969 | + /* we use md as a filter, reading from 'in' */ |
2970 | + else |
2971 | + { |
2972 | + if (md == NULL) |
2973 | + md = EVP_md5(); |
2974 | + if (!BIO_set_md(bmd,md)) |
2975 | + { |
2976 | + BIO_printf(bio_err, "Error setting digest %s\n", pname); |
2977 | + ERR_print_errors(bio_err); |
2978 | + goto end; |
2979 | + } |
2980 | + } |
2981 | + |
2982 | + if(sigfile && sigkey) { |
2983 | + BIO *sigbio; |
2984 | + sigbio = BIO_new_file(sigfile, "rb"); |
2985 | + siglen = EVP_PKEY_size(sigkey); |
2986 | + sigbuf = OPENSSL_malloc(siglen); |
2987 | + if(!sigbio) { |
2988 | + BIO_printf(bio_err, "Error opening signature file %s\n", |
2989 | + sigfile); |
2990 | + ERR_print_errors(bio_err); |
2991 | + goto end; |
2992 | + } |
2993 | + siglen = BIO_read(sigbio, sigbuf, siglen); |
2994 | + BIO_free(sigbio); |
2995 | + if(siglen <= 0) { |
2996 | + BIO_printf(bio_err, "Error reading signature file %s\n", |
2997 | + sigfile); |
2998 | + ERR_print_errors(bio_err); |
2999 | + goto end; |
3000 | + } |
3001 | + } |
3002 | + inp=BIO_push(bmd,in); |
3003 | + |
3004 | + if (md == NULL) |
3005 | + { |
3006 | + EVP_MD_CTX *tctx; |
3007 | + BIO_get_md_ctx(bmd, &tctx); |
3008 | + md = EVP_MD_CTX_md(tctx); |
3009 | + } |
3010 | + |
3011 | + if (argc == 0) |
3012 | + { |
3013 | + BIO_set_fp(in,stdin,BIO_NOCLOSE); |
3014 | + err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, |
3015 | + siglen,NULL,NULL,"stdin",bmd); |
3016 | + } |
3017 | + else |
3018 | + { |
3019 | + const char *md_name = NULL, *sig_name = NULL; |
3020 | + if(!out_bin) |
3021 | + { |
3022 | + if (sigkey) |
3023 | + { |
3024 | + const EVP_PKEY_ASN1_METHOD *ameth; |
3025 | + ameth = EVP_PKEY_get0_asn1(sigkey); |
3026 | + if (ameth) |
3027 | + EVP_PKEY_asn1_get0_info(NULL, NULL, |
3028 | + NULL, NULL, &sig_name, ameth); |
3029 | + } |
3030 | + md_name = EVP_MD_name(md); |
3031 | + } |
3032 | + err = 0; |
3033 | + for (i=0; i<argc; i++) |
3034 | + { |
3035 | + int r; |
3036 | + if (BIO_read_filename(in,argv[i]) <= 0) |
3037 | + { |
3038 | + perror(argv[i]); |
3039 | + err++; |
3040 | + continue; |
3041 | + } |
3042 | + else |
3043 | + r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf, |
3044 | + siglen,sig_name,md_name, argv[i],bmd); |
3045 | + if(r) |
3046 | + err=r; |
3047 | + (void)BIO_reset(bmd); |
3048 | + } |
3049 | + } |
3050 | +end: |
3051 | + if (buf != NULL) |
3052 | + { |
3053 | + OPENSSL_cleanse(buf,BUFSIZE); |
3054 | + OPENSSL_free(buf); |
3055 | + } |
3056 | + if (in != NULL) BIO_free(in); |
3057 | + if (passin) |
3058 | + OPENSSL_free(passin); |
3059 | + BIO_free_all(out); |
3060 | + EVP_PKEY_free(sigkey); |
3061 | + if (sigopts) |
3062 | + sk_OPENSSL_STRING_free(sigopts); |
3063 | + if (macopts) |
3064 | + sk_OPENSSL_STRING_free(macopts); |
3065 | + if(sigbuf) OPENSSL_free(sigbuf); |
3066 | + if (bmd != NULL) BIO_free(bmd); |
3067 | + apps_shutdown(); |
3068 | + OPENSSL_EXIT(err); |
3069 | + } |
3070 | + |
3071 | +int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, |
3072 | + EVP_PKEY *key, unsigned char *sigin, int siglen, |
3073 | + const char *sig_name, const char *md_name, |
3074 | + const char *file,BIO *bmd) |
3075 | + { |
3076 | + size_t len; |
3077 | + int i; |
3078 | + |
3079 | + for (;;) |
3080 | + { |
3081 | + i=BIO_read(bp,(char *)buf,BUFSIZE); |
3082 | + if(i < 0) |
3083 | + { |
3084 | + BIO_printf(bio_err, "Read Error in %s\n",file); |
3085 | + ERR_print_errors(bio_err); |
3086 | + return 1; |
3087 | + } |
3088 | + if (i == 0) break; |
3089 | + } |
3090 | + if(sigin) |
3091 | + { |
3092 | + EVP_MD_CTX *ctx; |
3093 | + BIO_get_md_ctx(bp, &ctx); |
3094 | + i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen); |
3095 | + if(i > 0) |
3096 | + BIO_printf(out, "Verified OK\n"); |
3097 | + else if(i == 0) |
3098 | + { |
3099 | + BIO_printf(out, "Verification Failure\n"); |
3100 | + return 1; |
3101 | + } |
3102 | + else |
3103 | + { |
3104 | + BIO_printf(bio_err, "Error Verifying Data\n"); |
3105 | + ERR_print_errors(bio_err); |
3106 | + return 1; |
3107 | + } |
3108 | + return 0; |
3109 | + } |
3110 | + if(key) |
3111 | + { |
3112 | + EVP_MD_CTX *ctx; |
3113 | + BIO_get_md_ctx(bp, &ctx); |
3114 | + len = BUFSIZE; |
3115 | + if(!EVP_DigestSignFinal(ctx, buf, &len)) |
3116 | + { |
3117 | + BIO_printf(bio_err, "Error Signing Data\n"); |
3118 | + ERR_print_errors(bio_err); |
3119 | + return 1; |
3120 | + } |
3121 | + } |
3122 | + else |
3123 | + { |
3124 | + len=BIO_gets(bp,(char *)buf,BUFSIZE); |
3125 | + if ((int)len <0) |
3126 | + { |
3127 | + ERR_print_errors(bio_err); |
3128 | + return 1; |
3129 | + } |
3130 | + } |
3131 | + |
3132 | + if(binout) BIO_write(out, buf, len); |
3133 | + else if (sep == 2) |
3134 | + { |
3135 | + for (i=0; i<(int)len; i++) |
3136 | + BIO_printf(out, "%02x",buf[i]); |
3137 | + BIO_printf(out, " *%s\n", file); |
3138 | + } |
3139 | + else |
3140 | + { |
3141 | + if (sig_name) |
3142 | + BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file); |
3143 | + else if (md_name) |
3144 | + BIO_printf(out, "%s(%s)= ", md_name, file); |
3145 | + else |
3146 | + BIO_printf(out, "(%s)= ", file); |
3147 | + for (i=0; i<(int)len; i++) |
3148 | + { |
3149 | + if (sep && (i != 0)) |
3150 | + BIO_printf(out, ":"); |
3151 | + BIO_printf(out, "%02x",buf[i]); |
3152 | + } |
3153 | + BIO_printf(out, "\n"); |
3154 | + } |
3155 | + return 0; |
3156 | + } |
3157 | + |
3158 | |
3159 | === added directory '.pc/dgst_hmac.patch/doc' |
3160 | === added directory '.pc/dgst_hmac.patch/doc/apps' |
3161 | === added file '.pc/dgst_hmac.patch/doc/apps/dgst.pod' |
3162 | --- .pc/dgst_hmac.patch/doc/apps/dgst.pod 1970-01-01 00:00:00 +0000 |
3163 | +++ .pc/dgst_hmac.patch/doc/apps/dgst.pod 2011-09-15 05:17:15 +0000 |
3164 | @@ -0,0 +1,162 @@ |
3165 | +=pod |
3166 | + |
3167 | +=head1 NAME |
3168 | + |
3169 | +dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests |
3170 | + |
3171 | +=head1 SYNOPSIS |
3172 | + |
3173 | +B<openssl> B<dgst> |
3174 | +[B<-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1>] |
3175 | +[B<-c>] |
3176 | +[B<-d>] |
3177 | +[B<-hex>] |
3178 | +[B<-binary>] |
3179 | +[B<-out filename>] |
3180 | +[B<-sign filename>] |
3181 | +[B<-keyform arg>] |
3182 | +[B<-passin arg>] |
3183 | +[B<-verify filename>] |
3184 | +[B<-prverify filename>] |
3185 | +[B<-signature filename>] |
3186 | +[B<-hmac key>] |
3187 | +[B<file...>] |
3188 | + |
3189 | +[B<md5|md4|md2|sha1|sha|mdc2|ripemd160>] |
3190 | +[B<-c>] |
3191 | +[B<-d>] |
3192 | +[B<file...>] |
3193 | + |
3194 | +=head1 DESCRIPTION |
3195 | + |
3196 | +The digest functions output the message digest of a supplied file or files |
3197 | +in hexadecimal form. They can also be used for digital signing and verification. |
3198 | + |
3199 | +=head1 OPTIONS |
3200 | + |
3201 | +=over 4 |
3202 | + |
3203 | +=item B<-c> |
3204 | + |
3205 | +print out the digest in two digit groups separated by colons, only relevant if |
3206 | +B<hex> format output is used. |
3207 | + |
3208 | +=item B<-d> |
3209 | + |
3210 | +print out BIO debugging information. |
3211 | + |
3212 | +=item B<-hex> |
3213 | + |
3214 | +digest is to be output as a hex dump. This is the default case for a "normal" |
3215 | +digest as opposed to a digital signature. |
3216 | + |
3217 | +=item B<-binary> |
3218 | + |
3219 | +output the digest or signature in binary form. |
3220 | + |
3221 | +=item B<-out filename> |
3222 | + |
3223 | +filename to output to, or standard output by default. |
3224 | + |
3225 | +=item B<-sign filename> |
3226 | + |
3227 | +digitally sign the digest using the private key in "filename". |
3228 | + |
3229 | +=item B<-keyform arg> |
3230 | + |
3231 | +Specifies the key format to sign digest with. Only PEM and ENGINE |
3232 | +formats are supported by the B<dgst> command. |
3233 | + |
3234 | +=item B<-engine id> |
3235 | + |
3236 | +Use engine B<id> for operations (including private key storage). |
3237 | +This engine is not used as source for digest algorithms, unless it is |
3238 | +also specified in the configuration file. |
3239 | + |
3240 | +=item B<-sigopt nm:v> |
3241 | + |
3242 | +Pass options to the signature algorithm during sign or verify operations. |
3243 | +Names and values of these options are algorithm-specific. |
3244 | + |
3245 | + |
3246 | +=item B<-passin arg> |
3247 | + |
3248 | +the private key password source. For more information about the format of B<arg> |
3249 | +see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. |
3250 | + |
3251 | +=item B<-verify filename> |
3252 | + |
3253 | +verify the signature using the the public key in "filename". |
3254 | +The output is either "Verification OK" or "Verification Failure". |
3255 | + |
3256 | +=item B<-prverify filename> |
3257 | + |
3258 | +verify the signature using the the private key in "filename". |
3259 | + |
3260 | +=item B<-signature filename> |
3261 | + |
3262 | +the actual signature to verify. |
3263 | + |
3264 | +=item B<-hmac key> |
3265 | + |
3266 | +create a hashed MAC using "key". |
3267 | + |
3268 | +=item B<-mac alg> |
3269 | + |
3270 | +create MAC (keyed Message Authentication Code). The most popular MAC |
3271 | +algorithm is HMAC (hash-based MAC), but there are other MAC algorithms |
3272 | +which are not based on hash, for instance B<gost-mac> algorithm, |
3273 | +supported by B<ccgost> engine. MAC keys and other options should be set |
3274 | +via B<-macopt> parameter. |
3275 | + |
3276 | +=item B<-macopt nm:v> |
3277 | + |
3278 | +Passes options to MAC algorithm, specified by B<-mac> key. |
3279 | +Following options are supported by both by B<HMAC> and B<gost-mac>: |
3280 | + |
3281 | +=over 8 |
3282 | + |
3283 | +=item B<key:string> |
3284 | + |
3285 | +Specifies MAC key as alphnumeric string (use if key contain printable |
3286 | +characters only). String length must conform to any restrictions of |
3287 | +the MAC algorithm for example exactly 32 chars for gost-mac. |
3288 | + |
3289 | +=item B<hexkey:string> |
3290 | + |
3291 | +Specifies MAC key in hexadecimal form (two hex digits per byte). |
3292 | +Key length must conform to any restrictions of the MAC algorithm |
3293 | +for example exactly 32 chars for gost-mac. |
3294 | + |
3295 | +=back |
3296 | + |
3297 | +=item B<-rand file(s)> |
3298 | + |
3299 | +a file or files containing random data used to seed the random number |
3300 | +generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). |
3301 | +Multiple files can be specified separated by a OS-dependent character. |
3302 | +The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for |
3303 | +all others. |
3304 | + |
3305 | +=item B<file...> |
3306 | + |
3307 | +file or files to digest. If no files are specified then standard input is |
3308 | +used. |
3309 | + |
3310 | +=back |
3311 | + |
3312 | +=head1 NOTES |
3313 | + |
3314 | +The digest of choice for all new applications is SHA1. Other digests are |
3315 | +however still widely used. |
