Merge lp:~sbeattie/ubuntu/oneiric/openssl/lp850608 into lp:ubuntu/oneiric/openssl

Proposed by Steve Beattie
Status: Merged
Merged at revision: 58
Proposed branch: lp:~sbeattie/ubuntu/oneiric/openssl/lp850608
Merge into: lp:ubuntu/oneiric/openssl
Diff against target: 27465 lines (+20613/-1941)
206 files modified
.pc/Bsymbolic-functions.patch/Configure (+2/-1)
.pc/aesni.patch/Configure (+2/-1)
.pc/aesni.patch/util/libeay.num (+5/-0)
.pc/applied-patches (+12/-0)
.pc/block_diginotar.patch/crypto/x509/x509_vfy.c (+2219/-0)
.pc/c_rehash-multi.patch/tools/c_rehash.in (+192/-0)
.pc/config-hurd.patch/config (+4/-0)
.pc/dgst_hmac.patch/apps/dgst.c (+632/-0)
.pc/dgst_hmac.patch/doc/apps/dgst.pod (+162/-0)
.pc/engines-path.patch/Configure (+2/-1)
.pc/gnu_source.patch/crypto/dso/dso_dlfcn.c (+1/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod (+265/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod (+115/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod (+67/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod (+511/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod (+61/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod (+303/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod (+476/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_client_CA_list.pod (+94/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_verify.pod (+294/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+102/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_accept.pod (+76/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_connect.pod (+73/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_do_handshake.pod (+75/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_shutdown.pod (+125/-0)
.pc/libssl-misspell.patch/crypto/asn1/asn1_err.c (+329/-0)
.pc/openssl-pod-misspell.patch/apps/ca.c (+2985/-0)
.pc/openssl-pod-misspell.patch/apps/ecparam.c (+731/-0)
.pc/openssl-pod-misspell.patch/crypto/evp/encode.c (+445/-0)
.pc/openssl-pod-misspell.patch/doc/apps/config.pod (+279/-0)
.pc/openssl-pod-misspell.patch/doc/apps/genpkey.pod (+213/-0)
.pc/openssl-pod-misspell.patch/doc/apps/openssl.pod (+422/-0)
.pc/openssl-pod-misspell.patch/doc/apps/req.pod (+678/-0)
.pc/openssl-pod-misspell.patch/doc/apps/ts.pod (+594/-0)
.pc/openssl-pod-misspell.patch/doc/apps/tsget.pod (+194/-0)
.pc/openssl-pod-misspell.patch/doc/apps/x509v3_config.pod (+529/-0)
.pc/pic.patch/crypto/perlasm/cbc.pl (+0/-2)
.pc/pkcs12-doc.patch/doc/apps/pkcs12.pod (+363/-0)
.pc/pod_ec.misspell.patch/doc/apps/ec.pod (+190/-0)
.pc/pod_pksc12.misspell.patch/doc/apps/pkcs12.pod (+363/-0)
.pc/pod_req_misspell2.patch/doc/apps/req.pod (+678/-0)
.pc/pod_s_server.misspell.patch/doc/apps/s_server.pod (+355/-0)
.pc/pod_x509setflags.misspell.patch/doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+171/-0)
.pc/shared-lib-ext.patch/Configure (+2/-1)
.pc/version-script.patch/Configure (+2/-1)
CHANGES (+42/-1)
Configure (+2/-1)
FAQ (+1/-1)
INSTALL.VMS (+24/-30)
Makefile (+1/-1)
Makefile.bak (+640/-0)
NEWS (+8/-0)
README (+1/-1)
VMS/install-vms.com (+67/-0)
VMS/install.com (+0/-79)
VMS/mkshared.com (+163/-99)
VMS/openssl_startup.com (+108/-0)
VMS/openssl_undo.com (+20/-0)
apps/CA.com (+58/-42)
apps/apps.c (+6/-0)
apps/asn1pars.c (+1/-0)
apps/ca.c (+1/-1)
apps/dgst.c (+2/-0)
apps/ecparam.c (+2/-2)
apps/enc.c (+4/-0)
apps/install-apps.com (+107/-0)
apps/install.com (+0/-65)
apps/makeapps.com (+231/-118)
apps/openssl.c (+62/-2)
apps/pkcs12.c (+1/-1)
apps/speed.c (+2/-0)
apps/vms_decc_init.c (+188/-0)
config (+4/-0)
crypto/LPdir_vms.c (+28/-21)
crypto/alphacpuid.pl (+3/-5)
crypto/asn1/a_object.c (+2/-2)
crypto/asn1/asn1_err.c (+1/-1)
crypto/asn1/bio_ndef.c (+0/-3)
crypto/asn1/x_name.c (+5/-2)
crypto/bio/b_sock.c (+28/-1)
crypto/bio/bss_dgram.c (+12/-6)
crypto/bio/bss_log.c (+29/-3)
crypto/bn/asm/alpha-mont.pl (+1/-1)
crypto/bn/asm/s390x-mont.pl (+2/-2)
crypto/bn/bn.h (+18/-0)
crypto/bn/bn_gf2m.c (+1/-0)
crypto/bn/bn_mont.c (+1/-1)
crypto/bn/bn_nist.c (+36/-28)
crypto/conf/conf_api.c (+1/-0)
crypto/cryptlib.c (+0/-1)
crypto/crypto-lib.com (+241/-129)
crypto/dsa/dsa_pmeth.c (+1/-0)
crypto/dso/dso_dlfcn.c (+1/-0)
crypto/dso/dso_vms.c (+103/-82)
crypto/ecdsa/ecdsatest.c (+2/-3)
crypto/ecdsa/ecs_ossl.c (+8/-0)
crypto/evp/encode.c (+1/-1)
crypto/evp/evp_test.c (+1/-0)
crypto/hmac/hm_pmeth.c (+2/-0)
crypto/install-crypto.com (+196/-0)
crypto/install.com (+0/-150)
crypto/o_time.c (+14/-8)
crypto/ocsp/ocsp_lib.c (+4/-4)
crypto/opensslv.h (+3/-3)
crypto/perlasm/cbc.pl (+0/-2)
crypto/rand/rand_vms.c (+14/-2)
crypto/rand/randfile.c (+2/-0)
crypto/rsa/rsa_oaep.c (+13/-7)
crypto/stack/safestack.h (+25/-25)
crypto/vms_rms.h (+51/-0)
crypto/x509/x509_vfy.c (+31/-0)
debian/changelog (+77/-0)
debian/libssl1.0.0.postinst (+5/-1)
debian/patches/Bsymbolic-functions.patch (+7/-3)
debian/patches/aesni.patch (+29/-14)
debian/patches/block_diginotar.patch (+64/-0)
debian/patches/c_rehash-multi.patch (+86/-0)
debian/patches/debian-targets.patch (+3/-2)
debian/patches/dgst_hmac.patch (+51/-0)
debian/patches/libdoc-manpgs-pod-spell.patch (+236/-0)
debian/patches/libssl-misspell.patch (+11/-0)
debian/patches/openssl-pod-misspell.patch (+137/-0)
debian/patches/pkcs12-doc.patch (+36/-0)
debian/patches/pod_ec.misspell.patch (+11/-0)
debian/patches/pod_pksc12.misspell.patch (+11/-0)
debian/patches/pod_req_misspell2.patch (+12/-0)
debian/patches/pod_s_server.misspell.patch (+11/-0)
debian/patches/pod_x509setflags.misspell.patch (+11/-0)
debian/patches/rehash_pod.patch (+2/-2)
debian/patches/series (+12/-0)
debian/patches/version-script.patch (+22/-4)
debian/rules (+3/-1)
doc/apps/c_rehash.pod (+2/-2)
doc/apps/config.pod (+1/-1)
doc/apps/dgst.pod (+10/-0)
doc/apps/ec.pod (+1/-1)
doc/apps/genpkey.pod (+2/-0)
doc/apps/openssl.pod (+2/-2)
doc/apps/pkcs12.pod (+7/-2)
doc/apps/req.pod (+2/-2)
doc/apps/s_server.pod (+1/-1)
doc/apps/ts.pod (+2/-2)
doc/apps/tsget.pod (+1/-1)
doc/apps/x509v3_config.pod (+1/-1)
doc/crypto/ASN1_generate_nconf.pod (+1/-1)
doc/crypto/BN_BLINDING_new.pod (+1/-1)
doc/crypto/EVP_BytesToKey.pod (+1/-1)
doc/crypto/EVP_EncryptInit.pod (+1/-1)
doc/crypto/EVP_PKEY_cmp.pod (+1/-1)
doc/crypto/X509_STORE_CTX_get_error.pod (+2/-0)
doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+1/-1)
doc/crypto/pem.pod (+1/-1)
doc/ssl/SSL_CTX_set_client_CA_list.pod (+4/-0)
doc/ssl/SSL_CTX_set_verify.pod (+2/-2)
doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+8/-0)
doc/ssl/SSL_accept.pod (+8/-0)
doc/ssl/SSL_connect.pod (+11/-11)
doc/ssl/SSL_do_handshake.pod (+8/-0)
doc/ssl/SSL_shutdown.pod (+8/-0)
doc/ssl/ssl.pod (+1/-1)
engines/ccgost/gost_crypt.c (+2/-1)
engines/ccgost/openssl.ld (+10/-0)
engines/e_capi_err.h (+4/-0)
engines/makeengines.com (+215/-111)
engines/openssl.ld (+3/-0)
install.com (+127/-92)
makevms.com (+274/-152)
ms/uplink.c (+2/-1)
openssl.spec (+1/-1)
ssl/bio_ssl.c (+4/-0)
ssl/d1_both.c (+10/-18)
ssl/d1_clnt.c (+4/-2)
ssl/d1_lib.c (+57/-8)
ssl/d1_pkt.c (+11/-9)
ssl/d1_srvr.c (+19/-7)
ssl/install-ssl.com (+136/-0)
ssl/install.com (+0/-90)
ssl/s3_clnt.c (+2/-0)
ssl/s3_lib.c (+6/-0)
ssl/s3_pkt.c (+4/-2)
ssl/s3_srvr.c (+16/-7)
ssl/ssl-lib.com (+213/-115)
ssl/ssl_lib.c (+13/-19)
test/bntest.com (+7/-0)
test/clean_test.com (+35/-0)
test/cms-test.pl (+2/-2)
test/maketests.com (+210/-111)
test/tcrl.com (+10/-7)
test/testca.com (+5/-3)
test/testenc.com (+8/-5)
test/testgen.com (+13/-9)
test/tests.com (+65/-38)
test/testss.com (+10/-7)
test/testssl.com (+12/-8)
test/testtsa.com (+38/-35)
test/tpkcs7.com (+10/-7)
test/tpkcs7d.com (+10/-7)
test/treq.com (+10/-7)
test/trsa.com (+8/-5)
test/tsid.com (+10/-7)
test/tverify.com (+6/-4)
test/tx509.com (+10/-7)
tools/c_rehash.in (+44/-28)
util/libeay.num (+6/-1)
util/mkdef.pl (+2/-0)
util/mkerr.pl (+1/-1)
To merge this branch: bzr merge lp:~sbeattie/ubuntu/oneiric/openssl/lp850608
Reviewer Review Type Date Requested Status
Marc Deslauriers Approve
Ubuntu branches Pending
Review via email: mp+75477@code.launchpad.net

Description of the change

This branch merges openssl-1.0.0e-2 from Debian unstable to fix security issues. Both the debian changes from 1.0.0d-2 and the upstream release 1.0.0e are bugfix only releases. This merge also includes an added fix for LP: #244250 (reduce spurious reboot warnings on desktop installs) by checking for a running X server to determine whether or not to issue the reboot notification.

To post a comment you must log in.
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Looks good. Uploaded.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file '.pc/Bsymbolic-functions.patch/Configure'
2--- .pc/Bsymbolic-functions.patch/Configure 2011-05-01 23:51:53 +0000
3+++ .pc/Bsymbolic-functions.patch/Configure 2011-09-15 05:17:15 +0000
4@@ -362,6 +362,7 @@
5 "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
6 "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
7 "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
8+"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
9 "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
10 "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
11 "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
12@@ -370,7 +371,7 @@
13 "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
14 "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
15 "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
16-"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
17+"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
18
19 ####
20 #### Variety of LINUX:-)
21
22=== modified file '.pc/aesni.patch/Configure'
23--- .pc/aesni.patch/Configure 2011-05-01 23:51:53 +0000
24+++ .pc/aesni.patch/Configure 2011-09-15 05:17:15 +0000
25@@ -362,6 +362,7 @@
26 "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
27 "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
28 "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
29+"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
30 "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
31 "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
32 "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
33@@ -370,7 +371,7 @@
34 "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
35 "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
36 "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
37-"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
38+"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
39
40 ####
41 #### Variety of LINUX:-)
42
43=== modified file '.pc/aesni.patch/util/libeay.num'
44--- .pc/aesni.patch/util/libeay.num 2011-05-01 23:51:53 +0000
45+++ .pc/aesni.patch/util/libeay.num 2011-09-15 05:17:15 +0000
46@@ -4189,3 +4189,8 @@
47 CRYPTO_cbc128_decrypt 4561 EXIST::FUNCTION:
48 CRYPTO_cfb128_encrypt 4562 EXIST::FUNCTION:
49 CRYPTO_cfb128_8_encrypt 4563 EXIST::FUNCTION:
50+OPENSSL_strcasecmp 4564 EXIST::FUNCTION:
51+OPENSSL_memcmp 4565 EXIST::FUNCTION:
52+OPENSSL_strncasecmp 4566 EXIST::FUNCTION:
53+OPENSSL_gmtime 4567 EXIST::FUNCTION:
54+OPENSSL_gmtime_adj 4568 EXIST::FUNCTION:
55
56=== modified file '.pc/applied-patches'
57--- .pc/applied-patches 2011-05-01 23:51:53 +0000
58+++ .pc/applied-patches 2011-09-15 05:17:15 +0000
59@@ -18,6 +18,18 @@
60 version-script.patch
61 gnu_source.patch
62 c_rehash-compat.patch
63+libdoc-manpgs-pod-spell.patch
64+libssl-misspell.patch
65+openssl-pod-misspell.patch
66+pod_req_misspell2.patch
67+pod_pksc12.misspell.patch
68+pod_s_server.misspell.patch
69+pod_x509setflags.misspell.patch
70+pod_ec.misspell.patch
71+pkcs12-doc.patch
72+dgst_hmac.patch
73+block_diginotar.patch
74+c_rehash-multi.patch
75 aesni.patch
76 perlpath-quilt.patch
77 Bsymbolic-functions.patch
78
79=== added directory '.pc/block_diginotar.patch'
80=== added directory '.pc/block_diginotar.patch/crypto'
81=== added directory '.pc/block_diginotar.patch/crypto/x509'
82=== added file '.pc/block_diginotar.patch/crypto/x509/x509_vfy.c'
83--- .pc/block_diginotar.patch/crypto/x509/x509_vfy.c 1970-01-01 00:00:00 +0000
84+++ .pc/block_diginotar.patch/crypto/x509/x509_vfy.c 2011-09-15 05:17:15 +0000
85@@ -0,0 +1,2219 @@
86+/* crypto/x509/x509_vfy.c */
87+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
88+ * All rights reserved.
89+ *
90+ * This package is an SSL implementation written
91+ * by Eric Young (eay@cryptsoft.com).
92+ * The implementation was written so as to conform with Netscapes SSL.
93+ *
94+ * This library is free for commercial and non-commercial use as long as
95+ * the following conditions are aheared to. The following conditions
96+ * apply to all code found in this distribution, be it the RC4, RSA,
97+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
98+ * included with this distribution is covered by the same copyright terms
99+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
100+ *
101+ * Copyright remains Eric Young's, and as such any Copyright notices in
102+ * the code are not to be removed.
103+ * If this package is used in a product, Eric Young should be given attribution
104+ * as the author of the parts of the library used.
105+ * This can be in the form of a textual message at program startup or
106+ * in documentation (online or textual) provided with the package.
107+ *
108+ * Redistribution and use in source and binary forms, with or without
109+ * modification, are permitted provided that the following conditions
110+ * are met:
111+ * 1. Redistributions of source code must retain the copyright
112+ * notice, this list of conditions and the following disclaimer.
113+ * 2. Redistributions in binary form must reproduce the above copyright
114+ * notice, this list of conditions and the following disclaimer in the
115+ * documentation and/or other materials provided with the distribution.
116+ * 3. All advertising materials mentioning features or use of this software
117+ * must display the following acknowledgement:
118+ * "This product includes cryptographic software written by
119+ * Eric Young (eay@cryptsoft.com)"
120+ * The word 'cryptographic' can be left out if the rouines from the library
121+ * being used are not cryptographic related :-).
122+ * 4. If you include any Windows specific code (or a derivative thereof) from
123+ * the apps directory (application code) you must include an acknowledgement:
124+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
125+ *
126+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
127+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
128+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
129+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
130+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
131+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
132+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
133+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
134+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
135+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
136+ * SUCH DAMAGE.
137+ *
138+ * The licence and distribution terms for any publically available version or
139+ * derivative of this code cannot be changed. i.e. this code cannot simply be
140+ * copied and put under another distribution licence
141+ * [including the GNU Public Licence.]
142+ */
143+
144+#include <stdio.h>
145+#include <time.h>
146+#include <errno.h>
147+
148+#include "cryptlib.h"
149+#include <openssl/crypto.h>
150+#include <openssl/lhash.h>
151+#include <openssl/buffer.h>
152+#include <openssl/evp.h>
153+#include <openssl/asn1.h>
154+#include <openssl/x509.h>
155+#include <openssl/x509v3.h>
156+#include <openssl/objects.h>
157+
158+/* CRL score values */
159+
160+/* No unhandled critical extensions */
161+
162+#define CRL_SCORE_NOCRITICAL 0x100
163+
164+/* certificate is within CRL scope */
165+
166+#define CRL_SCORE_SCOPE 0x080
167+
168+/* CRL times valid */
169+
170+#define CRL_SCORE_TIME 0x040
171+
172+/* Issuer name matches certificate */
173+
174+#define CRL_SCORE_ISSUER_NAME 0x020
175+
176+/* If this score or above CRL is probably valid */
177+
178+#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
179+
180+/* CRL issuer is certificate issuer */
181+
182+#define CRL_SCORE_ISSUER_CERT 0x018
183+
184+/* CRL issuer is on certificate path */
185+
186+#define CRL_SCORE_SAME_PATH 0x008
187+
188+/* CRL issuer matches CRL AKID */
189+
190+#define CRL_SCORE_AKID 0x004
191+
192+/* Have a delta CRL with valid times */
193+
194+#define CRL_SCORE_TIME_DELTA 0x002
195+
196+static int null_callback(int ok,X509_STORE_CTX *e);
197+static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
198+static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
199+static int check_chain_extensions(X509_STORE_CTX *ctx);
200+static int check_name_constraints(X509_STORE_CTX *ctx);
201+static int check_trust(X509_STORE_CTX *ctx);
202+static int check_revocation(X509_STORE_CTX *ctx);
203+static int check_cert(X509_STORE_CTX *ctx);
204+static int check_policy(X509_STORE_CTX *ctx);
205+
206+static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
207+ unsigned int *preasons,
208+ X509_CRL *crl, X509 *x);
209+static int get_crl_delta(X509_STORE_CTX *ctx,
210+ X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
211+static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
212+ X509_CRL *base, STACK_OF(X509_CRL) *crls);
213+static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
214+ X509 **pissuer, int *pcrl_score);
215+static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
216+ unsigned int *preasons);
217+static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
218+static int check_crl_chain(X509_STORE_CTX *ctx,
219+ STACK_OF(X509) *cert_path,
220+ STACK_OF(X509) *crl_path);
221+
222+static int internal_verify(X509_STORE_CTX *ctx);
223+const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
224+
225+
226+static int null_callback(int ok, X509_STORE_CTX *e)
227+ {
228+ return ok;
229+ }
230+
231+#if 0
232+static int x509_subject_cmp(X509 **a, X509 **b)
233+ {
234+ return X509_subject_name_cmp(*a,*b);
235+ }
236+#endif
237+
238+int X509_verify_cert(X509_STORE_CTX *ctx)
239+ {
240+ X509 *x,*xtmp,*chain_ss=NULL;
241+ X509_NAME *xn;
242+ int bad_chain = 0;
243+ X509_VERIFY_PARAM *param = ctx->param;
244+ int depth,i,ok=0;
245+ int num;
246+ int (*cb)(int xok,X509_STORE_CTX *xctx);
247+ STACK_OF(X509) *sktmp=NULL;
248+ if (ctx->cert == NULL)
249+ {
250+ X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
251+ return -1;
252+ }
253+
254+ cb=ctx->verify_cb;
255+
256+ /* first we make sure the chain we are going to build is
257+ * present and that the first entry is in place */
258+ if (ctx->chain == NULL)
259+ {
260+ if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
261+ (!sk_X509_push(ctx->chain,ctx->cert)))
262+ {
263+ X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
264+ goto end;
265+ }
266+ CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
267+ ctx->last_untrusted=1;
268+ }
269+
270+ /* We use a temporary STACK so we can chop and hack at it */
271+ if (ctx->untrusted != NULL
272+ && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
273+ {
274+ X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
275+ goto end;
276+ }
277+
278+ num=sk_X509_num(ctx->chain);
279+ x=sk_X509_value(ctx->chain,num-1);
280+ depth=param->depth;
281+
282+
283+ for (;;)
284+ {
285+ /* If we have enough, we break */
286+ if (depth < num) break; /* FIXME: If this happens, we should take
287+ * note of it and, if appropriate, use the
288+ * X509_V_ERR_CERT_CHAIN_TOO_LONG error
289+ * code later.