3316 | + |
3317 | +If you wish to sign or verify data using the DSA algorithm then the dss1 |
3318 | +digest must be used. |
3319 | + |
3320 | +A source of random numbers is required for certain signing algorithms, in |
3321 | +particular DSA. |
3322 | + |
3323 | +The signing and verify options should only be used if a single file is |
3324 | +being signed or verified. |
3325 | + |
3326 | +=cut |
3327 | |
3328 | === modified file '.pc/engines-path.patch/Configure' |
3329 | --- .pc/engines-path.patch/Configure 2010-12-19 16:24:16 +0000 |
3330 | +++ .pc/engines-path.patch/Configure 2011-09-15 05:17:15 +0000 |
3331 | @@ -362,6 +362,7 @@ |
3332 | "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3333 | "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3334 | "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3335 | +"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3336 | "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3337 | "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3338 | "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3339 | @@ -370,7 +371,7 @@ |
3340 | "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3341 | "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3342 | "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3343 | -"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3344 | +"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3345 | |
3346 | #### |
3347 | #### Variety of LINUX:-) |
3348 | |
3349 | === modified file '.pc/gnu_source.patch/crypto/dso/dso_dlfcn.c' |
3350 | --- .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c 2010-12-19 16:24:16 +0000 |
3351 | +++ .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c 2011-09-15 05:17:15 +0000 |
3352 | @@ -85,6 +85,7 @@ |
3353 | # define HAVE_DLINFO 1 |
3354 | # if defined(_AIX) || defined(__CYGWIN__) || \ |
3355 | defined(__SCO_VERSION__) || defined(_SCO_ELF) || \ |
3356 | + (defined(__osf__) && !defined(RTLD_NEXT)) || \ |
3357 | (defined(__OpenBSD__) && !defined(RTLD_SELF)) |
3358 | # undef HAVE_DLINFO |
3359 | # endif |
3360 | |
3361 | === added directory '.pc/libdoc-manpgs-pod-spell.patch' |
3362 | === added directory '.pc/libdoc-manpgs-pod-spell.patch/doc' |
3363 | === added directory '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto' |
3364 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod' |
3365 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod 1970-01-01 00:00:00 +0000 |
3366 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod 2011-09-15 05:17:15 +0000 |
3367 | @@ -0,0 +1,265 @@ |
3368 | +=pod |
3369 | + |
3370 | +=head1 NAME |
3371 | + |
3372 | +ASN1_generate_nconf, ASN1_generate_v3 - ASN1 generation functions |
3373 | + |
3374 | +=head1 SYNOPSIS |
3375 | + |
3376 | + #include <openssl/asn1.h> |
3377 | + |
3378 | + ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf); |
3379 | + ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf); |
3380 | + |
3381 | +=head1 DESCRIPTION |
3382 | + |
3383 | +These functions generate the ASN1 encoding of a string |
3384 | +in an B<ASN1_TYPE> structure. |
3385 | + |
3386 | +B<str> contains the string to encode B<nconf> or B<cnf> contains |
3387 | +the optional configuration information where additional strings |
3388 | +will be read from. B<nconf> will typically come from a config |
3389 | +file wherease B<cnf> is obtained from an B<X509V3_CTX> structure |
3390 | +which will typically be used by X509 v3 certificate extension |
3391 | +functions. B<cnf> or B<nconf> can be set to B<NULL> if no additional |
3392 | +configuration will be used. |
3393 | + |
3394 | +=head1 GENERATION STRING FORMAT |
3395 | + |
3396 | +The actual data encoded is determined by the string B<str> and |
3397 | +the configuration information. The general format of the string |
3398 | +is: |
3399 | + |
3400 | +=over 2 |
3401 | + |
3402 | +=item B<[modifier,]type[:value]> |
3403 | + |
3404 | +=back |
3405 | + |
3406 | +That is zero or more comma separated modifiers followed by a type |
3407 | +followed by an optional colon and a value. The formats of B<type>, |
3408 | +B<value> and B<modifier> are explained below. |
3409 | + |
3410 | +=head2 SUPPORTED TYPES |
3411 | + |
3412 | +The supported types are listed below. Unless otherwise specified |
3413 | +only the B<ASCII> format is permissible. |
3414 | + |
3415 | +=over 2 |
3416 | + |
3417 | +=item B<BOOLEAN>, B<BOOL> |
3418 | + |
3419 | +This encodes a boolean type. The B<value> string is mandatory and |
3420 | +should be B<TRUE> or B<FALSE>. Additionally B<TRUE>, B<true>, B<Y>, |
3421 | +B<y>, B<YES>, B<yes>, B<FALSE>, B<false>, B<N>, B<n>, B<NO> and B<no> |
3422 | +are acceptable. |
3423 | + |
3424 | +=item B<NULL> |
3425 | + |
3426 | +Encode the B<NULL> type, the B<value> string must not be present. |
3427 | + |
3428 | +=item B<INTEGER>, B<INT> |
3429 | + |
3430 | +Encodes an ASN1 B<INTEGER> type. The B<value> string represents |
3431 | +the value of the integer, it can be preceeded by a minus sign and |
3432 | +is normally interpreted as a decimal value unless the prefix B<0x> |
3433 | +is included. |
3434 | + |
3435 | +=item B<ENUMERATED>, B<ENUM> |
3436 | + |
3437 | +Encodes the ASN1 B<ENUMERATED> type, it is otherwise identical to |
3438 | +B<INTEGER>. |
3439 | + |
3440 | +=item B<OBJECT>, B<OID> |
3441 | + |
3442 | +Encodes an ASN1 B<OBJECT IDENTIFIER>, the B<value> string can be |
3443 | +a short name, a long name or numerical format. |
3444 | + |
3445 | +=item B<UTCTIME>, B<UTC> |
3446 | + |
3447 | +Encodes an ASN1 B<UTCTime> structure, the value should be in |
3448 | +the format B<YYMMDDHHMMSSZ>. |
3449 | + |
3450 | +=item B<GENERALIZEDTIME>, B<GENTIME> |
3451 | + |
3452 | +Encodes an ASN1 B<GeneralizedTime> structure, the value should be in |
3453 | +the format B<YYYYMMDDHHMMSSZ>. |
3454 | + |
3455 | +=item B<OCTETSTRING>, B<OCT> |
3456 | + |
3457 | +Encodes an ASN1 B<OCTET STRING>. B<value> represents the contents |
3458 | +of this structure, the format strings B<ASCII> and B<HEX> can be |
3459 | +used to specify the format of B<value>. |
3460 | + |
3461 | +=item B<BITSTRING>, B<BITSTR> |
3462 | + |
3463 | +Encodes an ASN1 B<BIT STRING>. B<value> represents the contents |
3464 | +of this structure, the format strings B<ASCII>, B<HEX> and B<BITLIST> |
3465 | +can be used to specify the format of B<value>. |
3466 | + |
3467 | +If the format is anything other than B<BITLIST> the number of unused |
3468 | +bits is set to zero. |
3469 | + |
3470 | +=item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>, |
3471 | +B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>, |
3472 | +B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>, |
3473 | +B<T61STRING>, B<TELETEXSTRING>, B<GeneralString>, B<NUMERICSTRING>, |
3474 | +B<NUMERIC> |
3475 | + |
3476 | +These encode the corresponding string types. B<value> represents the |
3477 | +contents of this structure. The format can be B<ASCII> or B<UTF8>. |
3478 | + |
3479 | +=item B<SEQUENCE>, B<SEQ>, B<SET> |
3480 | + |
3481 | +Formats the result as an ASN1 B<SEQUENCE> or B<SET> type. B<value> |
3482 | +should be a section name which will contain the contents. The |
3483 | +field names in the section are ignored and the values are in the |
3484 | +generated string format. If B<value> is absent then an empty SEQUENCE |
3485 | +will be encoded. |
3486 | + |
3487 | +=back |
3488 | + |
3489 | +=head2 MODIFIERS |
3490 | + |
3491 | +Modifiers affect the following structure, they can be used to |
3492 | +add EXPLICIT or IMPLICIT tagging, add wrappers or to change |
3493 | +the string format of the final type and value. The supported |
3494 | +formats are documented below. |
3495 | + |
3496 | +=over 2 |
3497 | + |
3498 | +=item B<EXPLICIT>, B<EXP> |
3499 | + |
3500 | +Add an explicit tag to the following structure. This string |
3501 | +should be followed by a colon and the tag value to use as a |
3502 | +decimal value. |
3503 | + |
3504 | +By following the number with B<U>, B<A>, B<P> or B<C> UNIVERSAL, |
3505 | +APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used, |
3506 | +the default is CONTEXT SPECIFIC. |
3507 | + |
3508 | +=item B<IMPLICIT>, B<IMP> |
3509 | + |
3510 | +This is the same as B<EXPLICIT> except IMPLICIT tagging is used |
3511 | +instead. |
3512 | + |
3513 | +=item B<OCTWRAP>, B<SEQWRAP>, B<SETWRAP>, B<BITWRAP> |
3514 | + |
3515 | +The following structure is surrounded by an OCTET STRING, a SEQUENCE, |
3516 | +a SET or a BIT STRING respectively. For a BIT STRING the number of unused |
3517 | +bits is set to zero. |
3518 | + |
3519 | +=item B<FORMAT> |
3520 | + |
3521 | +This specifies the format of the ultimate value. It should be followed |
3522 | +by a colon and one of the strings B<ASCII>, B<UTF8>, B<HEX> or B<BITLIST>. |
3523 | + |
3524 | +If no format specifier is included then B<ASCII> is used. If B<UTF8> is |
3525 | +specified then the value string must be a valid B<UTF8> string. For B<HEX> the |
3526 | +output must be a set of hex digits. B<BITLIST> (which is only valid for a BIT |
3527 | +STRING) is a comma separated list of the indices of the set bits, all other |
3528 | +bits are zero. |
3529 | + |
3530 | +=back |
3531 | + |
3532 | +=head1 EXAMPLES |
3533 | + |
3534 | +A simple IA5String: |
3535 | + |
3536 | + IA5STRING:Hello World |
3537 | + |
3538 | +An IA5String explicitly tagged: |
3539 | + |
3540 | + EXPLICIT:0,IA5STRING:Hello World |
3541 | + |
3542 | +An IA5String explicitly tagged using APPLICATION tagging: |
3543 | + |
3544 | + EXPLICIT:0A,IA5STRING:Hello World |
3545 | + |
3546 | +A BITSTRING with bits 1 and 5 set and all others zero: |
3547 | + |
3548 | + FORMAT:BITLIST,BITSTRING:1,5 |
3549 | + |
3550 | +A more complex example using a config file to produce a |
3551 | +SEQUENCE consiting of a BOOL an OID and a UTF8String: |
3552 | + |
3553 | + asn1 = SEQUENCE:seq_section |
3554 | + |
3555 | + [seq_section] |
3556 | + |
3557 | + field1 = BOOLEAN:TRUE |
3558 | + field2 = OID:commonName |
3559 | + field3 = UTF8:Third field |
3560 | + |
3561 | +This example produces an RSAPrivateKey structure, this is the |
3562 | +key contained in the file client.pem in all OpenSSL distributions |
3563 | +(note: the field names such as 'coeff' are ignored and are present just |
3564 | +for clarity): |
3565 | + |
3566 | + asn1=SEQUENCE:private_key |
3567 | + [private_key] |
3568 | + version=INTEGER:0 |
3569 | + |
3570 | + n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\ |
3571 | + D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9 |
3572 | + |
3573 | + e=INTEGER:0x010001 |
3574 | + |
3575 | + d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\ |
3576 | + F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D |
3577 | + |
3578 | + p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\ |
3579 | + D4BD57 |
3580 | + |
3581 | + q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\ |
3582 | + 46EC4F |
3583 | + |
3584 | + exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\ |
3585 | + 9C0A39B9 |
3586 | + |
3587 | + exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\ |
3588 | + E7B2458F |
3589 | + |
3590 | + coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\ |
3591 | + 628657053A |
3592 | + |
3593 | +This example is the corresponding public key in a SubjectPublicKeyInfo |
3594 | +structure: |
3595 | + |
3596 | + # Start with a SEQUENCE |
3597 | + asn1=SEQUENCE:pubkeyinfo |
3598 | + |
3599 | + # pubkeyinfo contains an algorithm identifier and the public key wrapped |
3600 | + # in a BIT STRING |
3601 | + [pubkeyinfo] |
3602 | + algorithm=SEQUENCE:rsa_alg |
3603 | + pubkey=BITWRAP,SEQUENCE:rsapubkey |
3604 | + |
3605 | + # algorithm ID for RSA is just an OID and a NULL |
3606 | + [rsa_alg] |
3607 | + algorithm=OID:rsaEncryption |
3608 | + parameter=NULL |
3609 | + |
3610 | + # Actual public key: modulus and exponent |
3611 | + [rsapubkey] |
3612 | + n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\ |
3613 | + D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9 |
3614 | + |
3615 | + e=INTEGER:0x010001 |
3616 | + |
3617 | +=head1 RETURN VALUES |
3618 | + |
3619 | +ASN1_generate_nconf() and ASN1_generate_v3() return the encoded |
3620 | +data as an B<ASN1_TYPE> structure or B<NULL> if an error occurred. |
3621 | + |
3622 | +The error codes that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. |
3623 | + |
3624 | +=head1 SEE ALSO |
3625 | + |
3626 | +L<ERR_get_error(3)|ERR_get_error(3)> |
3627 | + |
3628 | +=head1 HISTORY |
3629 | + |
3630 | +ASN1_generate_nconf() and ASN1_generate_v3() were added to OpenSSL 0.9.8 |
3631 | + |
3632 | +=cut |
3633 | |
3634 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod' |
3635 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod 1970-01-01 00:00:00 +0000 |
3636 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod 2011-09-15 05:17:15 +0000 |
3637 | @@ -0,0 +1,115 @@ |
3638 | +=pod |
3639 | + |
3640 | +=head1 NAME |
3641 | + |
3642 | +BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, |
3643 | +BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, |
3644 | +BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_get_flags, |
3645 | +BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM |
3646 | +functions. |
3647 | + |
3648 | +=head1 SYNOPSIS |
3649 | + |
3650 | + #include <openssl/bn.h> |
3651 | + |
3652 | + BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, |
3653 | + BIGNUM *mod); |
3654 | + void BN_BLINDING_free(BN_BLINDING *b); |
3655 | + int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx); |
3656 | + int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); |
3657 | + int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); |
3658 | + int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, |
3659 | + BN_CTX *ctx); |
3660 | + int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, |
3661 | + BN_CTX *ctx); |
3662 | + #ifndef OPENSSL_NO_DEPRECATED |
3663 | + unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); |
3664 | + void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); |
3665 | + #endif |
3666 | + CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); |
3667 | + unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); |
3668 | + void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); |
3669 | + BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, |
3670 | + const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, |
3671 | + int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, |
3672 | + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), |
3673 | + BN_MONT_CTX *m_ctx); |
3674 | + |
3675 | +=head1 DESCRIPTION |
3676 | + |
3677 | +BN_BLINDING_new() allocates a new B<BN_BLINDING> structure and copies |
3678 | +the B<A> and B<Ai> values into the newly created B<BN_BLINDING> object. |
3679 | + |
3680 | +BN_BLINDING_free() frees the B<BN_BLINDING> structure. |
3681 | + |
3682 | +BN_BLINDING_update() updates the B<BN_BLINDING> parameters by squaring |
3683 | +the B<A> and B<Ai> or, after specific number of uses and if the |
3684 | +necessary parameters are set, by re-creating the blinding parameters. |
3685 | + |
3686 | +BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>. |
3687 | +If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be |
3688 | +returned in B<r> (this is useful if a B<RSA> object is shared amoung |
3689 | +several threads). BN_BLINDING_invert_ex() multiplies B<n> with the |
3690 | +inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as |
3691 | +the inverse blinding. |
3692 | + |
3693 | +BN_BLINDING_convert() and BN_BLINDING_invert() are wrapper |
3694 | +functions for BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() |
3695 | +with B<r> set to NULL. |
3696 | + |
3697 | +BN_BLINDING_thread_id() provides access to the B<CRYPTO_THREADID> |
3698 | +object within the B<BN_BLINDING> structure. This is to help users |
3699 | +provide proper locking if needed for multi-threaded use. The "thread |
3700 | +id" object of a newly allocated B<BN_BLINDING> structure is |
3701 | +initialised to the thread id in which BN_BLINDING_new() was called. |
3702 | + |
3703 | +BN_BLINDING_get_flags() returns the BN_BLINDING flags. Currently |
3704 | +there are two supported flags: B<BN_BLINDING_NO_UPDATE> and |
3705 | +B<BN_BLINDING_NO_RECREATE>. B<BN_BLINDING_NO_UPDATE> inhibits the |
3706 | +automatic update of the B<BN_BLINDING> parameters after each use |
3707 | +and B<BN_BLINDING_NO_RECREATE> inhibits the automatic re-creation |
3708 | +of the B<BN_BLINDING> parameters after a fixed number of uses (currently |
3709 | +32). In newly allocated B<BN_BLINDING> objects no flags are set. |
3710 | +BN_BLINDING_set_flags() sets the B<BN_BLINDING> parameters flags. |
3711 | + |
3712 | +BN_BLINDING_create_param() creates new B<BN_BLINDING> parameters |
3713 | +using the exponent B<e> and the modulus B<m>. B<bn_mod_exp> and |
3714 | +B<m_ctx> can be used to pass special functions for exponentiation |
3715 | +(normally BN_mod_exp_mont() and B<BN_MONT_CTX>). |
3716 | + |
3717 | +=head1 RETURN VALUES |
3718 | + |
3719 | +BN_BLINDING_new() returns the newly allocated B<BN_BLINDING> structure |
3720 | +or NULL in case of an error. |
3721 | + |
3722 | +BN_BLINDING_update(), BN_BLINDING_convert(), BN_BLINDING_invert(), |
3723 | +BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() return 1 on |
3724 | +success and 0 if an error occured. |
3725 | + |
3726 | +BN_BLINDING_thread_id() returns a pointer to the thread id object |
3727 | +within a B<BN_BLINDING> object. |
3728 | + |
3729 | +BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags |
3730 | +(a B<unsigned long> value). |
3731 | + |
3732 | +BN_BLINDING_create_param() returns the newly created B<BN_BLINDING> |
3733 | +parameters or NULL on error. |
3734 | + |
3735 | +=head1 SEE ALSO |
3736 | + |
3737 | +L<bn(3)|bn(3)> |
3738 | + |
3739 | +=head1 HISTORY |
3740 | + |
3741 | +BN_BLINDING_thread_id was first introduced in OpenSSL 1.0.0, and it |
3742 | +deprecates BN_BLINDING_set_thread_id and BN_BLINDING_get_thread_id. |
3743 | + |
3744 | +BN_BLINDING_convert_ex, BN_BLINDIND_invert_ex, BN_BLINDING_get_thread_id, |
3745 | +BN_BLINDING_set_thread_id, BN_BLINDING_set_flags, BN_BLINDING_get_flags |
3746 | +and BN_BLINDING_create_param were first introduced in OpenSSL 0.9.8 |
3747 | + |
3748 | +=head1 AUTHOR |
3749 | + |
3750 | +Nils Larsch for the OpenSSL project (http://www.openssl.org). |
3751 | + |
3752 | +=cut |
3753 | |
3754 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod' |
3755 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod 1970-01-01 00:00:00 +0000 |
3756 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod 2011-09-15 05:17:15 +0000 |
3757 | @@ -0,0 +1,67 @@ |
3758 | +=pod |
3759 | + |
3760 | +=head1 NAME |
3761 | + |
3762 | +EVP_BytesToKey - password based encryption routine |
3763 | + |
3764 | +=head1 SYNOPSIS |
3765 | + |
3766 | + #include <openssl/evp.h> |
3767 | + |
3768 | + int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md, |
3769 | + const unsigned char *salt, |
3770 | + const unsigned char *data, int datal, int count, |
3771 | + unsigned char *key,unsigned char *iv); |
3772 | + |
3773 | +=head1 DESCRIPTION |
3774 | + |
3775 | +EVP_BytesToKey() derives a key and IV from various parameters. B<type> is |
3776 | +the cipher to derive the key and IV for. B<md> is the message digest to use. |
3777 | +The B<salt> paramter is used as a salt in the derivation: it should point to |
3778 | +an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing |
3779 | +B<datal> bytes which is used to derive the keying data. B<count> is the |
3780 | +iteration count to use. The derived key and IV will be written to B<key> |
3781 | +and B<iv> respectively. |
3782 | + |
3783 | +=head1 NOTES |
3784 | + |
3785 | +A typical application of this function is to derive keying material for an |
3786 | +encryption algorithm from a password in the B<data> parameter. |
3787 | + |
3788 | +Increasing the B<count> parameter slows down the algorithm which makes it |
3789 | +harder for an attacker to peform a brute force attack using a large number |
3790 | +of candidate passwords. |
3791 | + |
3792 | +If the total key and IV length is less than the digest length and |
3793 | +B<MD5> is used then the derivation algorithm is compatible with PKCS#5 v1.5 |
3794 | +otherwise a non standard extension is used to derive the extra data. |
3795 | + |
3796 | +Newer applications should use more standard algorithms such as PKCS#5 |
3797 | +v2.0 for key derivation. |
3798 | + |
3799 | +=head1 KEY DERIVATION ALGORITHM |
3800 | + |
3801 | +The key and IV is derived by concatenating D_1, D_2, etc until |
3802 | +enough data is available for the key and IV. D_i is defined as: |
3803 | + |
3804 | + D_i = HASH^count(D_(i-1) || data || salt) |
3805 | + |
3806 | +where || denotes concatentaion, D_0 is empty, HASH is the digest |
3807 | +algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data) |
3808 | +is HASH(HASH(data)) and so on. |
3809 | + |
3810 | +The initial bytes are used for the key and the subsequent bytes for |
3811 | +the IV. |
3812 | + |
3813 | +=head1 RETURN VALUES |
3814 | + |
3815 | +EVP_BytesToKey() returns the size of the derived key in bytes. |
3816 | + |
3817 | +=head1 SEE ALSO |
3818 | + |
3819 | +L<evp(3)|evp(3)>, L<rand(3)|rand(3)>, |
3820 | +L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> |
3821 | + |
3822 | +=head1 HISTORY |
3823 | + |
3824 | +=cut |
3825 | |
3826 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod' |
3827 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod 1970-01-01 00:00:00 +0000 |
3828 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod 2011-09-15 05:17:15 +0000 |
3829 | @@ -0,0 +1,511 @@ |
3830 | +=pod |