290+ */
291+
292+ /* If we are self signed, we break */
293+ xn=X509_get_issuer_name(x);
294+ if (ctx->check_issued(ctx, x,x)) break;
295+
296+ /* If we were passed a cert chain, use it first */
297+ if (ctx->untrusted != NULL)
298+ {
299+ xtmp=find_issuer(ctx, sktmp,x);
300+ if (xtmp != NULL)
301+ {
302+ if (!sk_X509_push(ctx->chain,xtmp))
303+ {
304+ X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
305+ goto end;
306+ }
307+ CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
308+ (void)sk_X509_delete_ptr(sktmp,xtmp);
309+ ctx->last_untrusted++;
310+ x=xtmp;
311+ num++;
312+ /* reparse the full chain for
313+ * the next one */
314+ continue;
315+ }
316+ }
317+ break;
318+ }
319+
320+ /* at this point, chain should contain a list of untrusted
321+ * certificates. We now need to add at least one trusted one,
322+ * if possible, otherwise we complain. */
323+
324+ /* Examine last certificate in chain and see if it
325+ * is self signed.
326+ */
327+
328+ i=sk_X509_num(ctx->chain);
329+ x=sk_X509_value(ctx->chain,i-1);
330+ xn = X509_get_subject_name(x);
331+ if (ctx->check_issued(ctx, x, x))
332+ {
333+ /* we have a self signed certificate */
334+ if (sk_X509_num(ctx->chain) == 1)
335+ {
336+ /* We have a single self signed certificate: see if
337+ * we can find it in the store. We must have an exact
338+ * match to avoid possible impersonation.
339+ */
340+ ok = ctx->get_issuer(&xtmp, ctx, x);
341+ if ((ok <= 0) || X509_cmp(x, xtmp))
342+ {
343+ ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
344+ ctx->current_cert=x;
345+ ctx->error_depth=i-1;
346+ if (ok == 1) X509_free(xtmp);
347+ bad_chain = 1;
348+ ok=cb(0,ctx);
349+ if (!ok) goto end;
350+ }
351+ else
352+ {
353+ /* We have a match: replace certificate with store version
354+ * so we get any trust settings.
355+ */
356+ X509_free(x);
357+ x = xtmp;
358+ (void)sk_X509_set(ctx->chain, i - 1, x);
359+ ctx->last_untrusted=0;
360+ }
361+ }
362+ else
363+ {
364+ /* extract and save self signed certificate for later use */
365+ chain_ss=sk_X509_pop(ctx->chain);
366+ ctx->last_untrusted--;
367+ num--;
368+ x=sk_X509_value(ctx->chain,num-1);
369+ }
370+ }
371+
372+ /* We now lookup certs from the certificate store */
373+ for (;;)
374+ {
375+ /* If we have enough, we break */
376+ if (depth < num) break;
377+
378+ /* If we are self signed, we break */
379+ xn=X509_get_issuer_name(x);
380+ if (ctx->check_issued(ctx,x,x)) break;
381+
382+ ok = ctx->get_issuer(&xtmp, ctx, x);
383+
384+ if (ok < 0) return ok;
385+ if (ok == 0) break;
386+
387+ x = xtmp;
388+ if (!sk_X509_push(ctx->chain,x))
389+ {
390+ X509_free(xtmp);
391+ X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
392+ return 0;
393+ }
394+ num++;
395+ }
396+
397+ /* we now have our chain, lets check it... */
398+ xn=X509_get_issuer_name(x);
399+
400+ /* Is last certificate looked up self signed? */
401+ if (!ctx->check_issued(ctx,x,x))
402+ {
403+ if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
404+ {
405+ if (ctx->last_untrusted >= num)
406+ ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
407+ else
408+ ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
409+ ctx->current_cert=x;
410+ }
411+ else
412+ {
413+
414+ sk_X509_push(ctx->chain,chain_ss);
415+ num++;
416+ ctx->last_untrusted=num;
417+ ctx->current_cert=chain_ss;
418+ ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
419+ chain_ss=NULL;
420+ }
421+
422+ ctx->error_depth=num-1;
423+ bad_chain = 1;
424+ ok=cb(0,ctx);
425+ if (!ok) goto end;
426+ }
427+
428+ /* We have the chain complete: now we need to check its purpose */
429+ ok = check_chain_extensions(ctx);
430+
431+ if (!ok) goto end;
432+
433+ /* Check name constraints */
434+
435+ ok = check_name_constraints(ctx);
436+
437+ if (!ok) goto end;
438+
439+ /* The chain extensions are OK: check trust */
440+
441+ if (param->trust > 0) ok = check_trust(ctx);
442+
443+ if (!ok) goto end;
444+
445+ /* We may as well copy down any DSA parameters that are required */
446+ X509_get_pubkey_parameters(NULL,ctx->chain);
447+
448+ /* Check revocation status: we do this after copying parameters
449+ * because they may be needed for CRL signature verification.
450+ */
451+
452+ ok = ctx->check_revocation(ctx);
453+ if(!ok) goto end;
454+
455+ /* At this point, we have a chain and need to verify it */
456+ if (ctx->verify != NULL)
457+ ok=ctx->verify(ctx);
458+ else
459+ ok=internal_verify(ctx);
460+ if(!ok) goto end;
461+
462+#ifndef OPENSSL_NO_RFC3779
463+ /* RFC 3779 path validation, now that CRL check has been done */
464+ ok = v3_asid_validate_path(ctx);
465+ if (!ok) goto end;
466+ ok = v3_addr_validate_path(ctx);
467+ if (!ok) goto end;
468+#endif
469+
470+ /* If we get this far evaluate policies */
471+ if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
472+ ok = ctx->check_policy(ctx);
473+ if(!ok) goto end;
474+ if (0)
475+ {
476+end:
477+ X509_get_pubkey_parameters(NULL,ctx->chain);
478+ }
479+ if (sktmp != NULL) sk_X509_free(sktmp);
480+ if (chain_ss != NULL) X509_free(chain_ss);
481+ return ok;
482+ }
483+
484+
485+/* Given a STACK_OF(X509) find the issuer of cert (if any)
486+ */
487+
488+static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
489+{
490+ int i;
491+ X509 *issuer;
492+ for (i = 0; i < sk_X509_num(sk); i++)
493+ {
494+ issuer = sk_X509_value(sk, i);
495+ if (ctx->check_issued(ctx, x, issuer))
496+ return issuer;
497+ }
498+ return NULL;
499+}
500+
501+/* Given a possible certificate and issuer check them */
502+
503+static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
504+{
505+ int ret;
506+ ret = X509_check_issued(issuer, x);
507+ if (ret == X509_V_OK)
508+ return 1;
509+ /* If we haven't asked for issuer errors don't set ctx */
510+ if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
511+ return 0;
512+
513+ ctx->error = ret;
514+ ctx->current_cert = x;
515+ ctx->current_issuer = issuer;
516+ return ctx->verify_cb(0, ctx);
517+ return 0;
518+}
519+
520+/* Alternative lookup method: look from a STACK stored in other_ctx */
521+
522+static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
523+{
524+ *issuer = find_issuer(ctx, ctx->other_ctx, x);
525+ if (*issuer)
526+ {
527+ CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
528+ return 1;
529+ }
530+ else
531+ return 0;
532+}
533+
534+
535+/* Check a certificate chains extensions for consistency
536+ * with the supplied purpose
537+ */
538+
539+static int check_chain_extensions(X509_STORE_CTX *ctx)
540+{
541+#ifdef OPENSSL_NO_CHAIN_VERIFY
542+ return 1;
543+#else
544+ int i, ok=0, must_be_ca, plen = 0;
545+ X509 *x;
546+ int (*cb)(int xok,X509_STORE_CTX *xctx);
547+ int proxy_path_length = 0;
548+ int purpose;
549+ int allow_proxy_certs;
550+ cb=ctx->verify_cb;
551+
552+ /* must_be_ca can have 1 of 3 values:
553+ -1: we accept both CA and non-CA certificates, to allow direct
554+ use of self-signed certificates (which are marked as CA).
555+ 0: we only accept non-CA certificates. This is currently not
556+ used, but the possibility is present for future extensions.
557+ 1: we only accept CA certificates. This is currently used for
558+ all certificates in the chain except the leaf certificate.
559+ */
560+ must_be_ca = -1;
561+
562+ /* CRL path validation */
563+ if (ctx->parent)
564+ {
565+ allow_proxy_certs = 0;
566+ purpose = X509_PURPOSE_CRL_SIGN;
567+ }
568+ else
569+ {
570+ allow_proxy_certs =
571+ !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
572+ /* A hack to keep people who don't want to modify their
573+ software happy */
574+ if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
575+ allow_proxy_certs = 1;
576+ purpose = ctx->param->purpose;
577+ }
578+
579+ /* Check all untrusted certificates */
580+ for (i = 0; i < ctx->last_untrusted; i++)
581+ {
582+ int ret;
583+ x = sk_X509_value(ctx->chain, i);
584+ if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
585+ && (x->ex_flags & EXFLAG_CRITICAL))
586+ {
587+ ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
588+ ctx->error_depth = i;
589+ ctx->current_cert = x;
590+ ok=cb(0,ctx);
591+ if (!ok) goto end;
592+ }
593+ if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
594+ {
595+ ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
596+ ctx->error_depth = i;
597+ ctx->current_cert = x;
598+ ok=cb(0,ctx);
599+ if (!ok) goto end;
600+ }
601+ ret = X509_check_ca(x);
602+ switch(must_be_ca)
603+ {
604+ case -1:
605+ if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
606+ && (ret != 1) && (ret != 0))
607+ {
608+ ret = 0;
609+ ctx->error = X509_V_ERR_INVALID_CA;
610+ }
611+ else
612+ ret = 1;
613+ break;
614+ case 0:
615+ if (ret != 0)
616+ {
617+ ret = 0;
618+ ctx->error = X509_V_ERR_INVALID_NON_CA;
619+ }
620+ else
621+ ret = 1;
622+ break;
623+ default:
624+ if ((ret == 0)
625+ || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
626+ && (ret != 1)))
627+ {
628+ ret = 0;
629+ ctx->error = X509_V_ERR_INVALID_CA;
630+ }
631+ else
632+ ret = 1;
633+ break;
634+ }
635+ if (ret == 0)
636+ {
637+ ctx->error_depth = i;
638+ ctx->current_cert = x;
639+ ok=cb(0,ctx);
640+ if (!ok) goto end;
641+ }
642+ if (ctx->param->purpose > 0)
643+ {
644+ ret = X509_check_purpose(x, purpose, must_be_ca > 0);
645+ if ((ret == 0)
646+ || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
647+ && (ret != 1)))
648+ {
649+ ctx->error = X509_V_ERR_INVALID_PURPOSE;
650+ ctx->error_depth = i;
651+ ctx->current_cert = x;
652+ ok=cb(0,ctx);
653+ if (!ok) goto end;
654+ }
655+ }
656+ /* Check pathlen if not self issued */
657+ if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
658+ && (x->ex_pathlen != -1)
659+ && (plen > (x->ex_pathlen + proxy_path_length + 1)))
660+ {
661+ ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
662+ ctx->error_depth = i;
663+ ctx->current_cert = x;
664+ ok=cb(0,ctx);
665+ if (!ok) goto end;
666+ }
667+ /* Increment path length if not self issued */
668+ if (!(x->ex_flags & EXFLAG_SI))
669+ plen++;
670+ /* If this certificate is a proxy certificate, the next
671+ certificate must be another proxy certificate or a EE
672+ certificate. If not, the next certificate must be a
673+ CA certificate. */
674+ if (x->ex_flags & EXFLAG_PROXY)
675+ {
676+ if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
677+ {
678+ ctx->error =
679+ X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
680+ ctx->error_depth = i;
681+ ctx->current_cert = x;
682+ ok=cb(0,ctx);
683+ if (!ok) goto end;
684+ }
685+ proxy_path_length++;
686+ must_be_ca = 0;
687+ }
688+ else
689+ must_be_ca = 1;
690+ }
691+ ok = 1;
692+ end:
693+ return ok;
694+#endif
695+}
696+
697+static int check_name_constraints(X509_STORE_CTX *ctx)
698+ {
699+ X509 *x;
700+ int i, j, rv;
701+ /* Check name constraints for all certificates */
702+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
703+ {
704+ x = sk_X509_value(ctx->chain, i);
705+ /* Ignore self issued certs unless last in chain */
706+ if (i && (x->ex_flags & EXFLAG_SI))
707+ continue;
708+ /* Check against constraints for all certificates higher in
709+ * chain including trust anchor. Trust anchor not strictly
710+ * speaking needed but if it includes constraints it is to be
711+ * assumed it expects them to be obeyed.
712+ */
713+ for (j = sk_X509_num(ctx->chain) - 1; j > i; j--)
714+ {
715+ NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
716+ if (nc)
717+ {
718+ rv = NAME_CONSTRAINTS_check(x, nc);
719+ if (rv != X509_V_OK)
720+ {
721+ ctx->error = rv;
722+ ctx->error_depth = i;
723+ ctx->current_cert = x;
724+ if (!ctx->verify_cb(0,ctx))
725+ return 0;
726+ }
727+ }
728+ }
729+ }
730+ return 1;
731+ }
732+
733+static int check_trust(X509_STORE_CTX *ctx)
734+{
735+#ifdef OPENSSL_NO_CHAIN_VERIFY
736+ return 1;
737+#else
738+ int i, ok;
739+ X509 *x;
740+ int (*cb)(int xok,X509_STORE_CTX *xctx);
741+ cb=ctx->verify_cb;
742+/* For now just check the last certificate in the chain */
743+ i = sk_X509_num(ctx->chain) - 1;
744+ x = sk_X509_value(ctx->chain, i);
745+ ok = X509_check_trust(x, ctx->param->trust, 0);
746+ if (ok == X509_TRUST_TRUSTED)
747+ return 1;
748+ ctx->error_depth = i;
749+ ctx->current_cert = x;
750+ if (ok == X509_TRUST_REJECTED)
751+ ctx->error = X509_V_ERR_CERT_REJECTED;
752+ else
753+ ctx->error = X509_V_ERR_CERT_UNTRUSTED;
754+ ok = cb(0, ctx);
755+ return ok;
756+#endif
757+}
758+
759+static int check_revocation(X509_STORE_CTX *ctx)
760+ {
761+ int i, last, ok;
762+ if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
763+ return 1;
764+ if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
765+ last = sk_X509_num(ctx->chain) - 1;
766+ else
767+ {
768+ /* If checking CRL paths this isn't the EE certificate */
769+ if (ctx->parent)
770+ return 1;
771+ last = 0;
772+ }
773+ for(i = 0; i <= last; i++)
774+ {
775+ ctx->error_depth = i;
776+ ok = check_cert(ctx);
777+ if (!ok) return ok;
778+ }
779+ return 1;
780+ }
781+
782+static int check_cert(X509_STORE_CTX *ctx)
783+ {
784+ X509_CRL *crl = NULL, *dcrl = NULL;
785+ X509 *x;
786+ int ok, cnum;
787+ cnum = ctx->error_depth;
788+ x = sk_X509_value(ctx->chain, cnum);
789+ ctx->current_cert = x;
790+ ctx->current_issuer = NULL;
791+ ctx->current_crl_score = 0;
792+ ctx->current_reasons = 0;
793+ while (ctx->current_reasons != CRLDP_ALL_REASONS)
794+ {
795+ /* Try to retrieve relevant CRL */
796+ if (ctx->get_crl)
797+ ok = ctx->get_crl(ctx, &crl, x);
798+ else
799+ ok = get_crl_delta(ctx, &crl, &dcrl, x);
800+ /* If error looking up CRL, nothing we can do except
801+ * notify callback
802+ */
803+ if(!ok)
804+ {
805+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
806+ ok = ctx->verify_cb(0, ctx);
807+ goto err;
808+ }
809+ ctx->current_crl = crl;
810+ ok = ctx->check_crl(ctx, crl);
811+ if (!ok)
812+ goto err;
813+
814+ if (dcrl)
815+ {
816+ ok = ctx->check_crl(ctx, dcrl);
817+ if (!ok)
818+ goto err;
819+ ok = ctx->cert_crl(ctx, dcrl, x);
820+ if (!ok)
821+ goto err;
822+ }
823+ else
824+ ok = 1;
825+
826+ /* Don't look in full CRL if delta reason is removefromCRL */
827+ if (ok != 2)
828+ {
829+ ok = ctx->cert_crl(ctx, crl, x);
830+ if (!ok)
831+ goto err;
832+ }
833+
834+ X509_CRL_free(crl);
835+ X509_CRL_free(dcrl);
836+ crl = NULL;
837+ dcrl = NULL;
838+ }
839+ err:
840+ X509_CRL_free(crl);
841+ X509_CRL_free(dcrl);
842+
843+ ctx->current_crl = NULL;
844+ return ok;
845+
846+ }
847+
848+/* Check CRL times against values in X509_STORE_CTX */
849+
850+static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
851+ {
852+ time_t *ptime;
853+ int i;
854+ if (notify)
855+ ctx->current_crl = crl;
856+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
857+ ptime = &ctx->param->check_time;
858+ else
859+ ptime = NULL;
860+
861+ i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
862+ if (i == 0)
863+ {
864+ if (!notify)
865+ return 0;
866+ ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
867+ if (!ctx->verify_cb(0, ctx))
868+ return 0;
869+ }
870+
871+ if (i > 0)
872+ {
873+ if (!notify)
874+ return 0;
875+ ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
876+ if (!ctx->verify_cb(0, ctx))
877+ return 0;
878+ }
879+
880+ if(X509_CRL_get_nextUpdate(crl))
881+ {
882+ i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
883+
884+ if (i == 0)
885+ {
886+ if (!notify)
887+ return 0;
888+ ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
889+ if (!ctx->verify_cb(0, ctx))
890+ return 0;
891+ }
892+ /* Ignore expiry of base CRL is delta is valid */
893+ if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
894+ {
895+ if (!notify)
896+ return 0;
897+ ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
898+ if (!ctx->verify_cb(0, ctx))
899+ return 0;
900+ }
901+ }
902+
903+ if (notify)
904+ ctx->current_crl = NULL;
905+
906+ return 1;
907+ }
908+
909+static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
910+ X509 **pissuer, int *pscore, unsigned int *preasons,
911+ STACK_OF(X509_CRL) *crls)
912+ {
913+ int i, crl_score, best_score = *pscore;
914+ unsigned int reasons, best_reasons = 0;
915+ X509 *x = ctx->current_cert;
916+ X509_CRL *crl, *best_crl = NULL;
917+ X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
918+
919+ for (i = 0; i < sk_X509_CRL_num(crls); i++)
920+ {
921+ crl = sk_X509_CRL_value(crls, i);
922+ reasons = *preasons;
923+ crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
924+
925+ if (crl_score > best_score)
926+ {
927+ best_crl = crl;
928+ best_crl_issuer = crl_issuer;
929+ best_score = crl_score;
930+ best_reasons = reasons;
931+ }
932+ }
933+
934+ if (best_crl)
935+ {
936+ if (*pcrl)
937+ X509_CRL_free(*pcrl);
938+ *pcrl = best_crl;
939+ *pissuer = best_crl_issuer;
940+ *pscore = best_score;
941+ *preasons = best_reasons;
942+ CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
943+ if (*pdcrl)
944+ {
945+ X509_CRL_free(*pdcrl);
946+ *pdcrl = NULL;
947+ }
948+ get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
949+ }
950+
951+ if (best_score >= CRL_SCORE_VALID)
952+ return 1;
953+
954+ return 0;
955+ }
956+
957+/* Compare two CRL extensions for delta checking purposes. They should be
958+ * both present or both absent. If both present all fields must be identical.
959+ */
960+
961+static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
962+ {
963+ ASN1_OCTET_STRING *exta, *extb;
964+ int i;
965+ i = X509_CRL_get_ext_by_NID(a, nid, 0);
966+ if (i >= 0)
967+ {
968+ /* Can't have multiple occurrences */
969+ if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
970+ return 0;
971+ exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
972+ }
973+ else
974+ exta = NULL;
975+
976+ i = X509_CRL_get_ext_by_NID(b, nid, 0);
977+
978+ if (i >= 0)
979+ {
980+
981+ if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
982+ return 0;
983+ extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
984+ }
985+ else
986+ extb = NULL;
987+
988+ if (!exta && !extb)
989+ return 1;
990+
991+ if (!exta || !extb)
992+ return 0;
993+
994+
995+ if (ASN1_OCTET_STRING_cmp(exta, extb))
996+ return 0;
997+
998+ return 1;
999+ }
1000+
1001+/* See if a base and delta are compatible */
1002+
1003+static int check_delta_base(X509_CRL *delta, X509_CRL *base)
1004+ {
1005+ /* Delta CRL must be a delta */
1006+ if (!delta->base_crl_number)
1007+ return 0;
1008+ /* Base must have a CRL number */
1009+ if (!base->crl_number)
1010+ return 0;
1011+ /* Issuer names must match */
1012+ if (X509_NAME_cmp(X509_CRL_get_issuer(base),
1013+ X509_CRL_get_issuer(delta)))
1014+ return 0;
1015+ /* AKID and IDP must match */
1016+ if (!crl_extension_match(delta, base, NID_authority_key_identifier))
1017+ return 0;
1018+ if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
1019+ return 0;
1020+ /* Delta CRL base number must not exceed Full CRL number. */
1021+ if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
1022+ return 0;
1023+ /* Delta CRL number must exceed full CRL number */
1024+ if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
1025+ return 1;
1026+ return 0;
1027+ }
1028+
1029+/* For a given base CRL find a delta... maybe extend to delta scoring
1030+ * or retrieve a chain of deltas...