3831 | + |
3832 | +=head1 NAME |
3833 | + |
3834 | +EVP_CIPHER_CTX_init, EVP_EncryptInit_ex, EVP_EncryptUpdate, |
3835 | +EVP_EncryptFinal_ex, EVP_DecryptInit_ex, EVP_DecryptUpdate, |
3836 | +EVP_DecryptFinal_ex, EVP_CipherInit_ex, EVP_CipherUpdate, |
3837 | +EVP_CipherFinal_ex, EVP_CIPHER_CTX_set_key_length, |
3838 | +EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX_cleanup, EVP_EncryptInit, |
3839 | +EVP_EncryptFinal, EVP_DecryptInit, EVP_DecryptFinal, |
3840 | +EVP_CipherInit, EVP_CipherFinal, EVP_get_cipherbyname, |
3841 | +EVP_get_cipherbynid, EVP_get_cipherbyobj, EVP_CIPHER_nid, |
3842 | +EVP_CIPHER_block_size, EVP_CIPHER_key_length, EVP_CIPHER_iv_length, |
3843 | +EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher, |
3844 | +EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length, |
3845 | +EVP_CIPHER_CTX_iv_length, EVP_CIPHER_CTX_get_app_data, |
3846 | +EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type, EVP_CIPHER_CTX_flags, |
3847 | +EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param, |
3848 | +EVP_CIPHER_CTX_set_padding - EVP cipher routines |
3849 | + |
3850 | +=head1 SYNOPSIS |
3851 | + |
3852 | + #include <openssl/evp.h> |
3853 | + |
3854 | + void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); |
3855 | + |
3856 | + int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, |
3857 | + ENGINE *impl, unsigned char *key, unsigned char *iv); |
3858 | + int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, |
3859 | + int *outl, unsigned char *in, int inl); |
3860 | + int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, |
3861 | + int *outl); |
3862 | + |
3863 | + int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, |
3864 | + ENGINE *impl, unsigned char *key, unsigned char *iv); |
3865 | + int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, |
3866 | + int *outl, unsigned char *in, int inl); |
3867 | + int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, |
3868 | + int *outl); |
3869 | + |
3870 | + int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, |
3871 | + ENGINE *impl, unsigned char *key, unsigned char *iv, int enc); |
3872 | + int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, |
3873 | + int *outl, unsigned char *in, int inl); |
3874 | + int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, |
3875 | + int *outl); |
3876 | + |
3877 | + int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, |
3878 | + unsigned char *key, unsigned char *iv); |
3879 | + int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, |
3880 | + int *outl); |
3881 | + |
3882 | + int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, |
3883 | + unsigned char *key, unsigned char *iv); |
3884 | + int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, |
3885 | + int *outl); |
3886 | + |
3887 | + int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, |
3888 | + unsigned char *key, unsigned char *iv, int enc); |
3889 | + int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, |
3890 | + int *outl); |
3891 | + |
3892 | + int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding); |
3893 | + int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); |
3894 | + int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); |
3895 | + int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); |
3896 | + |
3897 | + const EVP_CIPHER *EVP_get_cipherbyname(const char *name); |
3898 | + #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a)) |
3899 | + #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a)) |
3900 | + |
3901 | + #define EVP_CIPHER_nid(e) ((e)->nid) |
3902 | + #define EVP_CIPHER_block_size(e) ((e)->block_size) |
3903 | + #define EVP_CIPHER_key_length(e) ((e)->key_len) |
3904 | + #define EVP_CIPHER_iv_length(e) ((e)->iv_len) |
3905 | + #define EVP_CIPHER_flags(e) ((e)->flags) |
3906 | + #define EVP_CIPHER_mode(e) ((e)->flags) & EVP_CIPH_MODE) |
3907 | + int EVP_CIPHER_type(const EVP_CIPHER *ctx); |
3908 | + |
3909 | + #define EVP_CIPHER_CTX_cipher(e) ((e)->cipher) |
3910 | + #define EVP_CIPHER_CTX_nid(e) ((e)->cipher->nid) |
3911 | + #define EVP_CIPHER_CTX_block_size(e) ((e)->cipher->block_size) |
3912 | + #define EVP_CIPHER_CTX_key_length(e) ((e)->key_len) |
3913 | + #define EVP_CIPHER_CTX_iv_length(e) ((e)->cipher->iv_len) |
3914 | + #define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) |
3915 | + #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d)) |
3916 | + #define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c)) |
3917 | + #define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags) |
3918 | + #define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE) |
3919 | + |
3920 | + int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); |
3921 | + int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); |
3922 | + |
3923 | +=head1 DESCRIPTION |
3924 | + |
3925 | +The EVP cipher routines are a high level interface to certain |
3926 | +symmetric ciphers. |
3927 | + |
3928 | +EVP_CIPHER_CTX_init() initializes cipher contex B<ctx>. |
3929 | + |
3930 | +EVP_EncryptInit_ex() sets up cipher context B<ctx> for encryption |
3931 | +with cipher B<type> from ENGINE B<impl>. B<ctx> must be initialized |
3932 | +before calling this function. B<type> is normally supplied |
3933 | +by a function such as EVP_des_cbc(). If B<impl> is NULL then the |
3934 | +default implementation is used. B<key> is the symmetric key to use |
3935 | +and B<iv> is the IV to use (if necessary), the actual number of bytes |
3936 | +used for the key and IV depends on the cipher. It is possible to set |
3937 | +all parameters to NULL except B<type> in an initial call and supply |
3938 | +the remaining parameters in subsequent calls, all of which have B<type> |
3939 | +set to NULL. This is done when the default cipher parameters are not |
3940 | +appropriate. |
3941 | + |
3942 | +EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and |
3943 | +writes the encrypted version to B<out>. This function can be called |
3944 | +multiple times to encrypt successive blocks of data. The amount |
3945 | +of data written depends on the block alignment of the encrypted data: |
3946 | +as a result the amount of data written may be anything from zero bytes |
3947 | +to (inl + cipher_block_size - 1) so B<outl> should contain sufficient |
3948 | +room. The actual number of bytes written is placed in B<outl>. |
3949 | + |
3950 | +If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts |
3951 | +the "final" data, that is any data that remains in a partial block. |
3952 | +It uses L<standard block padding|/NOTES> (aka PKCS padding). The encrypted |
3953 | +final data is written to B<out> which should have sufficient space for |
3954 | +one cipher block. The number of bytes written is placed in B<outl>. After |
3955 | +this function is called the encryption operation is finished and no further |
3956 | +calls to EVP_EncryptUpdate() should be made. |
3957 | + |
3958 | +If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more |
3959 | +data and it will return an error if any data remains in a partial block: |
3960 | +that is if the total data length is not a multiple of the block size. |
3961 | + |
3962 | +EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex() are the |
3963 | +corresponding decryption operations. EVP_DecryptFinal() will return an |
3964 | +error code if padding is enabled and the final block is not correctly |
3965 | +formatted. The parameters and restrictions are identical to the encryption |
3966 | +operations except that if padding is enabled the decrypted data buffer B<out> |
3967 | +passed to EVP_DecryptUpdate() should have sufficient room for |
3968 | +(B<inl> + cipher_block_size) bytes unless the cipher block size is 1 in |
3969 | +which case B<inl> bytes is sufficient. |
3970 | + |
3971 | +EVP_CipherInit_ex(), EVP_CipherUpdate() and EVP_CipherFinal_ex() are |
3972 | +functions that can be used for decryption or encryption. The operation |
3973 | +performed depends on the value of the B<enc> parameter. It should be set |
3974 | +to 1 for encryption, 0 for decryption and -1 to leave the value unchanged |
3975 | +(the actual value of 'enc' being supplied in a previous call). |
3976 | + |
3977 | +EVP_CIPHER_CTX_cleanup() clears all information from a cipher context |
3978 | +and free up any allocated memory associate with it. It should be called |
3979 | +after all operations using a cipher are complete so sensitive information |
3980 | +does not remain in memory. |
3981 | + |
3982 | +EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a |
3983 | +similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and |
3984 | +EVP_CipherInit_ex() except the B<ctx> paramter does not need to be |
3985 | +initialized and they always use the default cipher implementation. |
3986 | + |
3987 | +EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a |
3988 | +similar way to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and |
3989 | +EVP_CipherFinal_ex() except B<ctx> is automatically cleaned up |
3990 | +after the call. |
3991 | + |
3992 | +EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj() |
3993 | +return an EVP_CIPHER structure when passed a cipher name, a NID or an |
3994 | +ASN1_OBJECT structure. |
3995 | + |
3996 | +EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return the NID of a cipher when |
3997 | +passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure. The actual NID |
3998 | +value is an internal value which may not have a corresponding OBJECT |
3999 | +IDENTIFIER. |
4000 | + |
4001 | +EVP_CIPHER_CTX_set_padding() enables or disables padding. By default |
4002 | +encryption operations are padded using standard block padding and the |
4003 | +padding is checked and removed when decrypting. If the B<pad> parameter |
4004 | +is zero then no padding is performed, the total amount of data encrypted |
4005 | +or decrypted must then be a multiple of the block size or an error will |
4006 | +occur. |
4007 | + |
4008 | +EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key |
4009 | +length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> |
4010 | +structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum key length |
4011 | +for all ciphers. Note: although EVP_CIPHER_key_length() is fixed for a |
4012 | +given cipher, the value of EVP_CIPHER_CTX_key_length() may be different |
4013 | +for variable key length ciphers. |
4014 | + |
4015 | +EVP_CIPHER_CTX_set_key_length() sets the key length of the cipher ctx. |
4016 | +If the cipher is a fixed length cipher then attempting to set the key |
4017 | +length to any value other than the fixed value is an error. |
4018 | + |
4019 | +EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV |
4020 | +length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>. |
4021 | +It will return zero if the cipher does not use an IV. The constant |