1031+ */
1032+
1033+static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
1034+ X509_CRL *base, STACK_OF(X509_CRL) *crls)
1035+ {
1036+ X509_CRL *delta;
1037+ int i;
1038+ if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
1039+ return;
1040+ if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
1041+ return;
1042+ for (i = 0; i < sk_X509_CRL_num(crls); i++)
1043+ {
1044+ delta = sk_X509_CRL_value(crls, i);
1045+ if (check_delta_base(delta, base))
1046+ {
1047+ if (check_crl_time(ctx, delta, 0))
1048+ *pscore |= CRL_SCORE_TIME_DELTA;
1049+ CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
1050+ *dcrl = delta;
1051+ return;
1052+ }
1053+ }
1054+ *dcrl = NULL;
1055+ }
1056+
1057+/* For a given CRL return how suitable it is for the supplied certificate 'x'.
1058+ * The return value is a mask of several criteria.
1059+ * If the issuer is not the certificate issuer this is returned in *pissuer.
1060+ * The reasons mask is also used to determine if the CRL is suitable: if
1061+ * no new reasons the CRL is rejected, otherwise reasons is updated.
1062+ */
1063+
1064+static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
1065+ unsigned int *preasons,
1066+ X509_CRL *crl, X509 *x)
1067+ {
1068+
1069+ int crl_score = 0;
1070+ unsigned int tmp_reasons = *preasons, crl_reasons;
1071+
1072+ /* First see if we can reject CRL straight away */
1073+
1074+ /* Invalid IDP cannot be processed */
1075+ if (crl->idp_flags & IDP_INVALID)
1076+ return 0;
1077+ /* Reason codes or indirect CRLs need extended CRL support */
1078+ if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1079+ {
1080+ if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
1081+ return 0;
1082+ }
1083+ else if (crl->idp_flags & IDP_REASONS)
1084+ {
1085+ /* If no new reasons reject */
1086+ if (!(crl->idp_reasons & ~tmp_reasons))
1087+ return 0;
1088+ }
1089+ /* Don't process deltas at this stage */
1090+ else if (crl->base_crl_number)
1091+ return 0;
1092+ /* If issuer name doesn't match certificate need indirect CRL */
1093+ if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
1094+ {
1095+ if (!(crl->idp_flags & IDP_INDIRECT))
1096+ return 0;
1097+ }
1098+ else
1099+ crl_score |= CRL_SCORE_ISSUER_NAME;
1100+
1101+ if (!(crl->flags & EXFLAG_CRITICAL))
1102+ crl_score |= CRL_SCORE_NOCRITICAL;
1103+
1104+ /* Check expiry */
1105+ if (check_crl_time(ctx, crl, 0))
1106+ crl_score |= CRL_SCORE_TIME;
1107+
1108+ /* Check authority key ID and locate certificate issuer */
1109+ crl_akid_check(ctx, crl, pissuer, &crl_score);
1110+
1111+ /* If we can't locate certificate issuer at this point forget it */
1112+
1113+ if (!(crl_score & CRL_SCORE_AKID))
1114+ return 0;
1115+
1116+ /* Check cert for matching CRL distribution points */
1117+
1118+ if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
1119+ {
1120+ /* If no new reasons reject */
1121+ if (!(crl_reasons & ~tmp_reasons))
1122+ return 0;
1123+ tmp_reasons |= crl_reasons;
1124+ crl_score |= CRL_SCORE_SCOPE;
1125+ }
1126+
1127+ *preasons = tmp_reasons;
1128+
1129+ return crl_score;
1130+
1131+ }
1132+
1133+static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1134+ X509 **pissuer, int *pcrl_score)
1135+ {
1136+ X509 *crl_issuer = NULL;
1137+ X509_NAME *cnm = X509_CRL_get_issuer(crl);
1138+ int cidx = ctx->error_depth;
1139+ int i;
1140+
1141+ if (cidx != sk_X509_num(ctx->chain) - 1)
1142+ cidx++;
1143+
1144+ crl_issuer = sk_X509_value(ctx->chain, cidx);
1145+
1146+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1147+ {
1148+ if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
1149+ {
1150+ *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1151+ *pissuer = crl_issuer;
1152+ return;
1153+ }
1154+ }
1155+
1156+ for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
1157+ {
1158+ crl_issuer = sk_X509_value(ctx->chain, cidx);
1159+ if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1160+ continue;
1161+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1162+ {
1163+ *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1164+ *pissuer = crl_issuer;
1165+ return;
1166+ }
1167+ }
1168+
1169+ /* Anything else needs extended CRL support */
1170+
1171+ if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1172+ return;
1173+
1174+ /* Otherwise the CRL issuer is not on the path. Look for it in the
1175+ * set of untrusted certificates.
1176+ */
1177+ for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
1178+ {
1179+ crl_issuer = sk_X509_value(ctx->untrusted, i);
1180+ if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1181+ continue;
1182+ if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1183+ {
1184+ *pissuer = crl_issuer;
1185+ *pcrl_score |= CRL_SCORE_AKID;
1186+ return;
1187+ }
1188+ }
1189+ }
1190+
1191+/* Check the path of a CRL issuer certificate. This creates a new
1192+ * X509_STORE_CTX and populates it with most of the parameters from the
1193+ * parent. This could be optimised somewhat since a lot of path checking
1194+ * will be duplicated by the parent, but this will rarely be used in
1195+ * practice.
1196+ */
1197+
1198+static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1199+ {
1200+ X509_STORE_CTX crl_ctx;
1201+ int ret;
1202+ /* Don't allow recursive CRL path validation */
1203+ if (ctx->parent)
1204+ return 0;
1205+ if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1206+ return -1;
1207+
1208+ crl_ctx.crls = ctx->crls;
1209+ /* Copy verify params across */
1210+ X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1211+
1212+ crl_ctx.parent = ctx;
1213+ crl_ctx.verify_cb = ctx->verify_cb;
1214+
1215+ /* Verify CRL issuer */
1216+ ret = X509_verify_cert(&crl_ctx);
1217+
1218+ if (ret <= 0)
1219+ goto err;
1220+
1221+ /* Check chain is acceptable */
1222+
1223+ ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1224+ err:
1225+ X509_STORE_CTX_cleanup(&crl_ctx);
1226+ return ret;
1227+ }
1228+
1229+/* RFC3280 says nothing about the relationship between CRL path
1230+ * and certificate path, which could lead to situations where a
1231+ * certificate could be revoked or validated by a CA not authorised
1232+ * to do so. RFC5280 is more strict and states that the two paths must
1233+ * end in the same trust anchor, though some discussions remain...
1234+ * until this is resolved we use the RFC5280 version
1235+ */
1236+
1237+static int check_crl_chain(X509_STORE_CTX *ctx,
1238+ STACK_OF(X509) *cert_path,
1239+ STACK_OF(X509) *crl_path)
1240+ {
1241+ X509 *cert_ta, *crl_ta;
1242+ cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1243+ crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1244+ if (!X509_cmp(cert_ta, crl_ta))
1245+ return 1;
1246+ return 0;
1247+ }
1248+
1249+/* Check for match between two dist point names: three separate cases.
1250+ * 1. Both are relative names and compare X509_NAME types.
1251+ * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
1252+ * 3. Both are full names and compare two GENERAL_NAMES.
1253+ * 4. One is NULL: automatic match.
1254+ */
1255+
1256+
1257+static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1258+ {
1259+ X509_NAME *nm = NULL;
1260+ GENERAL_NAMES *gens = NULL;
1261+ GENERAL_NAME *gena, *genb;
1262+ int i, j;
1263+ if (!a || !b)
1264+ return 1;
1265+ if (a->type == 1)
1266+ {
1267+ if (!a->dpname)
1268+ return 0;
1269+ /* Case 1: two X509_NAME */
1270+ if (b->type == 1)
1271+ {
1272+ if (!b->dpname)
1273+ return 0;
1274+ if (!X509_NAME_cmp(a->dpname, b->dpname))
1275+ return 1;
1276+ else
1277+ return 0;
1278+ }
1279+ /* Case 2: set name and GENERAL_NAMES appropriately */
1280+ nm = a->dpname;
1281+ gens = b->name.fullname;
1282+ }
1283+ else if (b->type == 1)
1284+ {
1285+ if (!b->dpname)
1286+ return 0;
1287+ /* Case 2: set name and GENERAL_NAMES appropriately */
1288+ gens = a->name.fullname;
1289+ nm = b->dpname;
1290+ }
1291+
1292+ /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1293+ if (nm)
1294+ {
1295+ for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
1296+ {
1297+ gena = sk_GENERAL_NAME_value(gens, i);
1298+ if (gena->type != GEN_DIRNAME)
1299+ continue;
1300+ if (!X509_NAME_cmp(nm, gena->d.directoryName))
1301+ return 1;
1302+ }
1303+ return 0;
1304+ }
1305+
1306+ /* Else case 3: two GENERAL_NAMES */
1307+
1308+ for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++)
1309+ {
1310+ gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1311+ for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++)
1312+ {
1313+ genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1314+ if (!GENERAL_NAME_cmp(gena, genb))
1315+ return 1;
1316+ }
1317+ }
1318+
1319+ return 0;
1320+
1321+ }
1322+
1323+static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1324+ {
1325+ int i;
1326+ X509_NAME *nm = X509_CRL_get_issuer(crl);
1327+ /* If no CRLissuer return is successful iff don't need a match */
1328+ if (!dp->CRLissuer)
1329+ return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1330+ for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
1331+ {
1332+ GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1333+ if (gen->type != GEN_DIRNAME)
1334+ continue;
1335+ if (!X509_NAME_cmp(gen->d.directoryName, nm))
1336+ return 1;
1337+ }
1338+ return 0;
1339+ }
1340+
1341+/* Check CRLDP and IDP */
1342+
1343+static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1344+ unsigned int *preasons)
1345+ {
1346+ int i;
1347+ if (crl->idp_flags & IDP_ONLYATTR)
1348+ return 0;
1349+ if (x->ex_flags & EXFLAG_CA)
1350+ {
1351+ if (crl->idp_flags & IDP_ONLYUSER)
1352+ return 0;
1353+ }
1354+ else
1355+ {
1356+ if (crl->idp_flags & IDP_ONLYCA)
1357+ return 0;
1358+ }
1359+ *preasons = crl->idp_reasons;
1360+ for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
1361+ {
1362+ DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1363+ if (crldp_check_crlissuer(dp, crl, crl_score))
1364+ {
1365+ if (!crl->idp ||
1366+ idp_check_dp(dp->distpoint, crl->idp->distpoint))
1367+ {
1368+ *preasons &= dp->dp_reasons;
1369+ return 1;
1370+ }
1371+ }
1372+ }
1373+ if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1374+ return 1;
1375+ return 0;
1376+ }
1377+
1378+/* Retrieve CRL corresponding to current certificate.
1379+ * If deltas enabled try to find a delta CRL too
1380+ */
1381+
1382+static int get_crl_delta(X509_STORE_CTX *ctx,
1383+ X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1384+ {
1385+ int ok;
1386+ X509 *issuer = NULL;
1387+ int crl_score = 0;
1388+ unsigned int reasons;
1389+ X509_CRL *crl = NULL, *dcrl = NULL;
1390+ STACK_OF(X509_CRL) *skcrl;
1391+ X509_NAME *nm = X509_get_issuer_name(x);
1392+ reasons = ctx->current_reasons;
1393+ ok = get_crl_sk(ctx, &crl, &dcrl,
1394+ &issuer, &crl_score, &reasons, ctx->crls);
1395+
1396+ if (ok)
1397+ goto done;
1398+
1399+ /* Lookup CRLs from store */
1400+
1401+ skcrl = ctx->lookup_crls(ctx, nm);
1402+
1403+ /* If no CRLs found and a near match from get_crl_sk use that */
1404+ if (!skcrl && crl)
1405+ goto done;
1406+
1407+ get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1408+
1409+ sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1410+
1411+ done:
1412+
1413+ /* If we got any kind of CRL use it and return success */
1414+ if (crl)
1415+ {
1416+ ctx->current_issuer = issuer;
1417+ ctx->current_crl_score = crl_score;
1418+ ctx->current_reasons = reasons;
1419+ *pcrl = crl;
1420+ *pdcrl = dcrl;
1421+ return 1;
1422+ }
1423+
1424+ return 0;
1425+ }
1426+
1427+/* Check CRL validity */
1428+static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1429+ {
1430+ X509 *issuer = NULL;
1431+ EVP_PKEY *ikey = NULL;
1432+ int ok = 0, chnum, cnum;
1433+ cnum = ctx->error_depth;
1434+ chnum = sk_X509_num(ctx->chain) - 1;
1435+ /* if we have an alternative CRL issuer cert use that */
1436+ if (ctx->current_issuer)
1437+ issuer = ctx->current_issuer;
1438+
1439+ /* Else find CRL issuer: if not last certificate then issuer
1440+ * is next certificate in chain.
1441+ */
1442+ else if (cnum < chnum)
1443+ issuer = sk_X509_value(ctx->chain, cnum + 1);
1444+ else
1445+ {
1446+ issuer = sk_X509_value(ctx->chain, chnum);
1447+ /* If not self signed, can't check signature */
1448+ if(!ctx->check_issued(ctx, issuer, issuer))
1449+ {
1450+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1451+ ok = ctx->verify_cb(0, ctx);
1452+ if(!ok) goto err;
1453+ }
1454+ }
1455+
1456+ if(issuer)
1457+ {
1458+ /* Skip most tests for deltas because they have already
1459+ * been done
1460+ */
1461+ if (!crl->base_crl_number)
1462+ {
1463+ /* Check for cRLSign bit if keyUsage present */
1464+ if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1465+ !(issuer->ex_kusage & KU_CRL_SIGN))
1466+ {
1467+ ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1468+ ok = ctx->verify_cb(0, ctx);
1469+ if(!ok) goto err;
1470+ }
1471+
1472+ if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
1473+ {
1474+ ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1475+ ok = ctx->verify_cb(0, ctx);
1476+ if(!ok) goto err;
1477+ }
1478+
1479+ if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
1480+ {
1481+ if (check_crl_path(ctx, ctx->current_issuer) <= 0)
1482+ {
1483+ ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1484+ ok = ctx->verify_cb(0, ctx);
1485+ if(!ok) goto err;
1486+ }
1487+ }
1488+
1489+ if (crl->idp_flags & IDP_INVALID)
1490+ {
1491+ ctx->error = X509_V_ERR_INVALID_EXTENSION;
1492+ ok = ctx->verify_cb(0, ctx);
1493+ if(!ok) goto err;
1494+ }
1495+
1496+
1497+ }
1498+
1499+ if (!(ctx->current_crl_score & CRL_SCORE_TIME))
1500+ {
1501+ ok = check_crl_time(ctx, crl, 1);
1502+ if (!ok)
1503+ goto err;
1504+ }
1505+
1506+ /* Attempt to get issuer certificate public key */
1507+ ikey = X509_get_pubkey(issuer);
1508+
1509+ if(!ikey)
1510+ {
1511+ ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1512+ ok = ctx->verify_cb(0, ctx);
1513+ if (!ok) goto err;
1514+ }
1515+ else
1516+ {
1517+ /* Verify CRL signature */
1518+ if(X509_CRL_verify(crl, ikey) <= 0)
1519+ {
1520+ ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
1521+ ok = ctx->verify_cb(0, ctx);
1522+ if (!ok) goto err;
1523+ }
1524+ }
1525+ }
1526+
1527+ ok = 1;
1528+
1529+ err:
1530+ EVP_PKEY_free(ikey);
1531+ return ok;
1532+ }
1533+
1534+/* Check certificate against CRL */
1535+static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1536+ {
1537+ int ok;
1538+ X509_REVOKED *rev;
1539+ /* The rules changed for this... previously if a CRL contained
1540+ * unhandled critical extensions it could still be used to indicate
1541+ * a certificate was revoked. This has since been changed since
1542+ * critical extension can change the meaning of CRL entries.
1543+ */
1544+ if (crl->flags & EXFLAG_CRITICAL)
1545+ {
1546+ if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1547+ return 1;
1548+ ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1549+ ok = ctx->verify_cb(0, ctx);
1550+ if(!ok)
1551+ return 0;
1552+ }
1553+ /* Look for serial number of certificate in CRL
1554+ * If found make sure reason is not removeFromCRL.
1555+ */
1556+ if (X509_CRL_get0_by_cert(crl, &rev, x))
1557+ {
1558+ if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1559+ return 2;
1560+ ctx->error = X509_V_ERR_CERT_REVOKED;
1561+ ok = ctx->verify_cb(0, ctx);
1562+ if (!ok)
1563+ return 0;
1564+ }
1565+
1566+ return 1;
1567+ }
1568+
1569+static int check_policy(X509_STORE_CTX *ctx)
1570+ {
1571+ int ret;
1572+ if (ctx->parent)
1573+ return 1;
1574+ ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1575+ ctx->param->policies, ctx->param->flags);
1576+ if (ret == 0)
1577+ {
1578+ X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
1579+ return 0;
1580+ }
1581+ /* Invalid or inconsistent extensions */
1582+ if (ret == -1)
1583+ {
1584+ /* Locate certificates with bad extensions and notify
1585+ * callback.
1586+ */
1587+ X509 *x;
1588+ int i;
1589+ for (i = 1; i < sk_X509_num(ctx->chain); i++)
1590+ {
1591+ x = sk_X509_value(ctx->chain, i);
1592+ if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1593+ continue;
1594+ ctx->current_cert = x;
1595+ ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1596+ if(!ctx->verify_cb(0, ctx))
1597+ return 0;
1598+ }
1599+ return 1;
1600+ }
1601+ if (ret == -2)
1602+ {
1603+ ctx->current_cert = NULL;
1604+ ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1605+ return ctx->verify_cb(0, ctx);
1606+ }
1607+
1608+ if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
1609+ {
1610+ ctx->current_cert = NULL;
1611+ ctx->error = X509_V_OK;
1612+ if (!ctx->verify_cb(2, ctx))
1613+ return 0;
1614+ }
1615+
1616+ return 1;
1617+ }
1618+
1619+static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1620+ {
1621+ time_t *ptime;
1622+ int i;
1623+
1624+ if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1625+ ptime = &ctx->param->check_time;
1626+ else
1627+ ptime = NULL;
1628+
1629+ i=X509_cmp_time(X509_get_notBefore(x), ptime);
1630+ if (i == 0)
1631+ {
1632+ ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1633+ ctx->current_cert=x;
1634+ if (!ctx->verify_cb(0, ctx))
1635+ return 0;
1636+ }
1637+
1638+ if (i > 0)
1639+ {
1640+ ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
1641+ ctx->current_cert=x;
1642+ if (!ctx->verify_cb(0, ctx))
1643+ return 0;
1644+ }
1645+
1646+ i=X509_cmp_time(X509_get_notAfter(x), ptime);
1647+ if (i == 0)
1648+ {
1649+ ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1650+ ctx->current_cert=x;
1651+ if (!ctx->verify_cb(0, ctx))
1652+ return 0;
1653+ }
1654+
1655+ if (i < 0)
1656+ {
1657+ ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
1658+ ctx->current_cert=x;
1659+ if (!ctx->verify_cb(0, ctx))
1660+ return 0;
1661+ }
1662+
1663+ return 1;
1664+ }
1665+
1666+static int internal_verify(X509_STORE_CTX *ctx)
1667+ {
1668+ int ok=0,n;
1669+ X509 *xs,*xi;
1670+ EVP_PKEY *pkey=NULL;
1671+ int (*cb)(int xok,X509_STORE_CTX *xctx);
1672+
1673+ cb=ctx->verify_cb;
1674+
1675+ n=sk_X509_num(ctx->chain);
1676+ ctx->error_depth=n-1;
1677+ n--;
1678+ xi=sk_X509_value(ctx->chain,n);
1679+
1680+ if (ctx->check_issued(ctx, xi, xi))
1681+ xs=xi;
1682+ else
1683+ {
1684+ if (n <= 0)
1685+ {
1686+ ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1687+ ctx->current_cert=xi;
1688+ ok=cb(0,ctx);
1689+ goto end;
1690+ }
1691+ else
1692+ {
1693+ n--;
1694+ ctx->error_depth=n;
1695+ xs=sk_X509_value(ctx->chain,n);
1696+ }
1697+ }
1698+
1699+/* ctx->error=0; not needed */
1700+ while (n >= 0)
1701+ {
1702+ ctx->error_depth=n;
1703+
1704+ /* Skip signature check for self signed certificates unless
1705+ * explicitly asked for. It doesn't add any security and
1706+ * just wastes time.
1707+ */
1708+ if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
1709+ {
1710+ if ((pkey=X509_get_pubkey(xi)) == NULL)
1711+ {
1712+ ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1713+ ctx->current_cert=xi;
1714+ ok=(*cb)(0,ctx);
1715+ if (!ok) goto end;
1716+ }
1717+ else if (X509_verify(xs,pkey) <= 0)
1718+ {
1719+ ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
1720+ ctx->current_cert=xs;
1721+ ok=(*cb)(0,ctx);
1722+ if (!ok)
1723+ {
1724+ EVP_PKEY_free(pkey);
1725+ goto end;
1726+ }
1727+ }
1728+ EVP_PKEY_free(pkey);
1729+ pkey=NULL;
1730+ }
1731+
1732+ xs->valid = 1;
1733+
1734+ ok = check_cert_time(ctx, xs);
1735+ if (!ok)
1736+ goto end;
1737+
1738+ /* The last error (if any) is still in the error value */
1739+ ctx->current_issuer=xi;
1740+ ctx->current_cert=xs;
1741+ ok=(*cb)(1,ctx);
1742+ if (!ok) goto end;
1743+
1744+ n--;
1745+ if (n >= 0)
1746+ {
1747+ xi=xs;
1748+ xs=sk_X509_value(ctx->chain,n);
1749+ }
1750+ }
1751+ ok=1;
1752+end:
1753+ return ok;
1754+ }
1755+
1756+int X509_cmp_current_time(const ASN1_TIME *ctm)
1757+{
1758+ return X509_cmp_time(ctm, NULL);
1759+}
1760+
1761+int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1762+ {
1763+ char *str;
1764+ ASN1_TIME atm;
1765+ long offset;
1766+ char buff1[24],buff2[24],*p;
1767+ int i,j;
1768+
1769+ p=buff1;
1770+ i=ctm->length;
1771+ str=(char *)ctm->data;
1772+ if (ctm->type == V_ASN1_UTCTIME)
1773+ {
1774+ if ((i < 11) || (i > 17)) return 0;
1775+ memcpy(p,str,10);
1776+ p+=10;
1777+ str+=10;
1778+ }
1779+ else
1780+ {
1781+ if (i < 13) return 0;
1782+ memcpy(p,str,12);
1783+ p+=12;
1784+ str+=12;
1785+ }
1786+
1787+ if ((*str == 'Z') || (*str == '-') || (*str == '+'))
1788+ { *(p++)='0'; *(p++)='0'; }
1789+ else
1790+ {
1791+ *(p++)= *(str++);
1792+ *(p++)= *(str++);
1793+ /* Skip any fractional seconds... */
1794+ if (*str == '.')
1795+ {
1796+ str++;
1797+ while ((*str >= '0') && (*str <= '9')) str++;
1798+ }
1799+
1800+ }
1801+ *(p++)='Z';
1802+ *(p++)='\0';
1803+
1804+ if (*str == 'Z')
1805+ offset=0;
1806+ else
1807+ {
1808+ if ((*str != '+') && (*str != '-'))
1809+ return 0;
1810+ offset=((str[1]-'0')*10+(str[2]-'0'))*60;
1811+ offset+=(str[3]-'0')*10+(str[4]-'0');
1812+ if (*str == '-')
1813+ offset= -offset;
1814+ }
1815+ atm.type=ctm->type;
1816+ atm.flags = 0;
1817+ atm.length=sizeof(buff2);
1818+ atm.data=(unsigned char *)buff2;
1819+
1820+ if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
1821+ return 0;
1822+
1823+ if (ctm->type == V_ASN1_UTCTIME)
1824+ {
1825+ i=(buff1[0]-'0')*10+(buff1[1]-'0');
1826+ if (i < 50) i+=100; /* cf. RFC 2459 */
1827+ j=(buff2[0]-'0')*10+(buff2[1]-'0');
1828+ if (j < 50) j+=100;
1829+
1830+ if (i < j) return -1;
1831+ if (i > j) return 1;
1832+ }
1833+ i=strcmp(buff1,buff2);
1834+ if (i == 0) /* wait a second then return younger :-) */
1835+ return -1;
1836+ else
1837+ return i;
1838+ }
1839+
1840+ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1841+{
1842+ return X509_time_adj(s, adj, NULL);
1843+}
1844+
1845+ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1846+ {
1847+ return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1848+ }
1849+
1850+ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1851+ int offset_day, long offset_sec, time_t *in_tm)
1852+ {
1853+ time_t t;
1854+
1855+ if (in_tm) t = *in_tm;
1856+ else time(&t);
1857+
1858+ if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
1859+ {
1860+ if (s->type == V_ASN1_UTCTIME)
1861+ return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
1862+ if (s->type == V_ASN1_GENERALIZEDTIME)
1863+ return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1864+ offset_sec);
1865+ }
1866+ return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1867+ }
1868+
1869+int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1870+ {
1871+ EVP_PKEY *ktmp=NULL,*ktmp2;
1872+ int i,j;
1873+
1874+ if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
1875+
1876+ for (i=0; i<sk_X509_num(chain); i++)
1877+ {
1878+ ktmp=X509_get_pubkey(sk_X509_value(chain,i));
1879+ if (ktmp == NULL)
1880+ {
1881+ X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1882+ return 0;
1883+ }
1884+ if (!EVP_PKEY_missing_parameters(ktmp))
1885+ break;
1886+ else
1887+ {
1888+ EVP_PKEY_free(ktmp);
1889+ ktmp=NULL;
1890+ }
1891+ }
1892+ if (ktmp == NULL)
1893+ {
1894+ X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1895+ return 0;
1896+ }
1897+
1898+ /* first, populate the other certs */
1899+ for (j=i-1; j >= 0; j--)
1900+ {
1901+ ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
1902+ EVP_PKEY_copy_parameters(ktmp2,ktmp);
1903+ EVP_PKEY_free(ktmp2);
1904+ }
1905+
1906+ if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
1907+ EVP_PKEY_free(ktmp);
1908+ return 1;
1909+ }
1910+
1911+int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1912+ CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1913+ {
1914+ /* This function is (usually) called only once, by
1915+ * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1916+ return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
1917+ new_func, dup_func, free_func);
1918+ }
1919+
1920+int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1921+ {
1922+ return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
1923+ }
1924+
1925+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1926+ {
1927+ return CRYPTO_get_ex_data(&ctx->ex_data,idx);
1928+ }
1929+
1930+int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1931+ {
1932+ return ctx->error;
1933+ }
1934+
1935+void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1936+ {
1937+ ctx->error=err;
1938+ }
1939+
1940+int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1941+ {
1942+ return ctx->error_depth;
1943+ }
1944+
1945+X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1946+ {
1947+ return ctx->current_cert;
1948+ }
1949+
1950+STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
1951+ {
1952+ return ctx->chain;
1953+ }
1954+
1955+STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1956+ {
1957+ int i;
1958+ X509 *x;
1959+ STACK_OF(X509) *chain;
1960+ if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
1961+ for (i = 0; i < sk_X509_num(chain); i++)
1962+ {
1963+ x = sk_X509_value(chain, i);
1964+ CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1965+ }
1966+ return chain;
1967+ }
1968+
1969+X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1970+ {
1971+ return ctx->current_issuer;
1972+ }
1973+
1974+X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1975+ {
1976+ return ctx->current_crl;
1977+ }
1978+
1979+X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1980+ {
1981+ return ctx->parent;
1982+ }
1983+
1984+void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1985+ {
1986+ ctx->cert=x;
1987+ }
1988+
1989+void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1990+ {
1991+ ctx->untrusted=sk;
1992+ }
1993+
1994+void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1995+ {
1996+ ctx->crls=sk;
1997+ }
1998+
1999+int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
2000+ {
2001+ return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
2002+ }
2003+
2004+int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
2005+ {
2006+ return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
2007+ }
2008+
2009+/* This function is used to set the X509_STORE_CTX purpose and trust
2010+ * values. This is intended to be used when another structure has its
2011+ * own trust and purpose values which (if set) will be inherited by
2012+ * the ctx. If they aren't set then we will usually have a default
2013+ * purpose in mind which should then be used to set the trust value.
2014+ * An example of this is SSL use: an SSL structure will have its own
2015+ * purpose and trust settings which the application can set: if they
2016+ * aren't set then we use the default of SSL client/server.
2017+ */
2018+
2019+int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
2020+ int purpose, int trust)
2021+{
2022+ int idx;
2023+ /* If purpose not set use default */
2024+ if (!purpose) purpose = def_purpose;
2025+ /* If we have a purpose then check it is valid */
2026+ if (purpose)
2027+ {
2028+ X509_PURPOSE *ptmp;
2029+ idx = X509_PURPOSE_get_by_id(purpose);
2030+ if (idx == -1)
2031+ {
2032+ X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
2033+ X509_R_UNKNOWN_PURPOSE_ID);
2034+ return 0;
2035+ }
2036+ ptmp = X509_PURPOSE_get0(idx);
2037+ if (ptmp->trust == X509_TRUST_DEFAULT)
2038+ {
2039+ idx = X509_PURPOSE_get_by_id(def_purpose);
2040+ if (idx == -1)
2041+ {
2042+ X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
2043+ X509_R_UNKNOWN_PURPOSE_ID);
2044+ return 0;
2045+ }
2046+ ptmp = X509_PURPOSE_get0(idx);
2047+ }
2048+ /* If trust not set then get from purpose default */
2049+ if (!trust) trust = ptmp->trust;
2050+ }
2051+ if (trust)
2052+ {
2053+ idx = X509_TRUST_get_by_id(trust);
2054+ if (idx == -1)
2055+ {
2056+ X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
2057+ X509_R_UNKNOWN_TRUST_ID);
2058+ return 0;
2059+ }
2060+ }
2061+
2062+ if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
2063+ if (trust && !ctx->param->trust) ctx->param->trust = trust;
2064+ return 1;
2065+}
2066+
2067+X509_STORE_CTX *X509_STORE_CTX_new(void)
2068+{
2069+ X509_STORE_CTX *ctx;
2070+ ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
2071+ if (!ctx)
2072+ {
2073+ X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
2074+ return NULL;
2075+ }
2076+ memset(ctx, 0, sizeof(X509_STORE_CTX));
2077+ return ctx;
2078+}
2079+
2080+void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
2081+{
2082+ X509_STORE_CTX_cleanup(ctx);
2083+ OPENSSL_free(ctx);
2084+}
2085+
2086+int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2087+ STACK_OF(X509) *chain)
2088+ {
2089+ int ret = 1;
2090+ ctx->ctx=store;
2091+ ctx->current_method=0;
2092+ ctx->cert=x509;
2093+ ctx->untrusted=chain;
2094+ ctx->crls = NULL;
2095+ ctx->last_untrusted=0;
2096+ ctx->other_ctx=NULL;
2097+ ctx->valid=0;
2098+ ctx->chain=NULL;
2099+ ctx->error=0;
2100+ ctx->explicit_policy=0;
2101+ ctx->error_depth=0;
2102+ ctx->current_cert=NULL;
2103+ ctx->current_issuer=NULL;
2104+ ctx->current_crl=NULL;
2105+ ctx->current_crl_score=0;
2106+ ctx->current_reasons=0;
2107+ ctx->tree = NULL;
2108+ ctx->parent = NULL;
2109+
2110+ ctx->param = X509_VERIFY_PARAM_new();
2111+
2112+ if (!ctx->param)
2113+ {
2114+ X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2115+ return 0;
2116+ }
2117+
2118+ /* Inherit callbacks and flags from X509_STORE if not set
2119+ * use defaults.
2120+ */
2121+
2122+
2123+ if (store)
2124+ ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
2125+ else
2126+ ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2127+
2128+ if (store)
2129+ {
2130+ ctx->verify_cb = store->verify_cb;
2131+ ctx->cleanup = store->cleanup;
2132+ }
2133+ else
2134+ ctx->cleanup = 0;
2135+
2136+ if (ret)
2137+ ret = X509_VERIFY_PARAM_inherit(ctx->param,
2138+ X509_VERIFY_PARAM_lookup("default"));
2139+
2140+ if (ret == 0)
2141+ {
2142+ X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2143+ return 0;
2144+ }
2145+
2146+ if (store && store->check_issued)
2147+ ctx->check_issued = store->check_issued;
2148+ else
2149+ ctx->check_issued = check_issued;
2150+
2151+ if (store && store->get_issuer)
2152+ ctx->get_issuer = store->get_issuer;
2153+ else
2154+ ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2155+
2156+ if (store && store->verify_cb)
2157+ ctx->verify_cb = store->verify_cb;
2158+ else
2159+ ctx->verify_cb = null_callback;
2160+
2161+ if (store && store->verify)
2162+ ctx->verify = store->verify;
2163+ else
2164+ ctx->verify = internal_verify;
2165+
2166+ if (store && store->check_revocation)
2167+ ctx->check_revocation = store->check_revocation;
2168+ else
2169+ ctx->check_revocation = check_revocation;
2170+
2171+ if (store && store->get_crl)
2172+ ctx->get_crl = store->get_crl;
2173+ else
2174+ ctx->get_crl = NULL;
2175+
2176+ if (store && store->check_crl)
2177+ ctx->check_crl = store->check_crl;
2178+ else
2179+ ctx->check_crl = check_crl;
2180+
2181+ if (store && store->cert_crl)
2182+ ctx->cert_crl = store->cert_crl;
2183+ else
2184+ ctx->cert_crl = cert_crl;
2185+
2186+ if (store && store->lookup_certs)
2187+ ctx->lookup_certs = store->lookup_certs;
2188+ else
2189+ ctx->lookup_certs = X509_STORE_get1_certs;
2190+
2191+ if (store && store->lookup_crls)
2192+ ctx->lookup_crls = store->lookup_crls;
2193+ else
2194+ ctx->lookup_crls = X509_STORE_get1_crls;
2195+
2196+ ctx->check_policy = check_policy;
2197+
2198+
2199+ /* This memset() can't make any sense anyway, so it's removed. As
2200+ * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
2201+ * corresponding "new" here and remove this bogus initialisation. */
2202+ /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
2203+ if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2204+ &(ctx->ex_data)))
2205+ {
2206+ OPENSSL_free(ctx);
2207+ X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2208+ return 0;
2209+ }
2210+ return 1;
2211+ }
2212+
2213+/* Set alternative lookup method: just a STACK of trusted certificates.
2214+ * This avoids X509_STORE nastiness where it isn't needed.
2215+ */
2216+
2217+void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2218+{
2219+ ctx->other_ctx = sk;
2220+ ctx->get_issuer = get_issuer_sk;
2221+}
2222+
2223+void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2224+ {
2225+ if (ctx->cleanup) ctx->cleanup(ctx);
2226+ if (ctx->param != NULL)
2227+ {
2228+ if (ctx->parent == NULL)
2229+ X509_VERIFY_PARAM_free(ctx->param);
2230+ ctx->param=NULL;
2231+ }
2232+ if (ctx->tree != NULL)
2233+ {
2234+ X509_policy_tree_free(ctx->tree);
2235+ ctx->tree=NULL;
2236+ }
2237+ if (ctx->chain != NULL)
2238+ {
2239+ sk_X509_pop_free(ctx->chain,X509_free);
2240+ ctx->chain=NULL;
2241+ }
2242+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
2243+ memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
2244+ }
2245+
2246+void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2247+ {
2248+ X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2249+ }
2250+
2251+void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2252+ {
2253+ X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2254+ }
2255+
2256+void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2257+ {
2258+ X509_VERIFY_PARAM_set_time(ctx->param, t);
2259+ }
2260+
2261+void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2262+ int (*verify_cb)(int, X509_STORE_CTX *))
2263+ {
2264+ ctx->verify_cb=verify_cb;
2265+ }
2266+
2267+X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2268+ {
2269+ return ctx->tree;
2270+ }
2271+
2272+int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2273+ {
2274+ return ctx->explicit_policy;
2275+ }
2276+
2277+int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2278+ {
2279+ const X509_VERIFY_PARAM *param;
2280+ param = X509_VERIFY_PARAM_lookup(name);
2281+ if (!param)
2282+ return 0;
2283+ return X509_VERIFY_PARAM_inherit(ctx->param, param);
2284+ }
2285+
2286+X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2287+ {
2288+ return ctx->param;
2289+ }
2290+
2291+void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2292+ {
2293+ if (ctx->param)
2294+ X509_VERIFY_PARAM_free(ctx->param);
2295+ ctx->param = param;
2296+ }
2297+
2298+IMPLEMENT_STACK_OF(X509)
2299+IMPLEMENT_ASN1_SET_OF(X509)
2300+
2301+IMPLEMENT_STACK_OF(X509_NAME)
2302+
2303+IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
2304+IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)
2305
2306=== added directory '.pc/c_rehash-multi.patch'
2307=== added directory '.pc/c_rehash-multi.patch/tools'
2308=== added file '.pc/c_rehash-multi.patch/tools/c_rehash.in'
2309--- .pc/c_rehash-multi.patch/tools/c_rehash.in 1970-01-01 00:00:00 +0000
2310+++ .pc/c_rehash-multi.patch/tools/c_rehash.in 2011-09-15 05:17:15 +0000
2311@@ -0,0 +1,192 @@
2312+#!/usr/local/bin/perl
2313+
2314+
2315+# Perl c_rehash script, scan all files in a directory
2316+# and add symbolic links to their hash values.
2317+
2318+my $openssl;
2319+
2320+my $dir;
2321+my $prefix;
2322+
2323+if(defined $ENV{OPENSSL}) {
2324+ $openssl = $ENV{OPENSSL};
2325+} else {
2326+ $openssl = "openssl";
2327+ $ENV{OPENSSL} = $openssl;
2328+}
2329+
2330+my $pwd;
2331+eval "require Cwd";
2332+if (defined(&Cwd::getcwd)) {
2333+ $pwd=Cwd::getcwd();
2334+} else {
2335+ $pwd=`pwd`; chomp($pwd);
2336+}
2337+my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter?
2338+
2339+$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); # prefix our path
2340+
2341+if(! -x $openssl) {
2342+ my $found = 0;
2343+ foreach (split /$path_delim/, $ENV{PATH}) {
2344+ if(-x "$_/$openssl") {
2345+ $found = 1;
2346+ $openssl = "$_/$openssl";
2347+ last;
2348+ }
2349+ }
2350+ if($found == 0) {
2351+ print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
2352+ exit 0;
2353+ }
2354+}
2355+
2356+if(@ARGV) {
2357+ @dirlist = @ARGV;
2358+} elsif($ENV{SSL_CERT_DIR}) {
2359+ @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
2360+} else {
2361+ $dirlist[0] = "$dir/certs";
2362+}
2363+
2364+if (-d $dirlist[0]) {
2365+ chdir $dirlist[0];
2366+ $openssl="$pwd/$openssl" if (!-x $openssl);
2367+ chdir $pwd;
2368+}
2369+
2370+foreach (@dirlist) {
2371+ if(-d $_ and -w $_) {
2372+ hash_dir($_);
2373+ }
2374+}
2375+
2376+sub hash_dir {
2377+ my %hashlist;
2378+ print "Doing $_[0]\n";
2379+ chdir $_[0];
2380+ opendir(DIR, ".");
2381+ my @flist = readdir(DIR);
2382+ # Delete any existing symbolic links
2383+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
2384+ if(-l $_) {
2385+ unlink $_;
2386+ }
2387+ }
2388+ closedir DIR;
2389+ FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) {
2390+ # Check to see if certificates and/or CRLs present.
2391+ my ($cert, $crl) = check_file($fname);
2392+ if(!$cert && !$crl) {
2393+ ($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der -outform pem | ");
2394+ if(!$cert && !$crl) {
2395+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
2396+ next;
2397+ }
2398+ }
2399+ link_hash_cert($fname) if($cert);
2400+ link_hash_cert_old($fname) if($cert);
2401+ link_hash_crl($fname) if($crl);
2402+ }
2403+}
2404+
2405+sub check_file {
2406+ my ($is_cert, $is_crl) = (0,0);
2407+ my $fname = $_[0];
2408+ open IN, $fname;
2409+ while(<IN>) {
2410+ if(/^-----BEGIN (.*)-----/) {
2411+ my $hdr = $1;
2412+ if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
2413+ $is_cert = 1;
2414+ last if($is_crl);
2415+ } elsif($hdr eq "X509 CRL") {
2416+ $is_crl = 1;
2417+ last if($is_cert);
2418+ }
2419+ }
2420+ }
2421+ close IN;
2422+ return ($is_cert, $is_crl);
2423+}
2424+
2425+
2426+# Link a certificate to its subject name hash value, each hash is of
2427+# the form <hash>.<n> where n is an integer. If the hash value already exists
2428+# then we need to up the value of n, unless its a duplicate in which
2429+# case we skip the link. We check for duplicates by comparing the
2430+# certificate fingerprints
2431+
2432+sub link_hash_cert {
2433+ my $fname = $_[0];
2434+ my $hashopt = $_[1] || '-subject_hash';
2435+ $fname =~ s/'/'\\''/g;
2436+ my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
2437+ chomp $hash;
2438+ chomp $fprint;
2439+ $fprint =~ s/^.*=//;
2440+ $fprint =~ tr/://d;
2441+ my $suffix = 0;
2442+ # Search for an unused hash filename
2443+ while(exists $hashlist{"$hash.$suffix"}) {
2444+ # Hash matches: if fingerprint matches its a duplicate cert
2445+ if($hashlist{"$hash.$suffix"} eq $fprint) {
2446+ print STDERR "WARNING: Skipping duplicate certificate $fname\n";
2447+ return;
2448+ }
2449+ $suffix++;
2450+ }
2451+ $hash .= ".$suffix";
2452+ print "$fname => $hash\n";
2453+ $symlink_exists=eval {symlink("",""); 1};
2454+ if ($symlink_exists) {
2455+ symlink $fname, $hash;
2456+ } else {
2457+ open IN,"<$fname" or die "can't open $fname for read";
2458+ open OUT,">$hash" or die "can't open $hash for write";
2459+ print OUT <IN>; # does the job for small text files
2460+ close OUT;
2461+ close IN;
2462+ }
2463+ $hashlist{$hash} = $fprint;
2464+}
2465+
2466+sub link_hash_cert_old {
2467+ link_hash_cert($_[0], '-subject_hash_old');
2468+}
2469+
2470+# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
2471+
2472+sub link_hash_crl {
2473+ my $fname = $_[0];
2474+ $fname =~ s/'/'\\''/g;
2475+ my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
2476+ if(!$hash || !fprint) {
2477+ ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname' -inform der`;
2478+ }
2479+ chomp $hash;
2480+ chomp $fprint;
2481+ $fprint =~ s/^.*=//;
2482+ $fprint =~ tr/://d;
2483+ my $suffix = 0;
2484+ # Search for an unused hash filename
2485+ while(exists $hashlist{"$hash.r$suffix"}) {
2486+ # Hash matches: if fingerprint matches its a duplicate cert
2487+ if($hashlist{"$hash.r$suffix"} eq $fprint) {
2488+ print STDERR "WARNING: Skipping duplicate CRL $fname\n";
2489+ return;
2490+ }
2491+ $suffix++;
2492+ }
2493+ $hash .= ".r$suffix";
2494+ print "$fname => $hash\n";
2495+ $symlink_exists=eval {symlink("",""); 1};
2496+ if ($symlink_exists) {
2497+ symlink $fname, $hash;
2498+ } else {
2499+ system ("cp", $fname, $hash);
2500+ }
2501+ $hashlist{$hash} = $fprint;
2502+}
2503+
2504
2505=== modified file '.pc/config-hurd.patch/config'
2506--- .pc/config-hurd.patch/config 2010-12-12 15:37:21 +0000
2507+++ .pc/config-hurd.patch/config 2011-09-15 05:17:15 +0000
2508@@ -825,6 +825,10 @@
2509 # options="$options -DATALLA"
2510 #fi
2511
2512+($CC -Wa,--help -c -o /dev/null -x assembler /dev/null 2>&1 | \
2513+ grep \\--noexecstack) 2>&1 > /dev/null && \
2514+ options="$options -Wa,--noexecstack"
2515+
2516 # gcc < 2.8 does not support -march=ultrasparc
2517 if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
2518 then
2519
2520=== added directory '.pc/dgst_hmac.patch'
2521=== added directory '.pc/dgst_hmac.patch/apps'
2522=== added file '.pc/dgst_hmac.patch/apps/dgst.c'
2523--- .pc/dgst_hmac.patch/apps/dgst.c 1970-01-01 00:00:00 +0000
2524+++ .pc/dgst_hmac.patch/apps/dgst.c 2011-09-15 05:17:15 +0000
2525@@ -0,0 +1,632 @@
2526+/* apps/dgst.c */
2527+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2528+ * All rights reserved.