4022 | +B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers. |
4023 | + |
4024 | +EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block |
4025 | +size of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> |
4026 | +structure. The constant B<EVP_MAX_IV_LENGTH> is also the maximum block |
4027 | +length for all ciphers. |
4028 | + |
4029 | +EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the type of the passed |
4030 | +cipher or context. This "type" is the actual NID of the cipher OBJECT |
4031 | +IDENTIFIER as such it ignores the cipher parameters and 40 bit RC2 and |
4032 | +128 bit RC2 have the same NID. If the cipher does not have an object |
4033 | +identifier or does not have ASN1 support this function will return |
4034 | +B<NID_undef>. |
4035 | + |
4036 | +EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed |
4037 | +an B<EVP_CIPHER_CTX> structure. |
4038 | + |
4039 | +EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode() return the block cipher mode: |
4040 | +EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE or |
4041 | +EVP_CIPH_OFB_MODE. If the cipher is a stream cipher then |
4042 | +EVP_CIPH_STREAM_CIPHER is returned. |
4043 | + |
4044 | +EVP_CIPHER_param_to_asn1() sets the AlgorithmIdentifier "parameter" based |
4045 | +on the passed cipher. This will typically include any parameters and an |
4046 | +IV. The cipher IV (if any) must be set when this call is made. This call |
4047 | +should be made before the cipher is actually "used" (before any |
4048 | +EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). This function |
4049 | +may fail if the cipher does not have any ASN1 support. |
4050 | + |
4051 | +EVP_CIPHER_asn1_to_param() sets the cipher parameters based on an ASN1 |
4052 | +AlgorithmIdentifier "parameter". The precise effect depends on the cipher |
4053 | +In the case of RC2, for example, it will set the IV and effective key length. |
4054 | +This function should be called after the base cipher type is set but before |
4055 | +the key is set. For example EVP_CipherInit() will be called with the IV and |
4056 | +key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally |
4057 | +EVP_CipherInit() again with all parameters except the key set to NULL. It is |
4058 | +possible for this function to fail if the cipher does not have any ASN1 support |
4059 | +or the parameters cannot be set (for example the RC2 effective key length |
4060 | +is not supported. |
4061 | + |
4062 | +EVP_CIPHER_CTX_ctrl() allows various cipher specific parameters to be determined |
4063 | +and set. Currently only the RC2 effective key length and the number of rounds of |
4064 | +RC5 can be set. |
4065 | + |
4066 | +=head1 RETURN VALUES |
4067 | + |
4068 | +EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex() |
4069 | +return 1 for success and 0 for failure. |
4070 | + |
4071 | +EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure. |
4072 | +EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success. |
4073 | + |
4074 | +EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for failure. |
4075 | +EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success. |
4076 | + |
4077 | +EVP_CIPHER_CTX_cleanup() returns 1 for success and 0 for failure. |
4078 | + |
4079 | +EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj() |
4080 | +return an B<EVP_CIPHER> structure or NULL on error. |
4081 | + |
4082 | +EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID. |
4083 | + |
4084 | +EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block |
4085 | +size. |
4086 | + |
4087 | +EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key |
4088 | +length. |
4089 | + |
4090 | +EVP_CIPHER_CTX_set_padding() always returns 1. |
4091 | + |
4092 | +EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV |
4093 | +length or zero if the cipher does not use an IV. |
4094 | + |
4095 | +EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's |
4096 | +OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER. |
4097 | + |
4098 | +EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure. |
4099 | + |
4100 | +EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for |
4101 | +success or zero for failure. |
4102 | + |
4103 | +=head1 CIPHER LISTING |
4104 | + |
4105 | +All algorithms have a fixed key length unless otherwise stated. |
4106 | + |
4107 | +=over 4 |
4108 | + |
4109 | +=item EVP_enc_null() |
4110 | + |
4111 | +Null cipher: does nothing. |
4112 | + |
4113 | +=item EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void) |
4114 | + |
4115 | +DES in CBC, ECB, CFB and OFB modes respectively. |
4116 | + |
4117 | +=item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void), EVP_des_ede_cfb(void) |
4118 | + |
4119 | +Two key triple DES in CBC, ECB, CFB and OFB modes respectively. |
4120 | + |
4121 | +=item EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void), EVP_des_ede3_cfb(void) |
4122 | + |
4123 | +Three key triple DES in CBC, ECB, CFB and OFB modes respectively. |
4124 | + |
4125 | +=item EVP_desx_cbc(void) |
4126 | + |
4127 | +DESX algorithm in CBC mode. |
4128 | + |
4129 | +=item EVP_rc4(void) |
4130 | + |
4131 | +RC4 stream cipher. This is a variable key length cipher with default key length 128 bits. |
4132 | + |
4133 | +=item EVP_rc4_40(void) |
4134 | + |
4135 | +RC4 stream cipher with 40 bit key length. This is obsolete and new code should use EVP_rc4() |
4136 | +and the EVP_CIPHER_CTX_set_key_length() function. |
4137 | + |
4138 | +=item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void), EVP_idea_cbc(void) |
4139 | + |
4140 | +IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively. |
4141 | + |
4142 | +=item EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void) |
4143 | + |
4144 | +RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key |
4145 | +length cipher with an additional parameter called "effective key bits" or "effective key length". |
4146 | +By default both are set to 128 bits. |
4147 | + |
4148 | +=item EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void) |
4149 | + |
4150 | +RC2 algorithm in CBC mode with a default key length and effective key length of 40 and 64 bits. |
4151 | +These are obsolete and new code should use EVP_rc2_cbc(), EVP_CIPHER_CTX_set_key_length() and |
4152 | +EVP_CIPHER_CTX_ctrl() to set the key length and effective key length. |
4153 | + |
4154 | +=item EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void); |
4155 | + |
4156 | +Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key |
4157 | +length cipher. |
4158 | + |
4159 | +=item EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void) |
4160 | + |
4161 | +CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key |
4162 | +length cipher. |
4163 | + |
4164 | +=item EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void) |
4165 | + |
4166 | +RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key length |
4167 | +cipher with an additional "number of rounds" parameter. By default the key length is set to 128 |
4168 | +bits and 12 rounds. |
4169 | + |
4170 | +=back |
4171 | + |
4172 | +=head1 NOTES |
4173 | + |
4174 | +Where possible the B<EVP> interface to symmetric ciphers should be used in |
4175 | +preference to the low level interfaces. This is because the code then becomes |
4176 | +transparent to the cipher used and much more flexible. |
4177 | + |
4178 | +PKCS padding works by adding B<n> padding bytes of value B<n> to make the total |
4179 | +length of the encrypted data a multiple of the block size. Padding is always |
4180 | +added so if the data is already a multiple of the block size B<n> will equal |
4181 | +the block size. For example if the block size is 8 and 11 bytes are to be |
4182 | +encrypted then 5 padding bytes of value 5 will be added. |
4183 | + |
4184 | +When decrypting the final block is checked to see if it has the correct form. |
4185 | + |
4186 | +Although the decryption operation can produce an error if padding is enabled, |
4187 | +it is not a strong test that the input data or key is correct. A random block |
4188 | +has better than 1 in 256 chance of being of the correct format and problems with |
4189 | +the input data earlier on will not produce a final decrypt error. |
4190 | + |
4191 | +If padding is disabled then the decryption operation will always succeed if |
4192 | +the total amount of data decrypted is a multiple of the block size. |
4193 | + |
4194 | +The functions EVP_EncryptInit(), EVP_EncryptFinal(), EVP_DecryptInit(), |
4195 | +EVP_CipherInit() and EVP_CipherFinal() are obsolete but are retained for |
4196 | +compatibility with existing code. New code should use EVP_EncryptInit_ex(), |
4197 | +EVP_EncryptFinal_ex(), EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), |
4198 | +EVP_CipherInit_ex() and EVP_CipherFinal_ex() because they can reuse an |
4199 | +existing context without allocating and freeing it up on each call. |
4200 | + |
4201 | +=head1 BUGS |
4202 | + |
4203 | +For RC5 the number of rounds can currently only be set to 8, 12 or 16. This is |
4204 | +a limitation of the current RC5 code rather than the EVP interface. |
4205 | + |
4206 | +EVP_MAX_KEY_LENGTH and EVP_MAX_IV_LENGTH only refer to the internal ciphers with |
4207 | +default key lengths. If custom ciphers exceed these values the results are |
4208 | +unpredictable. This is because it has become standard practice to define a |
4209 | +generic key as a fixed unsigned char array containing EVP_MAX_KEY_LENGTH bytes. |
4210 | + |
4211 | +The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested |
4212 | +for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode. |
4213 | + |
4214 | +=head1 EXAMPLES |
4215 | + |
4216 | +Get the number of rounds used in RC5: |
4217 | + |
4218 | + int nrounds; |
4219 | + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &nrounds); |
4220 | + |
4221 | +Get the RC2 effective key length: |
4222 | + |
4223 | + int key_bits; |
4224 | + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC2_KEY_BITS, 0, &key_bits); |
4225 | + |
4226 | +Set the number of rounds used in RC5: |
4227 | + |
4228 | + int nrounds; |
4229 | + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, nrounds, NULL); |
4230 | + |
4231 | +Set the effective key length used in RC2: |
4232 | + |
4233 | + int key_bits; |
4234 | + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL); |
4235 | + |
4236 | +Encrypt a string using blowfish: |
4237 | + |
4238 | + int do_crypt(char *outfile) |
4239 | + { |
4240 | + unsigned char outbuf[1024]; |
4241 | + int outlen, tmplen; |
4242 | + /* Bogus key and IV: we'd normally set these from |
4243 | + * another source. |
4244 | + */ |
4245 | + unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; |
4246 | + unsigned char iv[] = {1,2,3,4,5,6,7,8}; |
4247 | + char intext[] = "Some Crypto Text"; |