2529+ *
2530+ * This package is an SSL implementation written
2531+ * by Eric Young (eay@cryptsoft.com).
2532+ * The implementation was written so as to conform with Netscapes SSL.
2533+ *
2534+ * This library is free for commercial and non-commercial use as long as
2535+ * the following conditions are aheared to. The following conditions
2536+ * apply to all code found in this distribution, be it the RC4, RSA,
2537+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
2538+ * included with this distribution is covered by the same copyright terms
2539+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
2540+ *
2541+ * Copyright remains Eric Young's, and as such any Copyright notices in
2542+ * the code are not to be removed.
2543+ * If this package is used in a product, Eric Young should be given attribution
2544+ * as the author of the parts of the library used.
2545+ * This can be in the form of a textual message at program startup or
2546+ * in documentation (online or textual) provided with the package.
2547+ *
2548+ * Redistribution and use in source and binary forms, with or without
2549+ * modification, are permitted provided that the following conditions
2550+ * are met:
2551+ * 1. Redistributions of source code must retain the copyright
2552+ * notice, this list of conditions and the following disclaimer.
2553+ * 2. Redistributions in binary form must reproduce the above copyright
2554+ * notice, this list of conditions and the following disclaimer in the
2555+ * documentation and/or other materials provided with the distribution.
2556+ * 3. All advertising materials mentioning features or use of this software
2557+ * must display the following acknowledgement:
2558+ * "This product includes cryptographic software written by
2559+ * Eric Young (eay@cryptsoft.com)"
2560+ * The word 'cryptographic' can be left out if the rouines from the library
2561+ * being used are not cryptographic related :-).
2562+ * 4. If you include any Windows specific code (or a derivative thereof) from
2563+ * the apps directory (application code) you must include an acknowledgement:
2564+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
2565+ *
2566+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
2567+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
2568+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2569+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
2570+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2571+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2572+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2573+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
2574+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
2575+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
2576+ * SUCH DAMAGE.
2577+ *
2578+ * The licence and distribution terms for any publically available version or
2579+ * derivative of this code cannot be changed. i.e. this code cannot simply be
2580+ * copied and put under another distribution licence
2581+ * [including the GNU Public Licence.]
2582+ */
2583+
2584+#include <stdio.h>
2585+#include <string.h>
2586+#include <stdlib.h>
2587+#include "apps.h"
2588+#include <openssl/bio.h>
2589+#include <openssl/err.h>
2590+#include <openssl/evp.h>
2591+#include <openssl/objects.h>
2592+#include <openssl/x509.h>
2593+#include <openssl/pem.h>
2594+#include <openssl/hmac.h>
2595+
2596+#undef BUFSIZE
2597+#define BUFSIZE 1024*8
2598+
2599+#undef PROG
2600+#define PROG dgst_main
2601+
2602+int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
2603+ EVP_PKEY *key, unsigned char *sigin, int siglen,
2604+ const char *sig_name, const char *md_name,
2605+ const char *file,BIO *bmd);
2606+
2607+static void list_md_fn(const EVP_MD *m,
2608+ const char *from, const char *to, void *arg)
2609+ {
2610+ const char *mname;
2611+ /* Skip aliases */
2612+ if (!m)
2613+ return;
2614+ mname = OBJ_nid2ln(EVP_MD_type(m));
2615+ /* Skip shortnames */
2616+ if (strcmp(from, mname))
2617+ return;
2618+ /* Skip clones */
2619+ if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST)
2620+ return;
2621+ if (strchr(mname, ' '))
2622+ mname= EVP_MD_name(m);
2623+ BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n",
2624+ mname, mname);
2625+ }
2626+
2627+int MAIN(int, char **);
2628+
2629+int MAIN(int argc, char **argv)
2630+ {
2631+ ENGINE *e = NULL;
2632+ unsigned char *buf=NULL;
2633+ int i,err=1;
2634+ const EVP_MD *md=NULL,*m;
2635+ BIO *in=NULL,*inp;
2636+ BIO *bmd=NULL;
2637+ BIO *out = NULL;
2638+#define PROG_NAME_SIZE 39
2639+ char pname[PROG_NAME_SIZE+1];
2640+ int separator=0;
2641+ int debug=0;
2642+ int keyform=FORMAT_PEM;
2643+ const char *outfile = NULL, *keyfile = NULL;
2644+ const char *sigfile = NULL, *randfile = NULL;
2645+ int out_bin = -1, want_pub = 0, do_verify = 0;
2646+ EVP_PKEY *sigkey = NULL;
2647+ unsigned char *sigbuf = NULL;
2648+ int siglen = 0;
2649+ char *passargin = NULL, *passin = NULL;
2650+#ifndef OPENSSL_NO_ENGINE
2651+ char *engine=NULL;
2652+#endif
2653+ char *hmac_key=NULL;
2654+ char *mac_name=NULL;
2655+ STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
2656+
2657+ apps_startup();
2658+
2659+ if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL)
2660+ {
2661+ BIO_printf(bio_err,"out of memory\n");
2662+ goto end;
2663+ }
2664+ if (bio_err == NULL)
2665+ if ((bio_err=BIO_new(BIO_s_file())) != NULL)
2666+ BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
2667+
2668+ if (!load_config(bio_err, NULL))
2669+ goto end;
2670+
2671+ /* first check the program name */
2672+ program_name(argv[0],pname,sizeof pname);
2673+
2674+ md=EVP_get_digestbyname(pname);
2675+
2676+ argc--;
2677+ argv++;
2678+ while (argc > 0)
2679+ {
2680+ if ((*argv)[0] != '-') break;
2681+ if (strcmp(*argv,"-c") == 0)
2682+ separator=1;
2683+ else if (strcmp(*argv,"-r") == 0)
2684+ separator=2;
2685+ else if (strcmp(*argv,"-rand") == 0)
2686+ {
2687+ if (--argc < 1) break;
2688+ randfile=*(++argv);
2689+ }
2690+ else if (strcmp(*argv,"-out") == 0)
2691+ {
2692+ if (--argc < 1) break;
2693+ outfile=*(++argv);
2694+ }
2695+ else if (strcmp(*argv,"-sign") == 0)
2696+ {
2697+ if (--argc < 1) break;
2698+ keyfile=*(++argv);
2699+ }
2700+ else if (!strcmp(*argv,"-passin"))
2701+ {
2702+ if (--argc < 1)
2703+ break;
2704+ passargin=*++argv;
2705+ }
2706+ else if (strcmp(*argv,"-verify") == 0)
2707+ {
2708+ if (--argc < 1) break;
2709+ keyfile=*(++argv);
2710+ want_pub = 1;
2711+ do_verify = 1;
2712+ }
2713+ else if (strcmp(*argv,"-prverify") == 0)
2714+ {
2715+ if (--argc < 1) break;
2716+ keyfile=*(++argv);
2717+ do_verify = 1;
2718+ }
2719+ else if (strcmp(*argv,"-signature") == 0)
2720+ {
2721+ if (--argc < 1) break;
2722+ sigfile=*(++argv);
2723+ }
2724+ else if (strcmp(*argv,"-keyform") == 0)
2725+ {
2726+ if (--argc < 1) break;
2727+ keyform=str2fmt(*(++argv));
2728+ }
2729+#ifndef OPENSSL_NO_ENGINE
2730+ else if (strcmp(*argv,"-engine") == 0)
2731+ {
2732+ if (--argc < 1) break;
2733+ engine= *(++argv);
2734+ e = setup_engine(bio_err, engine, 0);
2735+ }
2736+#endif
2737+ else if (strcmp(*argv,"-hex") == 0)
2738+ out_bin = 0;
2739+ else if (strcmp(*argv,"-binary") == 0)
2740+ out_bin = 1;
2741+ else if (strcmp(*argv,"-d") == 0)
2742+ debug=1;
2743+ else if (!strcmp(*argv,"-hmac"))
2744+ {
2745+ if (--argc < 1)
2746+ break;
2747+ hmac_key=*++argv;
2748+ }
2749+ else if (!strcmp(*argv,"-mac"))
2750+ {
2751+ if (--argc < 1)
2752+ break;
2753+ mac_name=*++argv;
2754+ }
2755+ else if (strcmp(*argv,"-sigopt") == 0)
2756+ {
2757+ if (--argc < 1)
2758+ break;
2759+ if (!sigopts)
2760+ sigopts = sk_OPENSSL_STRING_new_null();
2761+ if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
2762+ break;
2763+ }
2764+ else if (strcmp(*argv,"-macopt") == 0)
2765+ {
2766+ if (--argc < 1)
2767+ break;
2768+ if (!macopts)
2769+ macopts = sk_OPENSSL_STRING_new_null();
2770+ if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
2771+ break;
2772+ }
2773+ else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
2774+ md=m;
2775+ else
2776+ break;
2777+ argc--;
2778+ argv++;
2779+ }
2780+
2781+
2782+ if(do_verify && !sigfile) {
2783+ BIO_printf(bio_err, "No signature to verify: use the -signature option\n");
2784+ goto end;
2785+ }
2786+
2787+ if ((argc > 0) && (argv[0][0] == '-')) /* bad option */
2788+ {
2789+ BIO_printf(bio_err,"unknown option '%s'\n",*argv);
2790+ BIO_printf(bio_err,"options are\n");
2791+ BIO_printf(bio_err,"-c to output the digest with separating colons\n");
2792+ BIO_printf(bio_err,"-r to output the digest in coreutils format\n");
2793+ BIO_printf(bio_err,"-d to output debug info\n");
2794+ BIO_printf(bio_err,"-hex output as hex dump\n");
2795+ BIO_printf(bio_err,"-binary output in binary form\n");
2796+ BIO_printf(bio_err,"-sign file sign digest using private key in file\n");
2797+ BIO_printf(bio_err,"-verify file verify a signature using public key in file\n");
2798+ BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n");
2799+ BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n");
2800+ BIO_printf(bio_err,"-out filename output to filename rather than stdout\n");
2801+ BIO_printf(bio_err,"-signature file signature to verify\n");
2802+ BIO_printf(bio_err,"-sigopt nm:v signature parameter\n");
2803+ BIO_printf(bio_err,"-hmac key create hashed MAC with key\n");
2804+ BIO_printf(bio_err,"-mac algorithm create MAC (not neccessarily HMAC)\n");
2805+ BIO_printf(bio_err,"-macopt nm:v MAC algorithm parameters or key\n");
2806+#ifndef OPENSSL_NO_ENGINE
2807+ BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n");
2808+#endif
2809+
2810+ EVP_MD_do_all_sorted(list_md_fn, bio_err);
2811+ goto end;
2812+ }
2813+
2814+ in=BIO_new(BIO_s_file());
2815+ bmd=BIO_new(BIO_f_md());
2816+ if (debug)
2817+ {
2818+ BIO_set_callback(in,BIO_debug_callback);
2819+ /* needed for windows 3.1 */
2820+ BIO_set_callback_arg(in,(char *)bio_err);
2821+ }
2822+
2823+ if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
2824+ {
2825+ BIO_printf(bio_err, "Error getting password\n");
2826+ goto end;
2827+ }
2828+
2829+ if ((in == NULL) || (bmd == NULL))
2830+ {
2831+ ERR_print_errors(bio_err);
2832+ goto end;
2833+ }
2834+
2835+ if(out_bin == -1) {
2836+ if(keyfile)
2837+ out_bin = 1;
2838+ else
2839+ out_bin = 0;
2840+ }
2841+
2842+ if(randfile)
2843+ app_RAND_load_file(randfile, bio_err, 0);
2844+
2845+ if(outfile) {
2846+ if(out_bin)
2847+ out = BIO_new_file(outfile, "wb");
2848+ else out = BIO_new_file(outfile, "w");
2849+ } else {
2850+ out = BIO_new_fp(stdout, BIO_NOCLOSE);
2851+#ifdef OPENSSL_SYS_VMS
2852+ {
2853+ BIO *tmpbio = BIO_new(BIO_f_linebuffer());
2854+ out = BIO_push(tmpbio, out);
2855+ }
2856+#endif
2857+ }
2858+
2859+ if(!out) {
2860+ BIO_printf(bio_err, "Error opening output file %s\n",
2861+ outfile ? outfile : "(stdout)");
2862+ ERR_print_errors(bio_err);
2863+ goto end;
2864+ }
2865+ if ((!!mac_name + !!keyfile + !!hmac_key) > 1)
2866+ {
2867+ BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
2868+ goto end;
2869+ }
2870+
2871+ if(keyfile)
2872+ {
2873+ if (want_pub)
2874+ sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
2875+ e, "key file");
2876+ else
2877+ sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
2878+ e, "key file");
2879+ if (!sigkey)
2880+ {
2881+ /* load_[pub]key() has already printed an appropriate
2882+ message */
2883+ goto end;
2884+ }
2885+ }
2886+
2887+ if (mac_name)
2888+ {
2889+ EVP_PKEY_CTX *mac_ctx = NULL;
2890+ int r = 0;
2891+ if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0))
2892+ goto mac_end;
2893+ if (macopts)
2894+ {
2895+ char *macopt;
2896+ for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++)
2897+ {
2898+ macopt = sk_OPENSSL_STRING_value(macopts, i);
2899+ if (pkey_ctrl_string(mac_ctx, macopt) <= 0)
2900+ {
2901+ BIO_printf(bio_err,
2902+ "MAC parameter error \"%s\"\n",
2903+ macopt);
2904+ ERR_print_errors(bio_err);
2905+ goto mac_end;
2906+ }
2907+ }
2908+ }
2909+ if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0)
2910+ {
2911+ BIO_puts(bio_err, "Error generating key\n");
2912+ ERR_print_errors(bio_err);
2913+ goto mac_end;
2914+ }
2915+ r = 1;
2916+ mac_end:
2917+ if (mac_ctx)
2918+ EVP_PKEY_CTX_free(mac_ctx);
2919+ if (r == 0)
2920+ goto end;
2921+ }
2922+
2923+ if (hmac_key)
2924+ {
2925+ sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
2926+ (unsigned char *)hmac_key, -1);
2927+ if (!sigkey)
2928+ goto end;
2929+ }
2930+
2931+ if (sigkey)
2932+ {
2933+ EVP_MD_CTX *mctx = NULL;
2934+ EVP_PKEY_CTX *pctx = NULL;
2935+ int r;
2936+ if (!BIO_get_md_ctx(bmd, &mctx))
2937+ {
2938+ BIO_printf(bio_err, "Error getting context\n");
2939+ ERR_print_errors(bio_err);
2940+ goto end;
2941+ }
2942+ if (do_verify)
2943+ r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
2944+ else
2945+ r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);
2946+ if (!r)
2947+ {
2948+ BIO_printf(bio_err, "Error setting context\n");
2949+ ERR_print_errors(bio_err);
2950+ goto end;
2951+ }
2952+ if (sigopts)
2953+ {
2954+ char *sigopt;
2955+ for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++)
2956+ {
2957+ sigopt = sk_OPENSSL_STRING_value(sigopts, i);
2958+ if (pkey_ctrl_string(pctx, sigopt) <= 0)
2959+ {
2960+ BIO_printf(bio_err,
2961+ "parameter error \"%s\"\n",
2962+ sigopt);
2963+ ERR_print_errors(bio_err);
2964+ goto end;
2965+ }
2966+ }
2967+ }
2968+ }
2969+ /* we use md as a filter, reading from 'in' */
2970+ else
2971+ {
2972+ if (md == NULL)
2973+ md = EVP_md5();
2974+ if (!BIO_set_md(bmd,md))
2975+ {
2976+ BIO_printf(bio_err, "Error setting digest %s\n", pname);
2977+ ERR_print_errors(bio_err);
2978+ goto end;
2979+ }
2980+ }
2981+
2982+ if(sigfile && sigkey) {
2983+ BIO *sigbio;
2984+ sigbio = BIO_new_file(sigfile, "rb");
2985+ siglen = EVP_PKEY_size(sigkey);
2986+ sigbuf = OPENSSL_malloc(siglen);
2987+ if(!sigbio) {
2988+ BIO_printf(bio_err, "Error opening signature file %s\n",
2989+ sigfile);
2990+ ERR_print_errors(bio_err);
2991+ goto end;
2992+ }
2993+ siglen = BIO_read(sigbio, sigbuf, siglen);
2994+ BIO_free(sigbio);
2995+ if(siglen <= 0) {
2996+ BIO_printf(bio_err, "Error reading signature file %s\n",
2997+ sigfile);
2998+ ERR_print_errors(bio_err);
2999+ goto end;
3000+ }
3001+ }
3002+ inp=BIO_push(bmd,in);
3003+
3004+ if (md == NULL)
3005+ {
3006+ EVP_MD_CTX *tctx;
3007+ BIO_get_md_ctx(bmd, &tctx);
3008+ md = EVP_MD_CTX_md(tctx);
3009+ }
3010+
3011+ if (argc == 0)
3012+ {
3013+ BIO_set_fp(in,stdin,BIO_NOCLOSE);
3014+ err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
3015+ siglen,NULL,NULL,"stdin",bmd);
3016+ }
3017+ else
3018+ {
3019+ const char *md_name = NULL, *sig_name = NULL;
3020+ if(!out_bin)
3021+ {
3022+ if (sigkey)
3023+ {
3024+ const EVP_PKEY_ASN1_METHOD *ameth;
3025+ ameth = EVP_PKEY_get0_asn1(sigkey);
3026+ if (ameth)
3027+ EVP_PKEY_asn1_get0_info(NULL, NULL,
3028+ NULL, NULL, &sig_name, ameth);
3029+ }
3030+ md_name = EVP_MD_name(md);
3031+ }
3032+ err = 0;
3033+ for (i=0; i<argc; i++)
3034+ {
3035+ int r;
3036+ if (BIO_read_filename(in,argv[i]) <= 0)
3037+ {
3038+ perror(argv[i]);
3039+ err++;
3040+ continue;
3041+ }
3042+ else
3043+ r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
3044+ siglen,sig_name,md_name, argv[i],bmd);
3045+ if(r)
3046+ err=r;
3047+ (void)BIO_reset(bmd);
3048+ }
3049+ }
3050+end:
3051+ if (buf != NULL)
3052+ {
3053+ OPENSSL_cleanse(buf,BUFSIZE);
3054+ OPENSSL_free(buf);
3055+ }
3056+ if (in != NULL) BIO_free(in);
3057+ if (passin)
3058+ OPENSSL_free(passin);
3059+ BIO_free_all(out);
3060+ EVP_PKEY_free(sigkey);
3061+ if (sigopts)
3062+ sk_OPENSSL_STRING_free(sigopts);
3063+ if (macopts)
3064+ sk_OPENSSL_STRING_free(macopts);
3065+ if(sigbuf) OPENSSL_free(sigbuf);
3066+ if (bmd != NULL) BIO_free(bmd);
3067+ apps_shutdown();
3068+ OPENSSL_EXIT(err);
3069+ }
3070+
3071+int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
3072+ EVP_PKEY *key, unsigned char *sigin, int siglen,
3073+ const char *sig_name, const char *md_name,
3074+ const char *file,BIO *bmd)
3075+ {
3076+ size_t len;
3077+ int i;
3078+
3079+ for (;;)
3080+ {
3081+ i=BIO_read(bp,(char *)buf,BUFSIZE);
3082+ if(i < 0)
3083+ {
3084+ BIO_printf(bio_err, "Read Error in %s\n",file);
3085+ ERR_print_errors(bio_err);
3086+ return 1;
3087+ }
3088+ if (i == 0) break;
3089+ }
3090+ if(sigin)
3091+ {
3092+ EVP_MD_CTX *ctx;
3093+ BIO_get_md_ctx(bp, &ctx);
3094+ i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen);
3095+ if(i > 0)
3096+ BIO_printf(out, "Verified OK\n");
3097+ else if(i == 0)
3098+ {
3099+ BIO_printf(out, "Verification Failure\n");
3100+ return 1;
3101+ }
3102+ else
3103+ {
3104+ BIO_printf(bio_err, "Error Verifying Data\n");
3105+ ERR_print_errors(bio_err);
3106+ return 1;
3107+ }
3108+ return 0;
3109+ }
3110+ if(key)
3111+ {
3112+ EVP_MD_CTX *ctx;
3113+ BIO_get_md_ctx(bp, &ctx);
3114+ len = BUFSIZE;
3115+ if(!EVP_DigestSignFinal(ctx, buf, &len))
3116+ {
3117+ BIO_printf(bio_err, "Error Signing Data\n");
3118+ ERR_print_errors(bio_err);
3119+ return 1;
3120+ }
3121+ }
3122+ else
3123+ {
3124+ len=BIO_gets(bp,(char *)buf,BUFSIZE);
3125+ if ((int)len <0)
3126+ {
3127+ ERR_print_errors(bio_err);
3128+ return 1;
3129+ }
3130+ }
3131+
3132+ if(binout) BIO_write(out, buf, len);
3133+ else if (sep == 2)
3134+ {
3135+ for (i=0; i<(int)len; i++)
3136+ BIO_printf(out, "%02x",buf[i]);
3137+ BIO_printf(out, " *%s\n", file);
3138+ }
3139+ else
3140+ {
3141+ if (sig_name)
3142+ BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file);
3143+ else if (md_name)
3144+ BIO_printf(out, "%s(%s)= ", md_name, file);
3145+ else
3146+ BIO_printf(out, "(%s)= ", file);
3147+ for (i=0; i<(int)len; i++)
3148+ {
3149+ if (sep && (i != 0))
3150+ BIO_printf(out, ":");
3151+ BIO_printf(out, "%02x",buf[i]);
3152+ }
3153+ BIO_printf(out, "\n");
3154+ }
3155+ return 0;
3156+ }
3157+
3158
3159=== added directory '.pc/dgst_hmac.patch/doc'
3160=== added directory '.pc/dgst_hmac.patch/doc/apps'
3161=== added file '.pc/dgst_hmac.patch/doc/apps/dgst.pod'
3162--- .pc/dgst_hmac.patch/doc/apps/dgst.pod 1970-01-01 00:00:00 +0000
3163+++ .pc/dgst_hmac.patch/doc/apps/dgst.pod 2011-09-15 05:17:15 +0000
3164@@ -0,0 +1,162 @@
3165+=pod
3166+
3167+=head1 NAME
3168+
3169+dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests
3170+
3171+=head1 SYNOPSIS
3172+
3173+B<openssl> B<dgst>
3174+[B<-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1>]
3175+[B<-c>]
3176+[B<-d>]
3177+[B<-hex>]
3178+[B<-binary>]
3179+[B<-out filename>]
3180+[B<-sign filename>]
3181+[B<-keyform arg>]
3182+[B<-passin arg>]
3183+[B<-verify filename>]
3184+[B<-prverify filename>]
3185+[B<-signature filename>]
3186+[B<-hmac key>]
3187+[B<file...>]
3188+
3189+[B<md5|md4|md2|sha1|sha|mdc2|ripemd160>]
3190+[B<-c>]
3191+[B<-d>]
3192+[B<file...>]
3193+
3194+=head1 DESCRIPTION
3195+
3196+The digest functions output the message digest of a supplied file or files
3197+in hexadecimal form. They can also be used for digital signing and verification.