4248 | + EVP_CIPHER_CTX ctx; |
4249 | + FILE *out; |
4250 | + EVP_CIPHER_CTX_init(&ctx); |
4251 | + EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv); |
4252 | + |
4253 | + if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext))) |
4254 | + { |
4255 | + /* Error */ |
4256 | + return 0; |
4257 | + } |
4258 | + /* Buffer passed to EVP_EncryptFinal() must be after data just |
4259 | + * encrypted to avoid overwriting it. |
4260 | + */ |
4261 | + if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen)) |
4262 | + { |
4263 | + /* Error */ |
4264 | + return 0; |
4265 | + } |
4266 | + outlen += tmplen; |
4267 | + EVP_CIPHER_CTX_cleanup(&ctx); |
4268 | + /* Need binary mode for fopen because encrypted data is |
4269 | + * binary data. Also cannot use strlen() on it because |
4270 | + * it wont be null terminated and may contain embedded |
4271 | + * nulls. |
4272 | + */ |
4273 | + out = fopen(outfile, "wb"); |
4274 | + fwrite(outbuf, 1, outlen, out); |
4275 | + fclose(out); |
4276 | + return 1; |
4277 | + } |
4278 | + |
4279 | +The ciphertext from the above example can be decrypted using the B<openssl> |
4280 | +utility with the command line: |
4281 | + |
4282 | + S<openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d> |
4283 | + |
4284 | +General encryption, decryption function example using FILE I/O and RC2 with an |
4285 | +80 bit key: |
4286 | + |
4287 | + int do_crypt(FILE *in, FILE *out, int do_encrypt) |
4288 | + { |
4289 | + /* Allow enough space in output buffer for additional block */ |
4290 | + inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH]; |
4291 | + int inlen, outlen; |
4292 | + /* Bogus key and IV: we'd normally set these from |
4293 | + * another source. |
4294 | + */ |
4295 | + unsigned char key[] = "0123456789"; |
4296 | + unsigned char iv[] = "12345678"; |
4297 | + /* Don't set key or IV because we will modify the parameters */ |
4298 | + EVP_CIPHER_CTX_init(&ctx); |
4299 | + EVP_CipherInit_ex(&ctx, EVP_rc2(), NULL, NULL, NULL, do_encrypt); |
4300 | + EVP_CIPHER_CTX_set_key_length(&ctx, 10); |
4301 | + /* We finished modifying parameters so now we can set key and IV */ |
4302 | + EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt); |
4303 | + |
4304 | + for(;;) |
4305 | + { |
4306 | + inlen = fread(inbuf, 1, 1024, in); |
4307 | + if(inlen <= 0) break; |
4308 | + if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen)) |
4309 | + { |
4310 | + /* Error */ |
4311 | + EVP_CIPHER_CTX_cleanup(&ctx); |
4312 | + return 0; |
4313 | + } |
4314 | + fwrite(outbuf, 1, outlen, out); |
4315 | + } |
4316 | + if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen)) |
4317 | + { |
4318 | + /* Error */ |
4319 | + EVP_CIPHER_CTX_cleanup(&ctx); |
4320 | + return 0; |
4321 | + } |
4322 | + fwrite(outbuf, 1, outlen, out); |
4323 | + |
4324 | + EVP_CIPHER_CTX_cleanup(&ctx); |
4325 | + return 1; |
4326 | + } |
4327 | + |
4328 | + |
4329 | +=head1 SEE ALSO |
4330 | + |
4331 | +L<evp(3)|evp(3)> |
4332 | + |
4333 | +=head1 HISTORY |
4334 | + |
4335 | +EVP_CIPHER_CTX_init(), EVP_EncryptInit_ex(), EVP_EncryptFinal_ex(), |
4336 | +EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex(), |
4337 | +EVP_CipherFinal_ex() and EVP_CIPHER_CTX_set_padding() appeared in |
4338 | +OpenSSL 0.9.7. |
4339 | + |
4340 | +=cut |
4341 | |
4342 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod' |
4343 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod 1970-01-01 00:00:00 +0000 |
4344 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod 2011-09-15 05:17:15 +0000 |
4345 | @@ -0,0 +1,61 @@ |
4346 | +=pod |
4347 | + |
4348 | +=head1 NAME |
4349 | + |
4350 | +EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters, EVP_PKEY_cmp - public key parameter and comparison functions |
4351 | + |
4352 | +=head1 SYNOPSIS |
4353 | + |
4354 | + #include <openssl/evp.h> |
4355 | + |
4356 | + int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey); |
4357 | + int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from); |
4358 | + |
4359 | + int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b); |
4360 | + int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b); |
4361 | + |
4362 | +=head1 DESCRIPTION |
4363 | + |
4364 | +The function EVP_PKEY_missing_parameters() returns 1 if the public key |
4365 | +parameters of B<pkey> are missing and 0 if they are present or the algorithm |
4366 | +doesn't use parameters. |
4367 | + |
4368 | +The function EVP_PKEY_copy_parameters() copies the parameters from key |
4369 | +B<from> to key B<to>. |
4370 | + |
4371 | +The funcion EVP_PKEY_cmp_parameters() compares the parameters of keys |
4372 | +B<a> and B<b>. |
4373 | + |
4374 | +The funcion EVP_PKEY_cmp() compares the public key components and paramters |
4375 | +(if present) of keys B<a> and B<b>. |
4376 | + |
4377 | +=head1 NOTES |
4378 | + |
4379 | +The main purpose of the functions EVP_PKEY_missing_parameters() and |
4380 | +EVP_PKEY_copy_parameters() is to handle public keys in certificates where the |
4381 | +parameters are sometimes omitted from a public key if they are inherited from |
4382 | +the CA that signed it. |
4383 | + |
4384 | +Since OpenSSL private keys contain public key components too the function |
4385 | +EVP_PKEY_cmp() can also be used to determine if a private key matches |
4386 | +a public key. |
4387 | + |
4388 | +=head1 RETURN VALUES |
4389 | + |
4390 | +The function EVP_PKEY_missing_parameters() returns 1 if the public key |
4391 | +parameters of B<pkey> are missing and 0 if they are present or the algorithm |
4392 | +doesn't use parameters. |
4393 | + |
4394 | +These functions EVP_PKEY_copy_parameters() returns 1 for success and 0 for |
4395 | +failure. |
4396 | + |
4397 | +The function EVP_PKEY_cmp_parameters() and EVP_PKEY_cmp() return 1 if the |
4398 | +keys match, 0 if they don't match, -1 if the key types are different and |
4399 | +-2 if the operation is not supported. |
4400 | + |
4401 | +=head1 SEE ALSO |
4402 | + |
4403 | +L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, |
4404 | +L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> |
4405 | + |
4406 | +=cut |
4407 | |
4408 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod' |
4409 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod 1970-01-01 00:00:00 +0000 |
4410 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod 2011-09-15 05:17:15 +0000 |
4411 | @@ -0,0 +1,303 @@ |
4412 | +=pod |
4413 | + |
4414 | +=head1 NAME |
4415 | + |
4416 | +X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information |
4417 | + |
4418 | +=head1 SYNOPSIS |
4419 | + |
4420 | + #include <openssl/x509.h> |
4421 | + #include <openssl/x509_vfy.h> |
4422 | + |
4423 | + int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); |
4424 | + void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s); |
4425 | + int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); |
4426 | + X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); |
4427 | + |
4428 | + STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); |
4429 | + |
4430 | + const char *X509_verify_cert_error_string(long n); |
4431 | + |
4432 | +=head1 DESCRIPTION |
4433 | + |
4434 | +These functions are typically called after X509_verify_cert() has indicated |
4435 | +an error or in a verification callback to determine the nature of an error. |
4436 | + |
4437 | +X509_STORE_CTX_get_error() returns the error code of B<ctx>, see |
4438 | +the B<ERROR CODES> section for a full description of all error codes. |
4439 | + |
4440 | +X509_STORE_CTX_set_error() sets the error code of B<ctx> to B<s>. For example |
4441 | +it might be used in a verification callback to set an error based on additional |
4442 | +checks. |
4443 | + |
4444 | +X509_STORE_CTX_get_error_depth() returns the B<depth> of the error. This is a |
4445 | +non-negative integer representing where in the certificate chain the error |
4446 | +occurred. If it is zero it occured in the end entity certificate, one if |
4447 | +it is the certificate which signed the end entity certificate and so on. |
4448 | + |
4449 | +X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which |
4450 | +caused the error or B<NULL> if no certificate is relevant. |
4451 | + |
4452 | +X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous |
4453 | +call to X509_verify_cert() is successful. If the call to X509_verify_cert() |
4454 | +is B<not> successful the returned chain may be incomplete or invalid. The |
4455 | +returned chain persists after the B<ctx> structure is freed, when it is |
4456 | +no longer needed it should be free up using: |
4457 | + |
4458 | + sk_X509_pop_free(chain, X509_free); |
4459 | + |
4460 | +X509_verify_cert_error_string() returns a human readable error string for |
4461 | +verification error B<n>. |
4462 | + |
4463 | +=head1 RETURN VALUES |
4464 | + |
4465 | +X509_STORE_CTX_get_error() returns B<X509_V_OK> or an error code. |
4466 | + |
4467 | +X509_STORE_CTX_get_error_depth() returns a non-negative error depth. |
4468 | + |
4469 | +X509_STORE_CTX_get_current_cert() returns the cerificate which caused the |
4470 | +error or B<NULL> if no certificate is relevant to the error. |
4471 | + |
4472 | +X509_verify_cert_error_string() returns a human readable error string for |
4473 | +verification error B<n>. |
4474 | + |
4475 | +=head1 ERROR CODES |
4476 | + |
4477 | +A list of error codes and messages is shown below. Some of the |
4478 | +error codes are defined but currently never returned: these are described as |
4479 | +"unused". |
4480 | + |
4481 | +=over 4 |
4482 | + |
4483 | +=item B<X509_V_OK: ok> |
4484 | + |
4485 | +the operation was successful. |
4486 | + |
4487 | +=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate> |
4488 | + |
4489 | +the issuer certificate could not be found: this occurs if the issuer certificate |
4490 | +of an untrusted certificate cannot be found. |
4491 | + |
4492 | +=item B<X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL> |
4493 | + |
4494 | +the CRL of a certificate could not be found. |
4495 | + |
4496 | +=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature> |
4497 | + |
4498 | +the certificate signature could not be decrypted. This means that the actual |
4499 | +signature value could not be determined rather than it not matching the |
4500 | +expected value, this is only meaningful for RSA keys. |
4501 | + |
4502 | +=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature> |
4503 | + |
4504 | +the CRL signature could not be decrypted: this means that the actual signature |
4505 | +value could not be determined rather than it not matching the expected value. |
4506 | +Unused. |
4507 | + |
4508 | +=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key> |
4509 | + |
4510 | +the public key in the certificate SubjectPublicKeyInfo could not be read. |
4511 | + |
4512 | +=item B<X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure> |
4513 | + |
4514 | +the signature of the certificate is invalid. |
4515 | + |
4516 | +=item B<X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure> |
4517 | + |
4518 | +the signature of the certificate is invalid. |
4519 | + |
4520 | +=item B<X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid> |
4521 | + |
4522 | +the certificate is not yet valid: the notBefore date is after the current time. |
4523 | + |
4524 | +=item B<X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired> |
4525 | + |
4526 | +the certificate has expired: that is the notAfter date is before the current time. |
4527 | + |
4528 | +=item B<X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid> |
4529 | + |
4530 | +the CRL is not yet valid. |
4531 | + |
4532 | +=item B<X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired> |
4533 | + |
4534 | +the CRL has expired. |
4535 | + |
4536 | +=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field> |
4537 | + |
4538 | +the certificate notBefore field contains an invalid time. |
4539 | + |
4540 | +=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field> |
4541 | + |
4542 | +the certificate notAfter field contains an invalid time. |
4543 | + |
4544 | +=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field> |
4545 | + |
4546 | +the CRL lastUpdate field contains an invalid time. |
4547 | + |
4548 | +=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field> |
4549 | + |
4550 | +the CRL nextUpdate field contains an invalid time. |
4551 | + |
4552 | +=item B<X509_V_ERR_OUT_OF_MEM: out of memory> |
4553 | + |
4554 | +an error occurred trying to allocate memory. This should never happen. |
4555 | + |
4556 | +=item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate> |
4557 | + |
4558 | +the passed certificate is self signed and the same certificate cannot be found |
4559 | +in the list of trusted certificates. |
4560 | + |
4561 | +=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain> |
4562 | + |
4563 | +the certificate chain could be built up using the untrusted certificates but |
4564 | +the root could not be found locally. |
4565 | + |
4566 | +=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate> |
4567 | + |
4568 | +the issuer certificate of a locally looked up certificate could not be found. |
4569 | +This normally means the list of trusted certificates is not complete. |
4570 | + |
4571 | +=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate> |
4572 | + |
4573 | +no signatures could be verified because the chain contains only one certificate |
4574 | +and it is not self signed. |
4575 | + |
4576 | +=item B<X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long> |
4577 | + |
4578 | +the certificate chain length is greater than the supplied maximum depth. Unused. |
4579 | + |
4580 | +=item B<X509_V_ERR_CERT_REVOKED: certificate revoked> |
4581 | + |
4582 | +the certificate has been revoked. |
4583 | + |
4584 | +=item B<X509_V_ERR_INVALID_CA: invalid CA certificate> |
4585 | + |
4586 | +a CA certificate is invalid. Either it is not a CA or its extensions are not |
4587 | +consistent with the supplied purpose. |
4588 | + |
4589 | +=item B<X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded> |
4590 | + |
4591 | +the basicConstraints pathlength parameter has been exceeded. |
4592 | + |
4593 | +=item B<X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose> |
4594 | + |
4595 | +the supplied certificate cannot be used for the specified purpose. |
4596 | + |
4597 | +=item B<X509_V_ERR_CERT_UNTRUSTED: certificate not trusted> |
4598 | + |
4599 | +the root CA is not marked as trusted for the specified purpose. |
4600 | + |
4601 | +=item B<X509_V_ERR_CERT_REJECTED: certificate rejected> |
4602 | + |
4603 | +the root CA is marked to reject the specified purpose. |
4604 | + |
4605 | +=item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch> |
4606 | + |
4607 | +the current candidate issuer certificate was rejected because its subject name |
4608 | +did not match the issuer name of the current certificate. This is only set |
4609 | +if issuer check debugging is enabled it is used for status notification and |
4610 | +is B<not> in itself an error. |
4611 | + |
4612 | +=item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch> |
4613 | + |
4614 | +the current candidate issuer certificate was rejected because its subject key |
4615 | +identifier was present and did not match the authority key identifier current |
4616 | +certificate. This is only set if issuer check debugging is enabled it is used |
4617 | +for status notification and is B<not> in itself an error. |
4618 | + |
4619 | +=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch> |
4620 | + |
4621 | +the current candidate issuer certificate was rejected because its issuer name |
4622 | +and serial number was present and did not match the authority key identifier of |
4623 | +the current certificate. This is only set if issuer check debugging is enabled |
4624 | +it is used for status notification and is B<not> in itself an error. |
4625 | + |
4626 | +=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing> |
4627 | + |
4628 | +the current candidate issuer certificate was rejected because its keyUsage |
4629 | +extension does not permit certificate signing. This is only set if issuer check |
4630 | +debugging is enabled it is used for status notification and is B<not> in itself |
4631 | +an error. |
4632 | + |
4633 | +=item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension> |
4634 | + |
4635 | +A certificate extension had an invalid value (for example an incorrect |
4636 | +encoding) or some value inconsistent with other extensions. |
4637 | + |
4638 | + |
4639 | +=item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension> |
4640 | + |
4641 | +A certificate policies extension had an invalid value (for example an incorrect |
4642 | +encoding) or some value inconsistent with other extensions. This error only |
4643 | +occurs if policy processing is enabled. |
4644 | + |
4645 | +=item B<X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy> |
4646 | + |
4647 | +The verification flags were set to require and explicit policy but none was |
4648 | +present. |
4649 | + |
4650 | +=item B<X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope> |
4651 | + |
4652 | +The only CRLs that could be found did not match the scope of the certificate. |
4653 | + |
4654 | +=item B<X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature> |
4655 | + |
4656 | +Some feature of a certificate extension is not supported. Unused. |
4657 | + |
4658 | +=item B<X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation> |
4659 | + |
4660 | +A name constraint violation occured in the permitted subtrees. |
4661 | + |
4662 | +=item B<X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation> |
4663 | + |
4664 | +A name constraint violation occured in the excluded subtrees. |
4665 | + |
4666 | +=item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported> |
4667 | + |
4668 | +A certificate name constraints extension included a minimum or maximum field: |
4669 | +this is not supported. |
4670 | + |
4671 | +=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type> |
4672 | + |
4673 | +An unsupported name constraint type was encountered. OpenSSL currently only |
4674 | +supports directory name, DNS name, email and URI types. |
4675 | + |
4676 | +=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax> |
4677 | + |
4678 | +The format of the name constraint is not recognised: for example an email |
4679 | +address format of a form not mentioned in RFC3280. This could be caused by |
4680 | +a garbage extension or some new feature not currently supported. |
4681 | + |
4682 | +=item B<X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error> |
4683 | + |
4684 | +An error occured when attempting to verify the CRL path. This error can only |
4685 | +happen if extended CRL checking is enabled. |
4686 | + |
4687 | +=item B<X509_V_ERR_APPLICATION_VERIFICATION: application verification failure> |
4688 | + |
4689 | +an application specific error. This will never be returned unless explicitly |
4690 | +set by an application. |
4691 | + |
4692 | +=head1 NOTES |
4693 | + |
4694 | +The above functions should be used instead of directly referencing the fields |
4695 | +in the B<X509_VERIFY_CTX> structure. |
4696 | + |
4697 | +In versions of OpenSSL before 1.0 the current certificate returned by |
4698 | +X509_STORE_CTX_get_current_cert() was never B<NULL>. Applications should |
4699 | +check the return value before printing out any debugging information relating |
4700 | +to the current certificate. |
4701 | + |
4702 | +If an unrecognised error code is passed to X509_verify_cert_error_string() the |
4703 | +numerical value of the unknown code is returned in a static buffer. This is not |
4704 | +thread safe but will never happen unless an invalid code is passed. |
4705 | + |
4706 | +=head1 SEE ALSO |
4707 | + |
4708 | +L<X509_verify_cert(3)|X509_verify_cert(3)> |
4709 | + |
4710 | +=head1 HISTORY |
4711 | + |
4712 | +TBA |
4713 | + |
4714 | +=cut |
4715 | |
4716 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod' |
4717 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod 1970-01-01 00:00:00 +0000 |
4718 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod 2011-09-15 05:17:15 +0000 |
4719 | @@ -0,0 +1,476 @@ |
4720 | +=pod |
4721 | + |
4722 | +=head1 NAME |
4723 | + |
4724 | +PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams, PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines |
4725 | + |
4726 | +=head1 SYNOPSIS |
4727 | + |
4728 | + #include <openssl/pem.h> |
4729 | + |
4730 | + EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, |
4731 | + pem_password_cb *cb, void *u); |
4732 | + |
4733 | + EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, |
4734 | + pem_password_cb *cb, void *u); |
4735 | + |
4736 | + int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, |
4737 | + unsigned char *kstr, int klen, |
4738 | + pem_password_cb *cb, void *u); |
4739 | + |
4740 | + int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, |
4741 | + unsigned char *kstr, int klen, |
4742 | + pem_password_cb *cb, void *u); |
4743 | + |
4744 | + int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, |
4745 | + char *kstr, int klen, |
4746 | + pem_password_cb *cb, void *u); |
4747 | + |
4748 | + int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, |
4749 | + char *kstr, int klen, |
4750 | + pem_password_cb *cb, void *u); |
4751 | + |
4752 | + int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid, |
4753 | + char *kstr, int klen, |
4754 | + pem_password_cb *cb, void *u); |
4755 | + |
4756 | + int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid, |
4757 | + char *kstr, int klen, |
4758 | + pem_password_cb *cb, void *u); |