3198+
3199+=head1 OPTIONS
3200+
3201+=over 4
3202+
3203+=item B<-c>
3204+
3205+print out the digest in two digit groups separated by colons, only relevant if
3206+B<hex> format output is used.
3207+
3208+=item B<-d>
3209+
3210+print out BIO debugging information.
3211+
3212+=item B<-hex>
3213+
3214+digest is to be output as a hex dump. This is the default case for a "normal"
3215+digest as opposed to a digital signature.
3216+
3217+=item B<-binary>
3218+
3219+output the digest or signature in binary form.
3220+
3221+=item B<-out filename>
3222+
3223+filename to output to, or standard output by default.
3224+
3225+=item B<-sign filename>
3226+
3227+digitally sign the digest using the private key in "filename".
3228+
3229+=item B<-keyform arg>
3230+
3231+Specifies the key format to sign digest with. Only PEM and ENGINE
3232+formats are supported by the B<dgst> command.
3233+
3234+=item B<-engine id>
3235+
3236+Use engine B<id> for operations (including private key storage).
3237+This engine is not used as source for digest algorithms, unless it is
3238+also specified in the configuration file.
3239+
3240+=item B<-sigopt nm:v>
3241+
3242+Pass options to the signature algorithm during sign or verify operations.
3243+Names and values of these options are algorithm-specific.
3244+
3245+
3246+=item B<-passin arg>
3247+
3248+the private key password source. For more information about the format of B<arg>
3249+see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
3250+
3251+=item B<-verify filename>
3252+
3253+verify the signature using the the public key in "filename".
3254+The output is either "Verification OK" or "Verification Failure".
3255+
3256+=item B<-prverify filename>
3257+
3258+verify the signature using the the private key in "filename".
3259+
3260+=item B<-signature filename>
3261+
3262+the actual signature to verify.
3263+
3264+=item B<-hmac key>
3265+
3266+create a hashed MAC using "key".
3267+
3268+=item B<-mac alg>
3269+
3270+create MAC (keyed Message Authentication Code). The most popular MAC
3271+algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
3272+which are not based on hash, for instance B<gost-mac> algorithm,
3273+supported by B<ccgost> engine. MAC keys and other options should be set
3274+via B<-macopt> parameter.
3275+
3276+=item B<-macopt nm:v>
3277+
3278+Passes options to MAC algorithm, specified by B<-mac> key.
3279+Following options are supported by both by B<HMAC> and B<gost-mac>:
3280+
3281+=over 8
3282+
3283+=item B<key:string>
3284+
3285+Specifies MAC key as alphnumeric string (use if key contain printable
3286+characters only). String length must conform to any restrictions of
3287+the MAC algorithm for example exactly 32 chars for gost-mac.
3288+
3289+=item B<hexkey:string>
3290+
3291+Specifies MAC key in hexadecimal form (two hex digits per byte).
3292+Key length must conform to any restrictions of the MAC algorithm
3293+for example exactly 32 chars for gost-mac.
3294+
3295+=back
3296+
3297+=item B<-rand file(s)>
3298+
3299+a file or files containing random data used to seed the random number
3300+generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
3301+Multiple files can be specified separated by a OS-dependent character.
3302+The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
3303+all others.
3304+
3305+=item B<file...>
3306+
3307+file or files to digest. If no files are specified then standard input is
3308+used.
3309+
3310+=back
3311+
3312+=head1 NOTES
3313+
3314+The digest of choice for all new applications is SHA1. Other digests are
3315+however still widely used.
3316+
3317+If you wish to sign or verify data using the DSA algorithm then the dss1
3318+digest must be used.
3319+
3320+A source of random numbers is required for certain signing algorithms, in
3321+particular DSA.
3322+
3323+The signing and verify options should only be used if a single file is
3324+being signed or verified.
3325+
3326+=cut
3327
3328=== modified file '.pc/engines-path.patch/Configure'
3329--- .pc/engines-path.patch/Configure 2010-12-19 16:24:16 +0000
3330+++ .pc/engines-path.patch/Configure 2011-09-15 05:17:15 +0000
3331@@ -362,6 +362,7 @@
3332 "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3333 "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3334 "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3335+"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3336 "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3337 "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3338 "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3339@@ -370,7 +371,7 @@
3340 "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3341 "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3342 "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3343-"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3344+"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
3345
3346 ####
3347 #### Variety of LINUX:-)
3348
3349=== modified file '.pc/gnu_source.patch/crypto/dso/dso_dlfcn.c'
3350--- .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c 2010-12-19 16:24:16 +0000
3351+++ .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c 2011-09-15 05:17:15 +0000
3352@@ -85,6 +85,7 @@
3353 # define HAVE_DLINFO 1
3354 # if defined(_AIX) || defined(__CYGWIN__) || \
3355 defined(__SCO_VERSION__) || defined(_SCO_ELF) || \
3356+ (defined(__osf__) && !defined(RTLD_NEXT)) || \
3357 (defined(__OpenBSD__) && !defined(RTLD_SELF))
3358 # undef HAVE_DLINFO
3359 # endif
3360
3361=== added directory '.pc/libdoc-manpgs-pod-spell.patch'
3362=== added directory '.pc/libdoc-manpgs-pod-spell.patch/doc'
3363=== added directory '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto'
3364=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod'
3365--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod 1970-01-01 00:00:00 +0000
3366+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod 2011-09-15 05:17:15 +0000
3367@@ -0,0 +1,265 @@
3368+=pod
3369+
3370+=head1 NAME
3371+
3372+ASN1_generate_nconf, ASN1_generate_v3 - ASN1 generation functions
3373+
3374+=head1 SYNOPSIS
3375+
3376+ #include <openssl/asn1.h>
3377+
3378+ ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf);
3379+ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf);
3380+
3381+=head1 DESCRIPTION
3382+
3383+These functions generate the ASN1 encoding of a string
3384+in an B<ASN1_TYPE> structure.
3385+
3386+B<str> contains the string to encode B<nconf> or B<cnf> contains
3387+the optional configuration information where additional strings
3388+will be read from. B<nconf> will typically come from a config
3389+file wherease B<cnf> is obtained from an B<X509V3_CTX> structure
3390+which will typically be used by X509 v3 certificate extension
3391+functions. B<cnf> or B<nconf> can be set to B<NULL> if no additional
3392+configuration will be used.
3393+
3394+=head1 GENERATION STRING FORMAT
3395+
3396+The actual data encoded is determined by the string B<str> and
3397+the configuration information. The general format of the string
3398+is:
3399+
3400+=over 2
3401+
3402+=item B<[modifier,]type[:value]>
3403+
3404+=back
3405+
3406+That is zero or more comma separated modifiers followed by a type
3407+followed by an optional colon and a value. The formats of B<type>,
3408+B<value> and B<modifier> are explained below.
3409+
3410+=head2 SUPPORTED TYPES
3411+
3412+The supported types are listed below. Unless otherwise specified
3413+only the B<ASCII> format is permissible.
3414+
3415+=over 2
3416+
3417+=item B<BOOLEAN>, B<BOOL>
3418+
3419+This encodes a boolean type. The B<value> string is mandatory and
3420+should be B<TRUE> or B<FALSE>. Additionally B<TRUE>, B<true>, B<Y>,
3421+B<y>, B<YES>, B<yes>, B<FALSE>, B<false>, B<N>, B<n>, B<NO> and B<no>
3422+are acceptable.
3423+
3424+=item B<NULL>
3425+
3426+Encode the B<NULL> type, the B<value> string must not be present.
3427+
3428+=item B<INTEGER>, B<INT>
3429+
3430+Encodes an ASN1 B<INTEGER> type. The B<value> string represents
3431+the value of the integer, it can be preceeded by a minus sign and
3432+is normally interpreted as a decimal value unless the prefix B<0x>
3433+is included.
3434+
3435+=item B<ENUMERATED>, B<ENUM>
3436+
3437+Encodes the ASN1 B<ENUMERATED> type, it is otherwise identical to
3438+B<INTEGER>.
3439+
3440+=item B<OBJECT>, B<OID>
3441+
3442+Encodes an ASN1 B<OBJECT IDENTIFIER>, the B<value> string can be
3443+a short name, a long name or numerical format.
3444+
3445+=item B<UTCTIME>, B<UTC>
3446+
3447+Encodes an ASN1 B<UTCTime> structure, the value should be in
3448+the format B<YYMMDDHHMMSSZ>.
3449+
3450+=item B<GENERALIZEDTIME>, B<GENTIME>
3451+
3452+Encodes an ASN1 B<GeneralizedTime> structure, the value should be in
3453+the format B<YYYYMMDDHHMMSSZ>.
3454+
3455+=item B<OCTETSTRING>, B<OCT>
3456+
3457+Encodes an ASN1 B<OCTET STRING>. B<value> represents the contents
3458+of this structure, the format strings B<ASCII> and B<HEX> can be
3459+used to specify the format of B<value>.
3460+
3461+=item B<BITSTRING>, B<BITSTR>
3462+
3463+Encodes an ASN1 B<BIT STRING>. B<value> represents the contents
3464+of this structure, the format strings B<ASCII>, B<HEX> and B<BITLIST>
3465+can be used to specify the format of B<value>.
3466+
3467+If the format is anything other than B<BITLIST> the number of unused
3468+bits is set to zero.
3469+
3470+=item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>,
3471+B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>,
3472+B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>,
3473+B<T61STRING>, B<TELETEXSTRING>, B<GeneralString>, B<NUMERICSTRING>,
3474+B<NUMERIC>
3475+
3476+These encode the corresponding string types. B<value> represents the
3477+contents of this structure. The format can be B<ASCII> or B<UTF8>.
3478+
3479+=item B<SEQUENCE>, B<SEQ>, B<SET>
3480+
3481+Formats the result as an ASN1 B<SEQUENCE> or B<SET> type. B<value>
3482+should be a section name which will contain the contents. The
3483+field names in the section are ignored and the values are in the
3484+generated string format. If B<value> is absent then an empty SEQUENCE
3485+will be encoded.
3486+
3487+=back
3488+
3489+=head2 MODIFIERS
3490+
3491+Modifiers affect the following structure, they can be used to
3492+add EXPLICIT or IMPLICIT tagging, add wrappers or to change
3493+the string format of the final type and value. The supported
3494+formats are documented below.
3495+
3496+=over 2
3497+
3498+=item B<EXPLICIT>, B<EXP>
3499+
3500+Add an explicit tag to the following structure. This string
3501+should be followed by a colon and the tag value to use as a
3502+decimal value.
3503+
3504+By following the number with B<U>, B<A>, B<P> or B<C> UNIVERSAL,
3505+APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used,
3506+the default is CONTEXT SPECIFIC.
3507+
3508+=item B<IMPLICIT>, B<IMP>
3509+
3510+This is the same as B<EXPLICIT> except IMPLICIT tagging is used
3511+instead.
3512+
3513+=item B<OCTWRAP>, B<SEQWRAP>, B<SETWRAP>, B<BITWRAP>
3514+
3515+The following structure is surrounded by an OCTET STRING, a SEQUENCE,
3516+a SET or a BIT STRING respectively. For a BIT STRING the number of unused
3517+bits is set to zero.
3518+
3519+=item B<FORMAT>
3520+
3521+This specifies the format of the ultimate value. It should be followed
3522+by a colon and one of the strings B<ASCII>, B<UTF8>, B<HEX> or B<BITLIST>.
3523+
3524+If no format specifier is included then B<ASCII> is used. If B<UTF8> is
3525+specified then the value string must be a valid B<UTF8> string. For B<HEX> the
3526+output must be a set of hex digits. B<BITLIST> (which is only valid for a BIT
3527+STRING) is a comma separated list of the indices of the set bits, all other
3528+bits are zero.
3529+
3530+=back
3531+
3532+=head1 EXAMPLES
3533+
3534+A simple IA5String:
3535+
3536+ IA5STRING:Hello World
3537+
3538+An IA5String explicitly tagged:
3539+
3540+ EXPLICIT:0,IA5STRING:Hello World
3541+
3542+An IA5String explicitly tagged using APPLICATION tagging:
3543+
3544+ EXPLICIT:0A,IA5STRING:Hello World
3545+
3546+A BITSTRING with bits 1 and 5 set and all others zero:
3547+
3548+ FORMAT:BITLIST,BITSTRING:1,5
3549+
3550+A more complex example using a config file to produce a
3551+SEQUENCE consiting of a BOOL an OID and a UTF8String:
3552+
3553+ asn1 = SEQUENCE:seq_section
3554+
3555+ [seq_section]
3556+
3557+ field1 = BOOLEAN:TRUE
3558+ field2 = OID:commonName
3559+ field3 = UTF8:Third field
3560+
3561+This example produces an RSAPrivateKey structure, this is the
3562+key contained in the file client.pem in all OpenSSL distributions
3563+(note: the field names such as 'coeff' are ignored and are present just
3564+for clarity):
3565+
3566+ asn1=SEQUENCE:private_key
3567+ [private_key]
3568+ version=INTEGER:0
3569+
3570+ n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
3571+ D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
3572+
3573+ e=INTEGER:0x010001
3574+
3575+ d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\
3576+ F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D
3577+
3578+ p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\
3579+ D4BD57
3580+
3581+ q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\
3582+ 46EC4F
3583+
3584+ exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\
3585+ 9C0A39B9
3586+
3587+ exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\
3588+ E7B2458F
3589+
3590+ coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\
3591+ 628657053A
3592+
3593+This example is the corresponding public key in a SubjectPublicKeyInfo
3594+structure:
3595+
3596+ # Start with a SEQUENCE
3597+ asn1=SEQUENCE:pubkeyinfo
3598+
3599+ # pubkeyinfo contains an algorithm identifier and the public key wrapped
3600+ # in a BIT STRING
3601+ [pubkeyinfo]
3602+ algorithm=SEQUENCE:rsa_alg
3603+ pubkey=BITWRAP,SEQUENCE:rsapubkey
3604+
3605+ # algorithm ID for RSA is just an OID and a NULL
3606+ [rsa_alg]
3607+ algorithm=OID:rsaEncryption
3608+ parameter=NULL
3609+
3610+ # Actual public key: modulus and exponent
3611+ [rsapubkey]
3612+ n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
3613+ D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
3614+
3615+ e=INTEGER:0x010001
3616+
3617+=head1 RETURN VALUES
3618+
3619+ASN1_generate_nconf() and ASN1_generate_v3() return the encoded
3620+data as an B<ASN1_TYPE> structure or B<NULL> if an error occurred.
3621+
3622+The error codes that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
3623+
3624+=head1 SEE ALSO
3625+
3626+L<ERR_get_error(3)|ERR_get_error(3)>
3627+
3628+=head1 HISTORY
3629+
3630+ASN1_generate_nconf() and ASN1_generate_v3() were added to OpenSSL 0.9.8
3631+
3632+=cut
3633
3634=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod'
3635--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod 1970-01-01 00:00:00 +0000
3636+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod 2011-09-15 05:17:15 +0000
3637@@ -0,0 +1,115 @@
3638+=pod
3639+
3640+=head1 NAME
3641+
3642+BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert,
3643+BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex,
3644+BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_get_flags,
3645+BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM
3646+functions.
3647+
3648+=head1 SYNOPSIS
3649+
3650+ #include <openssl/bn.h>
3651+
3652+ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai,
3653+ BIGNUM *mod);
3654+ void BN_BLINDING_free(BN_BLINDING *b);
3655+ int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
3656+ int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
3657+ int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
3658+ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b,
3659+ BN_CTX *ctx);
3660+ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
3661+ BN_CTX *ctx);
3662+ #ifndef OPENSSL_NO_DEPRECATED
3663+ unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
3664+ void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
3665+ #endif
3666+ CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
3667+ unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
3668+ void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
3669+ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
3670+ const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
3671+ int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
3672+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
3673+ BN_MONT_CTX *m_ctx);
3674+
3675+=head1 DESCRIPTION
3676+
3677+BN_BLINDING_new() allocates a new B<BN_BLINDING> structure and copies
3678+the B<A> and B<Ai> values into the newly created B<BN_BLINDING> object.
3679+
3680+BN_BLINDING_free() frees the B<BN_BLINDING> structure.
3681+
3682+BN_BLINDING_update() updates the B<BN_BLINDING> parameters by squaring
3683+the B<A> and B<Ai> or, after specific number of uses and if the
3684+necessary parameters are set, by re-creating the blinding parameters.
3685+
3686+BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>.
3687+If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be
3688+returned in B<r> (this is useful if a B<RSA> object is shared amoung
3689+several threads). BN_BLINDING_invert_ex() multiplies B<n> with the
3690+inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as
3691+the inverse blinding.
3692+
3693+BN_BLINDING_convert() and BN_BLINDING_invert() are wrapper
3694+functions for BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex()
3695+with B<r> set to NULL.
3696+
3697+BN_BLINDING_thread_id() provides access to the B<CRYPTO_THREADID>
3698+object within the B<BN_BLINDING> structure. This is to help users
3699+provide proper locking if needed for multi-threaded use. The "thread
3700+id" object of a newly allocated B<BN_BLINDING> structure is
3701+initialised to the thread id in which BN_BLINDING_new() was called.
3702+
3703+BN_BLINDING_get_flags() returns the BN_BLINDING flags. Currently
3704+there are two supported flags: B<BN_BLINDING_NO_UPDATE> and
3705+B<BN_BLINDING_NO_RECREATE>. B<BN_BLINDING_NO_UPDATE> inhibits the
3706+automatic update of the B<BN_BLINDING> parameters after each use
3707+and B<BN_BLINDING_NO_RECREATE> inhibits the automatic re-creation
3708+of the B<BN_BLINDING> parameters after a fixed number of uses (currently
3709+32). In newly allocated B<BN_BLINDING> objects no flags are set.
3710+BN_BLINDING_set_flags() sets the B<BN_BLINDING> parameters flags.
3711+
3712+BN_BLINDING_create_param() creates new B<BN_BLINDING> parameters
3713+using the exponent B<e> and the modulus B<m>. B<bn_mod_exp> and
3714+B<m_ctx> can be used to pass special functions for exponentiation
3715+(normally BN_mod_exp_mont() and B<BN_MONT_CTX>).
3716+
3717+=head1 RETURN VALUES
3718+
3719+BN_BLINDING_new() returns the newly allocated B<BN_BLINDING> structure
3720+or NULL in case of an error.
3721+
3722+BN_BLINDING_update(), BN_BLINDING_convert(), BN_BLINDING_invert(),
3723+BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() return 1 on
3724+success and 0 if an error occured.
3725+
3726+BN_BLINDING_thread_id() returns a pointer to the thread id object
3727+within a B<BN_BLINDING> object.
3728+
3729+BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags
3730+(a B<unsigned long> value).
3731+
3732+BN_BLINDING_create_param() returns the newly created B<BN_BLINDING>
3733+parameters or NULL on error.
3734+
3735+=head1 SEE ALSO
3736+
3737+L<bn(3)|bn(3)>
3738+
3739+=head1 HISTORY
3740+
3741+BN_BLINDING_thread_id was first introduced in OpenSSL 1.0.0, and it
3742+deprecates BN_BLINDING_set_thread_id and BN_BLINDING_get_thread_id.
3743+
3744+BN_BLINDING_convert_ex, BN_BLINDIND_invert_ex, BN_BLINDING_get_thread_id,
3745+BN_BLINDING_set_thread_id, BN_BLINDING_set_flags, BN_BLINDING_get_flags
3746+and BN_BLINDING_create_param were first introduced in OpenSSL 0.9.8
3747+
3748+=head1 AUTHOR
3749+
3750+Nils Larsch for the OpenSSL project (http://www.openssl.org).
3751+
3752+=cut
3753
3754=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod'
3755--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod 1970-01-01 00:00:00 +0000
3756+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod 2011-09-15 05:17:15 +0000
3757@@ -0,0 +1,67 @@
3758+=pod
3759+
3760+=head1 NAME
3761+
3762+EVP_BytesToKey - password based encryption routine
3763+
3764+=head1 SYNOPSIS
3765+
3766+ #include <openssl/evp.h>
3767+
3768+ int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
3769+ const unsigned char *salt,
3770+ const unsigned char *data, int datal, int count,
3771+ unsigned char *key,unsigned char *iv);
3772+
3773+=head1 DESCRIPTION
3774+
3775+EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
3776+the cipher to derive the key and IV for. B<md> is the message digest to use.
3777+The B<salt> paramter is used as a salt in the derivation: it should point to
3778+an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
3779+B<datal> bytes which is used to derive the keying data. B<count> is the
3780+iteration count to use. The derived key and IV will be written to B<key>
3781+and B<iv> respectively.
3782+
3783+=head1 NOTES
3784+
3785+A typical application of this function is to derive keying material for an
3786+encryption algorithm from a password in the B<data> parameter.
3787+
3788+Increasing the B<count> parameter slows down the algorithm which makes it
3789+harder for an attacker to peform a brute force attack using a large number
3790+of candidate passwords.
3791+
3792+If the total key and IV length is less than the digest length and
3793+B<MD5> is used then the derivation algorithm is compatible with PKCS#5 v1.5
3794+otherwise a non standard extension is used to derive the extra data.
3795+
3796+Newer applications should use more standard algorithms such as PKCS#5
3797+v2.0 for key derivation.
3798+
3799+=head1 KEY DERIVATION ALGORITHM
3800+
3801+The key and IV is derived by concatenating D_1, D_2, etc until
3802+enough data is available for the key and IV. D_i is defined as:
3803+
3804+ D_i = HASH^count(D_(i-1) || data || salt)
3805+
3806+where || denotes concatentaion, D_0 is empty, HASH is the digest
3807+algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data)
3808+is HASH(HASH(data)) and so on.
3809+
3810+The initial bytes are used for the key and the subsequent bytes for
3811+the IV.
3812+
3813+=head1 RETURN VALUES
3814+
3815+EVP_BytesToKey() returns the size of the derived key in bytes.
3816+
3817+=head1 SEE ALSO
3818+
3819+L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
3820+L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
3821+
3822+=head1 HISTORY
3823+
3824+=cut
3825
3826=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod'
3827--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod 1970-01-01 00:00:00 +0000
3828+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod 2011-09-15 05:17:15 +0000
3829@@ -0,0 +1,511 @@
3830+=pod
3831+
3832+=head1 NAME
3833+
3834+EVP_CIPHER_CTX_init, EVP_EncryptInit_ex, EVP_EncryptUpdate,
3835+EVP_EncryptFinal_ex, EVP_DecryptInit_ex, EVP_DecryptUpdate,
3836+EVP_DecryptFinal_ex, EVP_CipherInit_ex, EVP_CipherUpdate,
3837+EVP_CipherFinal_ex, EVP_CIPHER_CTX_set_key_length,
3838+EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX_cleanup, EVP_EncryptInit,
3839+EVP_EncryptFinal, EVP_DecryptInit, EVP_DecryptFinal,
3840+EVP_CipherInit, EVP_CipherFinal, EVP_get_cipherbyname,
3841+EVP_get_cipherbynid, EVP_get_cipherbyobj, EVP_CIPHER_nid,
3842+EVP_CIPHER_block_size, EVP_CIPHER_key_length, EVP_CIPHER_iv_length,
3843+EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher,
3844+EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length,
3845+EVP_CIPHER_CTX_iv_length, EVP_CIPHER_CTX_get_app_data,
3846+EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type, EVP_CIPHER_CTX_flags,
3847+EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param,
3848+EVP_CIPHER_CTX_set_padding - EVP cipher routines
3849+
3850+=head1 SYNOPSIS
3851+
3852+ #include <openssl/evp.h>
3853+
3854+ void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
3855+
3856+ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
3857+ ENGINE *impl, unsigned char *key, unsigned char *iv);
3858+ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
3859+ int *outl, unsigned char *in, int inl);
3860+ int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out,
3861+ int *outl);
3862+
3863+ int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
3864+ ENGINE *impl, unsigned char *key, unsigned char *iv);
3865+ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
3866+ int *outl, unsigned char *in, int inl);
3867+ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
3868+ int *outl);
3869+
3870+ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
3871+ ENGINE *impl, unsigned char *key, unsigned char *iv, int enc);
3872+ int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
3873+ int *outl, unsigned char *in, int inl);
3874+ int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
3875+ int *outl);
3876+
3877+ int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
3878+ unsigned char *key, unsigned char *iv);
3879+ int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
3880+ int *outl);
3881+
3882+ int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
3883+ unsigned char *key, unsigned char *iv);
3884+ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
3885+ int *outl);
3886+
3887+ int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
3888+ unsigned char *key, unsigned char *iv, int enc);
3889+ int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
3890+ int *outl);
3891+
3892+ int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
3893+ int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
3894+ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
3895+ int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
3896+
3897+ const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
3898+ #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a))
3899+ #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a))
3900+
3901+ #define EVP_CIPHER_nid(e) ((e)->nid)
3902+ #define EVP_CIPHER_block_size(e) ((e)->block_size)
3903+ #define EVP_CIPHER_key_length(e) ((e)->key_len)
3904+ #define EVP_CIPHER_iv_length(e) ((e)->iv_len)
3905+ #define EVP_CIPHER_flags(e) ((e)->flags)
3906+ #define EVP_CIPHER_mode(e) ((e)->flags) & EVP_CIPH_MODE)
3907+ int EVP_CIPHER_type(const EVP_CIPHER *ctx);
3908+
3909+ #define EVP_CIPHER_CTX_cipher(e) ((e)->cipher)
3910+ #define EVP_CIPHER_CTX_nid(e) ((e)->cipher->nid)
3911+ #define EVP_CIPHER_CTX_block_size(e) ((e)->cipher->block_size)
3912+ #define EVP_CIPHER_CTX_key_length(e) ((e)->key_len)
3913+ #define EVP_CIPHER_CTX_iv_length(e) ((e)->cipher->iv_len)
3914+ #define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
3915+ #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d))
3916+ #define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
3917+ #define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags)
3918+ #define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE)
3919+
3920+ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
3921+ int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
3922+
3923+=head1 DESCRIPTION
3924+
3925+The EVP cipher routines are a high level interface to certain
3926+symmetric ciphers.
3927+
3928+EVP_CIPHER_CTX_init() initializes cipher contex B<ctx>.
3929+
3930+EVP_EncryptInit_ex() sets up cipher context B<ctx> for encryption
3931+with cipher B<type> from ENGINE B<impl>. B<ctx> must be initialized
3932+before calling this function. B<type> is normally supplied
3933+by a function such as EVP_des_cbc(). If B<impl> is NULL then the
3934+default implementation is used. B<key> is the symmetric key to use
3935+and B<iv> is the IV to use (if necessary), the actual number of bytes
3936+used for the key and IV depends on the cipher. It is possible to set
3937+all parameters to NULL except B<type> in an initial call and supply
3938+the remaining parameters in subsequent calls, all of which have B<type>
3939+set to NULL. This is done when the default cipher parameters are not
3940+appropriate.
3941+
3942+EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
3943+writes the encrypted version to B<out>. This function can be called
3944+multiple times to encrypt successive blocks of data. The amount
3945+of data written depends on the block alignment of the encrypted data:
3946+as a result the amount of data written may be anything from zero bytes
3947+to (inl + cipher_block_size - 1) so B<outl> should contain sufficient
3948+room. The actual number of bytes written is placed in B<outl>.
3949+
3950+If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
3951+the "final" data, that is any data that remains in a partial block.
3952+It uses L<standard block padding|/NOTES> (aka PKCS padding). The encrypted
3953+final data is written to B<out> which should have sufficient space for
3954+one cipher block. The number of bytes written is placed in B<outl>. After
3955+this function is called the encryption operation is finished and no further
3956+calls to EVP_EncryptUpdate() should be made.
3957+
3958+If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more
3959+data and it will return an error if any data remains in a partial block:
3960+that is if the total data length is not a multiple of the block size.
3961+
3962+EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex() are the
3963+corresponding decryption operations. EVP_DecryptFinal() will return an
3964+error code if padding is enabled and the final block is not correctly
3965+formatted. The parameters and restrictions are identical to the encryption
3966+operations except that if padding is enabled the decrypted data buffer B<out>
3967+passed to EVP_DecryptUpdate() should have sufficient room for
3968+(B<inl> + cipher_block_size) bytes unless the cipher block size is 1 in
3969+which case B<inl> bytes is sufficient.
3970+
3971+EVP_CipherInit_ex(), EVP_CipherUpdate() and EVP_CipherFinal_ex() are
3972+functions that can be used for decryption or encryption. The operation
3973+performed depends on the value of the B<enc> parameter. It should be set
3974+to 1 for encryption, 0 for decryption and -1 to leave the value unchanged
3975+(the actual value of 'enc' being supplied in a previous call).
3976+
3977+EVP_CIPHER_CTX_cleanup() clears all information from a cipher context
3978+and free up any allocated memory associate with it. It should be called
3979+after all operations using a cipher are complete so sensitive information
3980+does not remain in memory.
3981+
3982+EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a
3983+similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and
3984+EVP_CipherInit_ex() except the B<ctx> paramter does not need to be
3985+initialized and they always use the default cipher implementation.
3986+
3987+EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a
3988+similar way to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and
3989+EVP_CipherFinal_ex() except B<ctx> is automatically cleaned up
3990+after the call.
3991+
3992+EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
3993+return an EVP_CIPHER structure when passed a cipher name, a NID or an
3994+ASN1_OBJECT structure.
3995+
3996+EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return the NID of a cipher when
3997+passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure. The actual NID
3998+value is an internal value which may not have a corresponding OBJECT
3999+IDENTIFIER.
4000+
4001+EVP_CIPHER_CTX_set_padding() enables or disables padding. By default
4002+encryption operations are padded using standard block padding and the
4003+padding is checked and removed when decrypting. If the B<pad> parameter
4004+is zero then no padding is performed, the total amount of data encrypted
4005+or decrypted must then be a multiple of the block size or an error will
4006+occur.
4007+
4008+EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
4009+length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
4010+structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum key length
4011+for all ciphers. Note: although EVP_CIPHER_key_length() is fixed for a
4012+given cipher, the value of EVP_CIPHER_CTX_key_length() may be different
4013+for variable key length ciphers.
4014+
4015+EVP_CIPHER_CTX_set_key_length() sets the key length of the cipher ctx.
4016+If the cipher is a fixed length cipher then attempting to set the key
4017+length to any value other than the fixed value is an error.
4018+
4019+EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
4020+length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>.
4021+It will return zero if the cipher does not use an IV. The constant
4022+B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers.
4023+
4024+EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
4025+size of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
4026+structure. The constant B<EVP_MAX_IV_LENGTH> is also the maximum block
4027+length for all ciphers.
4028+
4029+EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the type of the passed
4030+cipher or context. This "type" is the actual NID of the cipher OBJECT
4031+IDENTIFIER as such it ignores the cipher parameters and 40 bit RC2 and
4032+128 bit RC2 have the same NID. If the cipher does not have an object
4033+identifier or does not have ASN1 support this function will return
4034+B<NID_undef>.
4035+
4036+EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed
4037+an B<EVP_CIPHER_CTX> structure.
4038+
4039+EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode() return the block cipher mode:
4040+EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE or
4041+EVP_CIPH_OFB_MODE. If the cipher is a stream cipher then
4042+EVP_CIPH_STREAM_CIPHER is returned.
4043+
4044+EVP_CIPHER_param_to_asn1() sets the AlgorithmIdentifier "parameter" based
4045+on the passed cipher. This will typically include any parameters and an
4046+IV. The cipher IV (if any) must be set when this call is made. This call
4047+should be made before the cipher is actually "used" (before any
4048+EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). This function
4049+may fail if the cipher does not have any ASN1 support.
4050+
4051+EVP_CIPHER_asn1_to_param() sets the cipher parameters based on an ASN1
4052+AlgorithmIdentifier "parameter". The precise effect depends on the cipher
4053+In the case of RC2, for example, it will set the IV and effective key length.
4054+This function should be called after the base cipher type is set but before
4055+the key is set. For example EVP_CipherInit() will be called with the IV and
4056+key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
4057+EVP_CipherInit() again with all parameters except the key set to NULL. It is
4058+possible for this function to fail if the cipher does not have any ASN1 support
4059+or the parameters cannot be set (for example the RC2 effective key length
4060+is not supported.
4061+
4062+EVP_CIPHER_CTX_ctrl() allows various cipher specific parameters to be determined
4063+and set. Currently only the RC2 effective key length and the number of rounds of
4064+RC5 can be set.
4065+
4066+=head1 RETURN VALUES
4067+
4068+EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
4069+return 1 for success and 0 for failure.
4070+
4071+EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
4072+EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
4073+
4074+EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for failure.
4075+EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
4076+
4077+EVP_CIPHER_CTX_cleanup() returns 1 for success and 0 for failure.
4078+
4079+EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
4080+return an B<EVP_CIPHER> structure or NULL on error.
4081+
4082+EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID.
4083+
4084+EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
4085+size.
4086+
4087+EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
4088+length.
4089+
4090+EVP_CIPHER_CTX_set_padding() always returns 1.
4091+
4092+EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
4093+length or zero if the cipher does not use an IV.
4094+
4095+EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's
4096+OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
4097+
4098+EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
4099+
4100+EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for
4101+success or zero for failure.
4102+
4103+=head1 CIPHER LISTING
4104+
4105+All algorithms have a fixed key length unless otherwise stated.
4106+
4107+=over 4
4108+
4109+=item EVP_enc_null()
4110+
4111+Null cipher: does nothing.
4112+
4113+=item EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void)
4114+
4115+DES in CBC, ECB, CFB and OFB modes respectively.
4116+
4117+=item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void), EVP_des_ede_cfb(void)
4118+
4119+Two key triple DES in CBC, ECB, CFB and OFB modes respectively.
4120+
4121+=item EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void), EVP_des_ede3_cfb(void)
4122+
4123+Three key triple DES in CBC, ECB, CFB and OFB modes respectively.
4124+
4125+=item EVP_desx_cbc(void)
4126+
4127+DESX algorithm in CBC mode.
4128+
4129+=item EVP_rc4(void)
4130+
4131+RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
4132+
4133+=item EVP_rc4_40(void)
4134+
4135+RC4 stream cipher with 40 bit key length. This is obsolete and new code should use EVP_rc4()
4136+and the EVP_CIPHER_CTX_set_key_length() function.
4137+
4138+=item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void), EVP_idea_cbc(void)
4139+
4140+IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
4141+
4142+=item EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void)
4143+
4144+RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
4145+length cipher with an additional parameter called "effective key bits" or "effective key length".
4146+By default both are set to 128 bits.
4147+
4148+=item EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void)
4149+
4150+RC2 algorithm in CBC mode with a default key length and effective key length of 40 and 64 bits.
4151+These are obsolete and new code should use EVP_rc2_cbc(), EVP_CIPHER_CTX_set_key_length() and
4152+EVP_CIPHER_CTX_ctrl() to set the key length and effective key length.
4153+
4154+=item EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void);
4155+
4156+Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
4157+length cipher.
4158+
4159+=item EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void)
4160+
4161+CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
4162+length cipher.
4163+
4164+=item EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)
4165+
4166+RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key length
4167+cipher with an additional "number of rounds" parameter. By default the key length is set to 128
4168+bits and 12 rounds.
4169+
4170+=back
4171+
4172+=head1 NOTES
4173+
4174+Where possible the B<EVP> interface to symmetric ciphers should be used in
4175+preference to the low level interfaces. This is because the code then becomes
4176+transparent to the cipher used and much more flexible.
4177+
4178+PKCS padding works by adding B<n> padding bytes of value B<n> to make the total
4179+length of the encrypted data a multiple of the block size. Padding is always
4180+added so if the data is already a multiple of the block size B<n> will equal
4181+the block size. For example if the block size is 8 and 11 bytes are to be
4182+encrypted then 5 padding bytes of value 5 will be added.
4183+
4184+When decrypting the final block is checked to see if it has the correct form.
4185+
4186+Although the decryption operation can produce an error if padding is enabled,
4187+it is not a strong test that the input data or key is correct. A random block
4188+has better than 1 in 256 chance of being of the correct format and problems with
4189+the input data earlier on will not produce a final decrypt error.
4190+
4191+If padding is disabled then the decryption operation will always succeed if
4192+the total amount of data decrypted is a multiple of the block size.
4193+
4194+The functions EVP_EncryptInit(), EVP_EncryptFinal(), EVP_DecryptInit(),
4195+EVP_CipherInit() and EVP_CipherFinal() are obsolete but are retained for
4196+compatibility with existing code. New code should use EVP_EncryptInit_ex(),
4197+EVP_EncryptFinal_ex(), EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(),
4198+EVP_CipherInit_ex() and EVP_CipherFinal_ex() because they can reuse an
4199+existing context without allocating and freeing it up on each call.
4200+
4201+=head1 BUGS
4202+
4203+For RC5 the number of rounds can currently only be set to 8, 12 or 16. This is
4204+a limitation of the current RC5 code rather than the EVP interface.
4205+
4206+EVP_MAX_KEY_LENGTH and EVP_MAX_IV_LENGTH only refer to the internal ciphers with
4207+default key lengths. If custom ciphers exceed these values the results are
4208+unpredictable. This is because it has become standard practice to define a
4209+generic key as a fixed unsigned char array containing EVP_MAX_KEY_LENGTH bytes.
4210+
4211+The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested
4212+for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
4213+
4214+=head1 EXAMPLES
4215+
4216+Get the number of rounds used in RC5:
4217+
4218+ int nrounds;
4219+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &nrounds);
4220+
4221+Get the RC2 effective key length:
4222+
4223+ int key_bits;
4224+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC2_KEY_BITS, 0, &key_bits);
4225+
4226+Set the number of rounds used in RC5:
4227+
4228+ int nrounds;
4229+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, nrounds, NULL);
4230+
4231+Set the effective key length used in RC2:
4232+
4233+ int key_bits;
4234+ EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
4235+
4236+Encrypt a string using blowfish:
4237+
4238+ int do_crypt(char *outfile)
4239+ {
4240+ unsigned char outbuf[1024];
4241+ int outlen, tmplen;
4242+ /* Bogus key and IV: we'd normally set these from
4243+ * another source.
4244+ */
4245+ unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
4246+ unsigned char iv[] = {1,2,3,4,5,6,7,8};
4247+ char intext[] = "Some Crypto Text";
4248+ EVP_CIPHER_CTX ctx;
4249+ FILE *out;
4250+ EVP_CIPHER_CTX_init(&ctx);
4251+ EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);
4252+
4253+ if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext)))
4254+ {
4255+ /* Error */
4256+ return 0;
4257+ }
4258+ /* Buffer passed to EVP_EncryptFinal() must be after data just
4259+ * encrypted to avoid overwriting it.
4260+ */
4261+ if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen))
4262+ {
4263+ /* Error */
4264+ return 0;
4265+ }
4266+ outlen += tmplen;
4267+ EVP_CIPHER_CTX_cleanup(&ctx);
4268+ /* Need binary mode for fopen because encrypted data is
4269+ * binary data. Also cannot use strlen() on it because
4270+ * it wont be null terminated and may contain embedded
4271+ * nulls.
4272+ */
4273+ out = fopen(outfile, "wb");
4274+ fwrite(outbuf, 1, outlen, out);
4275+ fclose(out);
4276+ return 1;
4277+ }
4278+
4279+The ciphertext from the above example can be decrypted using the B<openssl>
4280+utility with the command line:
4281+
4282+ S<openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d>
4283+
4284+General encryption, decryption function example using FILE I/O and RC2 with an
4285+80 bit key:
4286+
4287+ int do_crypt(FILE *in, FILE *out, int do_encrypt)
4288+ {
4289+ /* Allow enough space in output buffer for additional block */
4290+ inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
4291+ int inlen, outlen;
4292+ /* Bogus key and IV: we'd normally set these from
4293+ * another source.
4294+ */
4295+ unsigned char key[] = "0123456789";
4296+ unsigned char iv[] = "12345678";
4297+ /* Don't set key or IV because we will modify the parameters */
4298+ EVP_CIPHER_CTX_init(&ctx);
4299+ EVP_CipherInit_ex(&ctx, EVP_rc2(), NULL, NULL, NULL, do_encrypt);
4300+ EVP_CIPHER_CTX_set_key_length(&ctx, 10);
4301+ /* We finished modifying parameters so now we can set key and IV */
4302+ EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt);
4303+
4304+ for(;;)
4305+ {
4306+ inlen = fread(inbuf, 1, 1024, in);
4307+ if(inlen <= 0) break;
4308+ if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
4309+ {
4310+ /* Error */
4311+ EVP_CIPHER_CTX_cleanup(&ctx);
4312+ return 0;
4313+ }
4314+ fwrite(outbuf, 1, outlen, out);
4315+ }
4316+ if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
4317+ {
4318+ /* Error */
4319+ EVP_CIPHER_CTX_cleanup(&ctx);
4320+ return 0;
4321+ }
4322+ fwrite(outbuf, 1, outlen, out);
4323+
4324+ EVP_CIPHER_CTX_cleanup(&ctx);
4325+ return 1;
4326+ }
4327+
4328+
4329+=head1 SEE ALSO
4330+
4331+L<evp(3)|evp(3)>
4332+
4333+=head1 HISTORY
4334+
4335+EVP_CIPHER_CTX_init(), EVP_EncryptInit_ex(), EVP_EncryptFinal_ex(),
4336+EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex(),
4337+EVP_CipherFinal_ex() and EVP_CIPHER_CTX_set_padding() appeared in
4338+OpenSSL 0.9.7.