4759 | + |
4760 | + EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x, |
4761 | + pem_password_cb *cb, void *u); |
4762 | + |
4763 | + EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x, |
4764 | + pem_password_cb *cb, void *u); |
4765 | + |
4766 | + int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x); |
4767 | + int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x); |
4768 | + |
4769 | + RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x, |
4770 | + pem_password_cb *cb, void *u); |
4771 | + |
4772 | + RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x, |
4773 | + pem_password_cb *cb, void *u); |
4774 | + |
4775 | + int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, |
4776 | + unsigned char *kstr, int klen, |
4777 | + pem_password_cb *cb, void *u); |
4778 | + |
4779 | + int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, |
4780 | + unsigned char *kstr, int klen, |
4781 | + pem_password_cb *cb, void *u); |
4782 | + |
4783 | + RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x, |
4784 | + pem_password_cb *cb, void *u); |
4785 | + |
4786 | + RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x, |
4787 | + pem_password_cb *cb, void *u); |
4788 | + |
4789 | + int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x); |
4790 | + |
4791 | + int PEM_write_RSAPublicKey(FILE *fp, RSA *x); |
4792 | + |
4793 | + RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x, |
4794 | + pem_password_cb *cb, void *u); |
4795 | + |
4796 | + RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x, |
4797 | + pem_password_cb *cb, void *u); |
4798 | + |
4799 | + int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x); |
4800 | + |
4801 | + int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x); |
4802 | + |
4803 | + DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x, |
4804 | + pem_password_cb *cb, void *u); |
4805 | + |
4806 | + DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x, |
4807 | + pem_password_cb *cb, void *u); |
4808 | + |
4809 | + int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, |
4810 | + unsigned char *kstr, int klen, |
4811 | + pem_password_cb *cb, void *u); |
4812 | + |
4813 | + int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, |
4814 | + unsigned char *kstr, int klen, |
4815 | + pem_password_cb *cb, void *u); |
4816 | + |
4817 | + DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x, |
4818 | + pem_password_cb *cb, void *u); |
4819 | + |
4820 | + DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x, |
4821 | + pem_password_cb *cb, void *u); |
4822 | + |
4823 | + int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x); |
4824 | + |
4825 | + int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x); |
4826 | + |
4827 | + DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u); |
4828 | + |
4829 | + DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u); |
4830 | + |
4831 | + int PEM_write_bio_DSAparams(BIO *bp, DSA *x); |
4832 | + |
4833 | + int PEM_write_DSAparams(FILE *fp, DSA *x); |
4834 | + |
4835 | + DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u); |
4836 | + |
4837 | + DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u); |
4838 | + |
4839 | + int PEM_write_bio_DHparams(BIO *bp, DH *x); |
4840 | + |
4841 | + int PEM_write_DHparams(FILE *fp, DH *x); |
4842 | + |
4843 | + X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u); |
4844 | + |
4845 | + X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u); |
4846 | + |
4847 | + int PEM_write_bio_X509(BIO *bp, X509 *x); |
4848 | + |
4849 | + int PEM_write_X509(FILE *fp, X509 *x); |
4850 | + |
4851 | + X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u); |
4852 | + |
4853 | + X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u); |
4854 | + |
4855 | + int PEM_write_bio_X509_AUX(BIO *bp, X509 *x); |
4856 | + |
4857 | + int PEM_write_X509_AUX(FILE *fp, X509 *x); |
4858 | + |
4859 | + X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x, |
4860 | + pem_password_cb *cb, void *u); |
4861 | + |
4862 | + X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x, |
4863 | + pem_password_cb *cb, void *u); |
4864 | + |
4865 | + int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x); |
4866 | + |
4867 | + int PEM_write_X509_REQ(FILE *fp, X509_REQ *x); |
4868 | + |
4869 | + int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x); |
4870 | + |
4871 | + int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x); |
4872 | + |
4873 | + X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x, |
4874 | + pem_password_cb *cb, void *u); |
4875 | + X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x, |
4876 | + pem_password_cb *cb, void *u); |
4877 | + int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x); |
4878 | + int PEM_write_X509_CRL(FILE *fp, X509_CRL *x); |
4879 | + |
4880 | + PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u); |
4881 | + |
4882 | + PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u); |
4883 | + |
4884 | + int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x); |
4885 | + |
4886 | + int PEM_write_PKCS7(FILE *fp, PKCS7 *x); |
4887 | + |
4888 | + NETSCAPE_CERT_SEQUENCE *PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, |
4889 | + NETSCAPE_CERT_SEQUENCE **x, |
4890 | + pem_password_cb *cb, void *u); |
4891 | + |
4892 | + NETSCAPE_CERT_SEQUENCE *PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp, |
4893 | + NETSCAPE_CERT_SEQUENCE **x, |
4894 | + pem_password_cb *cb, void *u); |
4895 | + |
4896 | + int PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE *x); |
4897 | + |
4898 | + int PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE *x); |
4899 | + |
4900 | +=head1 DESCRIPTION |
4901 | + |
4902 | +The PEM functions read or write structures in PEM format. In |
4903 | +this sense PEM format is simply base64 encoded data surrounded |
4904 | +by header lines. |
4905 | + |
4906 | +For more details about the meaning of arguments see the |
4907 | +B<PEM FUNCTION ARGUMENTS> section. |
4908 | + |
4909 | +Each operation has four functions associated with it. For |
4910 | +clarity the term "B<foobar> functions" will be used to collectively |
4911 | +refer to the PEM_read_bio_foobar(), PEM_read_foobar(), |
4912 | +PEM_write_bio_foobar() and PEM_write_foobar() functions. |
4913 | + |
4914 | +The B<PrivateKey> functions read or write a private key in |
4915 | +PEM format using an EVP_PKEY structure. The write routines use |
4916 | +"traditional" private key format and can handle both RSA and DSA |
4917 | +private keys. The read functions can additionally transparently |
4918 | +handle PKCS#8 format encrypted and unencrypted keys too. |
4919 | + |
4920 | +PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey() |
4921 | +write a private key in an EVP_PKEY structure in PKCS#8 |
4922 | +EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption |
4923 | +algorithms. The B<cipher> argument specifies the encryption algoritm to |
4924 | +use: unlike all other PEM routines the encryption is applied at the |
4925 | +PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no |
4926 | +encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead. |
4927 | + |
4928 | +PEM_write_bio_PKCS8PrivateKey_nid() and PEM_write_PKCS8PrivateKey_nid() |
4929 | +also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however |
4930 | +it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm |
4931 | +to use is specified in the B<nid> parameter and should be the NID of the |
4932 | +corresponding OBJECT IDENTIFIER (see NOTES section). |
4933 | + |
4934 | +The B<PUBKEY> functions process a public key using an EVP_PKEY |
4935 | +structure. The public key is encoded as a SubjectPublicKeyInfo |
4936 | +structure. |
4937 | + |
4938 | +The B<RSAPrivateKey> functions process an RSA private key using an |
4939 | +RSA structure. It handles the same formats as the B<PrivateKey> |
4940 | +functions but an error occurs if the private key is not RSA. |
4941 | + |
4942 | +The B<RSAPublicKey> functions process an RSA public key using an |
4943 | +RSA structure. The public key is encoded using a PKCS#1 RSAPublicKey |
4944 | +structure. |
4945 | + |
4946 | +The B<RSA_PUBKEY> functions also process an RSA public key using |
4947 | +an RSA structure. However the public key is encoded using a |
4948 | +SubjectPublicKeyInfo structure and an error occurs if the public |
4949 | +key is not RSA. |
4950 | + |
4951 | +The B<DSAPrivateKey> functions process a DSA private key using a |
4952 | +DSA structure. It handles the same formats as the B<PrivateKey> |
4953 | +functions but an error occurs if the private key is not DSA. |
4954 | + |
4955 | +The B<DSA_PUBKEY> functions process a DSA public key using |
4956 | +a DSA structure. The public key is encoded using a |
4957 | +SubjectPublicKeyInfo structure and an error occurs if the public |
4958 | +key is not DSA. |
4959 | + |
4960 | +The B<DSAparams> functions process DSA parameters using a DSA |
4961 | +structure. The parameters are encoded using a foobar structure. |
4962 | + |
4963 | +The B<DHparams> functions process DH parameters using a DH |
4964 | +structure. The parameters are encoded using a PKCS#3 DHparameter |
4965 | +structure. |
4966 | + |
4967 | +The B<X509> functions process an X509 certificate using an X509 |
4968 | +structure. They will also process a trusted X509 certificate but |
4969 | +any trust settings are discarded. |
4970 | + |
4971 | +The B<X509_AUX> functions process a trusted X509 certificate using |
4972 | +an X509 structure. |
4973 | + |
4974 | +The B<X509_REQ> and B<X509_REQ_NEW> functions process a PKCS#10 |
4975 | +certificate request using an X509_REQ structure. The B<X509_REQ> |
4976 | +write functions use B<CERTIFICATE REQUEST> in the header whereas |
4977 | +the B<X509_REQ_NEW> functions use B<NEW CERTIFICATE REQUEST> |
4978 | +(as required by some CAs). The B<X509_REQ> read functions will |
4979 | +handle either form so there are no B<X509_REQ_NEW> read functions. |
4980 | + |
4981 | +The B<X509_CRL> functions process an X509 CRL using an X509_CRL |
4982 | +structure. |
4983 | + |
4984 | +The B<PKCS7> functions process a PKCS#7 ContentInfo using a PKCS7 |
4985 | +structure. |
4986 | + |
4987 | +The B<NETSCAPE_CERT_SEQUENCE> functions process a Netscape Certificate |
4988 | +Sequence using a NETSCAPE_CERT_SEQUENCE structure. |
4989 | + |
4990 | +=head1 PEM FUNCTION ARGUMENTS |
4991 | + |
4992 | +The PEM functions have many common arguments. |
4993 | + |
4994 | +The B<bp> BIO parameter (if present) specifies the BIO to read from |
4995 | +or write to. |
4996 | + |
4997 | +The B<fp> FILE parameter (if present) specifies the FILE pointer to |
4998 | +read from or write to. |
4999 | + |
5000 | +The PEM read functions all take an argument B<TYPE **x> and return |
The diff has been truncated for viewing.
Looks good. Uploaded.