4339+
4340+=cut
4341
4342=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod'
4343--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod 1970-01-01 00:00:00 +0000
4344+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod 2011-09-15 05:17:15 +0000
4345@@ -0,0 +1,61 @@
4346+=pod
4347+
4348+=head1 NAME
4349+
4350+EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters, EVP_PKEY_cmp - public key parameter and comparison functions
4351+
4352+=head1 SYNOPSIS
4353+
4354+ #include <openssl/evp.h>
4355+
4356+ int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey);
4357+ int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);
4358+
4359+ int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b);
4360+ int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);
4361+
4362+=head1 DESCRIPTION
4363+
4364+The function EVP_PKEY_missing_parameters() returns 1 if the public key
4365+parameters of B<pkey> are missing and 0 if they are present or the algorithm
4366+doesn't use parameters.
4367+
4368+The function EVP_PKEY_copy_parameters() copies the parameters from key
4369+B<from> to key B<to>.
4370+
4371+The funcion EVP_PKEY_cmp_parameters() compares the parameters of keys
4372+B<a> and B<b>.
4373+
4374+The funcion EVP_PKEY_cmp() compares the public key components and paramters
4375+(if present) of keys B<a> and B<b>.
4376+
4377+=head1 NOTES
4378+
4379+The main purpose of the functions EVP_PKEY_missing_parameters() and
4380+EVP_PKEY_copy_parameters() is to handle public keys in certificates where the
4381+parameters are sometimes omitted from a public key if they are inherited from
4382+the CA that signed it.
4383+
4384+Since OpenSSL private keys contain public key components too the function
4385+EVP_PKEY_cmp() can also be used to determine if a private key matches
4386+a public key.
4387+
4388+=head1 RETURN VALUES
4389+
4390+The function EVP_PKEY_missing_parameters() returns 1 if the public key
4391+parameters of B<pkey> are missing and 0 if they are present or the algorithm
4392+doesn't use parameters.
4393+
4394+These functions EVP_PKEY_copy_parameters() returns 1 for success and 0 for
4395+failure.
4396+
4397+The function EVP_PKEY_cmp_parameters() and EVP_PKEY_cmp() return 1 if the
4398+keys match, 0 if they don't match, -1 if the key types are different and
4399+-2 if the operation is not supported.
4400+
4401+=head1 SEE ALSO
4402+
4403+L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
4404+L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
4405+
4406+=cut
4407
4408=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod'
4409--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod 1970-01-01 00:00:00 +0000
4410+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod 2011-09-15 05:17:15 +0000
4411@@ -0,0 +1,303 @@
4412+=pod
4413+
4414+=head1 NAME
4415+
4416+X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information
4417+
4418+=head1 SYNOPSIS
4419+
4420+ #include <openssl/x509.h>
4421+ #include <openssl/x509_vfy.h>
4422+
4423+ int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
4424+ void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
4425+ int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
4426+ X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
4427+
4428+ STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
4429+
4430+ const char *X509_verify_cert_error_string(long n);
4431+
4432+=head1 DESCRIPTION
4433+
4434+These functions are typically called after X509_verify_cert() has indicated
4435+an error or in a verification callback to determine the nature of an error.
4436+
4437+X509_STORE_CTX_get_error() returns the error code of B<ctx>, see
4438+the B<ERROR CODES> section for a full description of all error codes.
4439+
4440+X509_STORE_CTX_set_error() sets the error code of B<ctx> to B<s>. For example
4441+it might be used in a verification callback to set an error based on additional
4442+checks.
4443+
4444+X509_STORE_CTX_get_error_depth() returns the B<depth> of the error. This is a
4445+non-negative integer representing where in the certificate chain the error
4446+occurred. If it is zero it occured in the end entity certificate, one if
4447+it is the certificate which signed the end entity certificate and so on.
4448+
4449+X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which
4450+caused the error or B<NULL> if no certificate is relevant.
4451+
4452+X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous
4453+call to X509_verify_cert() is successful. If the call to X509_verify_cert()
4454+is B<not> successful the returned chain may be incomplete or invalid. The
4455+returned chain persists after the B<ctx> structure is freed, when it is
4456+no longer needed it should be free up using:
4457+
4458+ sk_X509_pop_free(chain, X509_free);
4459+
4460+X509_verify_cert_error_string() returns a human readable error string for
4461+verification error B<n>.
4462+
4463+=head1 RETURN VALUES
4464+
4465+X509_STORE_CTX_get_error() returns B<X509_V_OK> or an error code.
4466+
4467+X509_STORE_CTX_get_error_depth() returns a non-negative error depth.
4468+
4469+X509_STORE_CTX_get_current_cert() returns the cerificate which caused the
4470+error or B<NULL> if no certificate is relevant to the error.
4471+
4472+X509_verify_cert_error_string() returns a human readable error string for
4473+verification error B<n>.
4474+
4475+=head1 ERROR CODES
4476+
4477+A list of error codes and messages is shown below. Some of the
4478+error codes are defined but currently never returned: these are described as
4479+"unused".
4480+
4481+=over 4
4482+
4483+=item B<X509_V_OK: ok>
4484+
4485+the operation was successful.
4486+
4487+=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
4488+
4489+the issuer certificate could not be found: this occurs if the issuer certificate
4490+of an untrusted certificate cannot be found.
4491+
4492+=item B<X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
4493+
4494+the CRL of a certificate could not be found.
4495+
4496+=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature>
4497+
4498+the certificate signature could not be decrypted. This means that the actual
4499+signature value could not be determined rather than it not matching the
4500+expected value, this is only meaningful for RSA keys.
4501+
4502+=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature>
4503+
4504+the CRL signature could not be decrypted: this means that the actual signature
4505+value could not be determined rather than it not matching the expected value.
4506+Unused.
4507+
4508+=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key>
4509+
4510+the public key in the certificate SubjectPublicKeyInfo could not be read.
4511+
4512+=item B<X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure>
4513+
4514+the signature of the certificate is invalid.
4515+
4516+=item B<X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure>
4517+
4518+the signature of the certificate is invalid.
4519+
4520+=item B<X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid>
4521+
4522+the certificate is not yet valid: the notBefore date is after the current time.
4523+
4524+=item B<X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
4525+
4526+the certificate has expired: that is the notAfter date is before the current time.
4527+
4528+=item B<X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
4529+
4530+the CRL is not yet valid.
4531+
4532+=item B<X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired>
4533+
4534+the CRL has expired.
4535+
4536+=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field>
4537+
4538+the certificate notBefore field contains an invalid time.
4539+
4540+=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field>
4541+
4542+the certificate notAfter field contains an invalid time.
4543+
4544+=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field>
4545+
4546+the CRL lastUpdate field contains an invalid time.
4547+
4548+=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field>
4549+
4550+the CRL nextUpdate field contains an invalid time.
4551+
4552+=item B<X509_V_ERR_OUT_OF_MEM: out of memory>
4553+
4554+an error occurred trying to allocate memory. This should never happen.
4555+
4556+=item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate>
4557+
4558+the passed certificate is self signed and the same certificate cannot be found
4559+in the list of trusted certificates.
4560+
4561+=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain>
4562+
4563+the certificate chain could be built up using the untrusted certificates but
4564+the root could not be found locally.
4565+
4566+=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
4567+
4568+the issuer certificate of a locally looked up certificate could not be found.
4569+This normally means the list of trusted certificates is not complete.
4570+
4571+=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
4572+
4573+no signatures could be verified because the chain contains only one certificate
4574+and it is not self signed.
4575+
4576+=item B<X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long>
4577+
4578+the certificate chain length is greater than the supplied maximum depth. Unused.
4579+
4580+=item B<X509_V_ERR_CERT_REVOKED: certificate revoked>
4581+
4582+the certificate has been revoked.
4583+
4584+=item B<X509_V_ERR_INVALID_CA: invalid CA certificate>
4585+
4586+a CA certificate is invalid. Either it is not a CA or its extensions are not
4587+consistent with the supplied purpose.
4588+
4589+=item B<X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded>
4590+
4591+the basicConstraints pathlength parameter has been exceeded.
4592+
4593+=item B<X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose>
4594+
4595+the supplied certificate cannot be used for the specified purpose.
4596+
4597+=item B<X509_V_ERR_CERT_UNTRUSTED: certificate not trusted>
4598+
4599+the root CA is not marked as trusted for the specified purpose.
4600+
4601+=item B<X509_V_ERR_CERT_REJECTED: certificate rejected>
4602+
4603+the root CA is marked to reject the specified purpose.
4604+
4605+=item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
4606+
4607+the current candidate issuer certificate was rejected because its subject name
4608+did not match the issuer name of the current certificate. This is only set
4609+if issuer check debugging is enabled it is used for status notification and
4610+is B<not> in itself an error.
4611+
4612+=item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
4613+
4614+the current candidate issuer certificate was rejected because its subject key
4615+identifier was present and did not match the authority key identifier current
4616+certificate. This is only set if issuer check debugging is enabled it is used
4617+for status notification and is B<not> in itself an error.
4618+
4619+=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
4620+
4621+the current candidate issuer certificate was rejected because its issuer name
4622+and serial number was present and did not match the authority key identifier of
4623+the current certificate. This is only set if issuer check debugging is enabled
4624+it is used for status notification and is B<not> in itself an error.
4625+
4626+=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing>
4627+
4628+the current candidate issuer certificate was rejected because its keyUsage
4629+extension does not permit certificate signing. This is only set if issuer check
4630+debugging is enabled it is used for status notification and is B<not> in itself
4631+an error.
4632+
4633+=item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension>
4634+
4635+A certificate extension had an invalid value (for example an incorrect
4636+encoding) or some value inconsistent with other extensions.
4637+
4638+
4639+=item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension>
4640+
4641+A certificate policies extension had an invalid value (for example an incorrect
4642+encoding) or some value inconsistent with other extensions. This error only
4643+occurs if policy processing is enabled.
4644+
4645+=item B<X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy>
4646+
4647+The verification flags were set to require and explicit policy but none was
4648+present.
4649+
4650+=item B<X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope>
4651+
4652+The only CRLs that could be found did not match the scope of the certificate.
4653+
4654+=item B<X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature>
4655+
4656+Some feature of a certificate extension is not supported. Unused.
4657+
4658+=item B<X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation>
4659+
4660+A name constraint violation occured in the permitted subtrees.
4661+
4662+=item B<X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation>
4663+
4664+A name constraint violation occured in the excluded subtrees.
4665+
4666+=item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported>
4667+
4668+A certificate name constraints extension included a minimum or maximum field:
4669+this is not supported.
4670+
4671+=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type>
4672+
4673+An unsupported name constraint type was encountered. OpenSSL currently only
4674+supports directory name, DNS name, email and URI types.
4675+
4676+=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax>
4677+
4678+The format of the name constraint is not recognised: for example an email
4679+address format of a form not mentioned in RFC3280. This could be caused by
4680+a garbage extension or some new feature not currently supported.
4681+
4682+=item B<X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error>
4683+
4684+An error occured when attempting to verify the CRL path. This error can only
4685+happen if extended CRL checking is enabled.
4686+
4687+=item B<X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
4688+
4689+an application specific error. This will never be returned unless explicitly
4690+set by an application.
4691+
4692+=head1 NOTES
4693+
4694+The above functions should be used instead of directly referencing the fields
4695+in the B<X509_VERIFY_CTX> structure.
4696+
4697+In versions of OpenSSL before 1.0 the current certificate returned by
4698+X509_STORE_CTX_get_current_cert() was never B<NULL>. Applications should
4699+check the return value before printing out any debugging information relating
4700+to the current certificate.
4701+
4702+If an unrecognised error code is passed to X509_verify_cert_error_string() the
4703+numerical value of the unknown code is returned in a static buffer. This is not
4704+thread safe but will never happen unless an invalid code is passed.
4705+
4706+=head1 SEE ALSO
4707+
4708+L<X509_verify_cert(3)|X509_verify_cert(3)>
4709+
4710+=head1 HISTORY
4711+
4712+TBA
4713+
4714+=cut
4715
4716=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod'
4717--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod 1970-01-01 00:00:00 +0000
4718+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod 2011-09-15 05:17:15 +0000
4719@@ -0,0 +1,476 @@
4720+=pod
4721+
4722+=head1 NAME
4723+
4724+PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams, PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines
4725+
4726+=head1 SYNOPSIS
4727+
4728+ #include <openssl/pem.h>
4729+
4730+ EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x,
4731+ pem_password_cb *cb, void *u);
4732+
4733+ EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,
4734+ pem_password_cb *cb, void *u);
4735+
4736+ int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
4737+ unsigned char *kstr, int klen,
4738+ pem_password_cb *cb, void *u);
4739+
4740+ int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
4741+ unsigned char *kstr, int klen,
4742+ pem_password_cb *cb, void *u);
4743+
4744+ int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
4745+ char *kstr, int klen,
4746+ pem_password_cb *cb, void *u);
4747+
4748+ int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
4749+ char *kstr, int klen,
4750+ pem_password_cb *cb, void *u);
4751+
4752+ int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
4753+ char *kstr, int klen,
4754+ pem_password_cb *cb, void *u);
4755+
4756+ int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
4757+ char *kstr, int klen,
4758+ pem_password_cb *cb, void *u);
4759+
4760+ EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x,
4761+ pem_password_cb *cb, void *u);
4762+
4763+ EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x,
4764+ pem_password_cb *cb, void *u);
4765+
4766+ int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x);
4767+ int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
4768+
4769+ RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x,
4770+ pem_password_cb *cb, void *u);
4771+
4772+ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x,
4773+ pem_password_cb *cb, void *u);
4774+
4775+ int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
4776+ unsigned char *kstr, int klen,
4777+ pem_password_cb *cb, void *u);
4778+
4779+ int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
4780+ unsigned char *kstr, int klen,
4781+ pem_password_cb *cb, void *u);
4782+
4783+ RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x,
4784+ pem_password_cb *cb, void *u);
4785+
4786+ RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x,
4787+ pem_password_cb *cb, void *u);
4788+
4789+ int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x);
4790+
4791+ int PEM_write_RSAPublicKey(FILE *fp, RSA *x);
4792+
4793+ RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x,
4794+ pem_password_cb *cb, void *u);
4795+
4796+ RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x,
4797+ pem_password_cb *cb, void *u);
4798+
4799+ int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x);
4800+
4801+ int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x);
4802+
4803+ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x,
4804+ pem_password_cb *cb, void *u);
4805+
4806+ DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x,
4807+ pem_password_cb *cb, void *u);
4808+
4809+ int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
4810+ unsigned char *kstr, int klen,
4811+ pem_password_cb *cb, void *u);
4812+
4813+ int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
4814+ unsigned char *kstr, int klen,
4815+ pem_password_cb *cb, void *u);
4816+
4817+ DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x,
4818+ pem_password_cb *cb, void *u);
4819+
4820+ DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x,
4821+ pem_password_cb *cb, void *u);
4822+
4823+ int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x);
4824+
4825+ int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x);
4826+
4827+ DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u);
4828+
4829+ DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u);
4830+
4831+ int PEM_write_bio_DSAparams(BIO *bp, DSA *x);
4832+
4833+ int PEM_write_DSAparams(FILE *fp, DSA *x);
4834+
4835+ DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
4836+
4837+ DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u);
4838+
4839+ int PEM_write_bio_DHparams(BIO *bp, DH *x);
4840+
4841+ int PEM_write_DHparams(FILE *fp, DH *x);
4842+
4843+ X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
4844+
4845+ X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
4846+
4847+ int PEM_write_bio_X509(BIO *bp, X509 *x);
4848+
4849+ int PEM_write_X509(FILE *fp, X509 *x);
4850+
4851+ X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
4852+
4853+ X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
4854+
4855+ int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
4856+
4857+ int PEM_write_X509_AUX(FILE *fp, X509 *x);
4858+
4859+ X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x,
4860+ pem_password_cb *cb, void *u);
4861+
4862+ X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x,
4863+ pem_password_cb *cb, void *u);
4864+
4865+ int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x);
4866+
4867+ int PEM_write_X509_REQ(FILE *fp, X509_REQ *x);
4868+
4869+ int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x);
4870+
4871+ int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x);
4872+
4873+ X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x,
4874+ pem_password_cb *cb, void *u);
4875+ X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x,
4876+ pem_password_cb *cb, void *u);
4877+ int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x);
4878+ int PEM_write_X509_CRL(FILE *fp, X509_CRL *x);
4879+
4880+ PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u);
4881+
4882+ PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u);
4883+
4884+ int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x);
4885+
4886+ int PEM_write_PKCS7(FILE *fp, PKCS7 *x);
4887+
4888+ NETSCAPE_CERT_SEQUENCE *PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp,
4889+ NETSCAPE_CERT_SEQUENCE **x,
4890+ pem_password_cb *cb, void *u);
4891+
4892+ NETSCAPE_CERT_SEQUENCE *PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp,
4893+ NETSCAPE_CERT_SEQUENCE **x,
4894+ pem_password_cb *cb, void *u);
4895+
4896+ int PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE *x);
4897+
4898+ int PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE *x);
4899+
4900+=head1 DESCRIPTION
4901+
4902+The PEM functions read or write structures in PEM format. In
4903+this sense PEM format is simply base64 encoded data surrounded
4904+by header lines.
4905+
4906+For more details about the meaning of arguments see the
4907+B<PEM FUNCTION ARGUMENTS> section.
4908+
4909+Each operation has four functions associated with it. For
4910+clarity the term "B<foobar> functions" will be used to collectively
4911+refer to the PEM_read_bio_foobar(), PEM_read_foobar(),
4912+PEM_write_bio_foobar() and PEM_write_foobar() functions.
4913+
4914+The B<PrivateKey> functions read or write a private key in
4915+PEM format using an EVP_PKEY structure. The write routines use
4916+"traditional" private key format and can handle both RSA and DSA
4917+private keys. The read functions can additionally transparently
4918+handle PKCS#8 format encrypted and unencrypted keys too.
4919+
4920+PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey()
4921+write a private key in an EVP_PKEY structure in PKCS#8
4922+EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption
4923+algorithms. The B<cipher> argument specifies the encryption algoritm to
4924+use: unlike all other PEM routines the encryption is applied at the
4925+PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no
4926+encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead.
4927+
4928+PEM_write_bio_PKCS8PrivateKey_nid() and PEM_write_PKCS8PrivateKey_nid()
4929+also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however
4930+it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm
4931+to use is specified in the B<nid> parameter and should be the NID of the
4932+corresponding OBJECT IDENTIFIER (see NOTES section).
4933+
4934+The B<PUBKEY> functions process a public key using an EVP_PKEY
4935+structure. The public key is encoded as a SubjectPublicKeyInfo
4936+structure.
4937+
4938+The B<RSAPrivateKey> functions process an RSA private key using an
4939+RSA structure. It handles the same formats as the B<PrivateKey>
4940+functions but an error occurs if the private key is not RSA.
4941+
4942+The B<RSAPublicKey> functions process an RSA public key using an
4943+RSA structure. The public key is encoded using a PKCS#1 RSAPublicKey
4944+structure.
4945+
4946+The B<RSA_PUBKEY> functions also process an RSA public key using
4947+an RSA structure. However the public key is encoded using a
4948+SubjectPublicKeyInfo structure and an error occurs if the public
4949+key is not RSA.
4950+
4951+The B<DSAPrivateKey> functions process a DSA private key using a
4952+DSA structure. It handles the same formats as the B<PrivateKey>
4953+functions but an error occurs if the private key is not DSA.
4954+
4955+The B<DSA_PUBKEY> functions process a DSA public key using
4956+a DSA structure. The public key is encoded using a
4957+SubjectPublicKeyInfo structure and an error occurs if the public
4958+key is not DSA.
4959+
4960+The B<DSAparams> functions process DSA parameters using a DSA
4961+structure. The parameters are encoded using a foobar structure.
4962+
4963+The B<DHparams> functions process DH parameters using a DH
4964+structure. The parameters are encoded using a PKCS#3 DHparameter
4965+structure.
4966+
4967+The B<X509> functions process an X509 certificate using an X509
4968+structure. They will also process a trusted X509 certificate but
4969+any trust settings are discarded.
4970+
4971+The B<X509_AUX> functions process a trusted X509 certificate using
4972+an X509 structure.
4973+
4974+The B<X509_REQ> and B<X509_REQ_NEW> functions process a PKCS#10
4975+certificate request using an X509_REQ structure. The B<X509_REQ>
4976+write functions use B<CERTIFICATE REQUEST> in the header whereas
4977+the B<X509_REQ_NEW> functions use B<NEW CERTIFICATE REQUEST>
4978+(as required by some CAs). The B<X509_REQ> read functions will
4979+handle either form so there are no B<X509_REQ_NEW> read functions.
4980+
4981+The B<X509_CRL> functions process an X509 CRL using an X509_CRL
4982+structure.
4983+
4984+The B<PKCS7> functions process a PKCS#7 ContentInfo using a PKCS7
4985+structure.
4986+
4987+The B<NETSCAPE_CERT_SEQUENCE> functions process a Netscape Certificate
4988+Sequence using a NETSCAPE_CERT_SEQUENCE structure.
4989+
4990+=head1 PEM FUNCTION ARGUMENTS
4991+
4992+The PEM functions have many common arguments.
4993+
4994+The B<bp> BIO parameter (if present) specifies the BIO to read from
4995+or write to.
4996+
4997+The B<fp> FILE parameter (if present) specifies the FILE pointer to
4998+read from or write to.
4999+
5000+The PEM read functions all take an argument B<TYPE **x> and return
The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes: