Merge lp:~sbeattie/ubuntu/oneiric/openssl/lp850608 into lp:ubuntu/oneiric/openssl
- Oneiric (11.10)
- lp850608
- Merge into oneiric
Proposed by
Steve Beattie
Status: | Merged |
---|---|
Merged at revision: | 58 |
Proposed branch: | lp:~sbeattie/ubuntu/oneiric/openssl/lp850608 |
Merge into: | lp:ubuntu/oneiric/openssl |
Diff against target: |
27465 lines (+20613/-1941) 206 files modified
.pc/Bsymbolic-functions.patch/Configure (+2/-1) .pc/aesni.patch/Configure (+2/-1) .pc/aesni.patch/util/libeay.num (+5/-0) .pc/applied-patches (+12/-0) .pc/block_diginotar.patch/crypto/x509/x509_vfy.c (+2219/-0) .pc/c_rehash-multi.patch/tools/c_rehash.in (+192/-0) .pc/config-hurd.patch/config (+4/-0) .pc/dgst_hmac.patch/apps/dgst.c (+632/-0) .pc/dgst_hmac.patch/doc/apps/dgst.pod (+162/-0) .pc/engines-path.patch/Configure (+2/-1) .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c (+1/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod (+265/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod (+115/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod (+67/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod (+511/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod (+61/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod (+303/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod (+476/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_client_CA_list.pod (+94/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_verify.pod (+294/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+102/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_accept.pod (+76/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_connect.pod (+73/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_do_handshake.pod (+75/-0) .pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_shutdown.pod (+125/-0) .pc/libssl-misspell.patch/crypto/asn1/asn1_err.c (+329/-0) .pc/openssl-pod-misspell.patch/apps/ca.c (+2985/-0) .pc/openssl-pod-misspell.patch/apps/ecparam.c (+731/-0) .pc/openssl-pod-misspell.patch/crypto/evp/encode.c (+445/-0) .pc/openssl-pod-misspell.patch/doc/apps/config.pod (+279/-0) .pc/openssl-pod-misspell.patch/doc/apps/genpkey.pod (+213/-0) .pc/openssl-pod-misspell.patch/doc/apps/openssl.pod (+422/-0) .pc/openssl-pod-misspell.patch/doc/apps/req.pod (+678/-0) .pc/openssl-pod-misspell.patch/doc/apps/ts.pod (+594/-0) .pc/openssl-pod-misspell.patch/doc/apps/tsget.pod (+194/-0) .pc/openssl-pod-misspell.patch/doc/apps/x509v3_config.pod (+529/-0) .pc/pic.patch/crypto/perlasm/cbc.pl (+0/-2) .pc/pkcs12-doc.patch/doc/apps/pkcs12.pod (+363/-0) .pc/pod_ec.misspell.patch/doc/apps/ec.pod (+190/-0) .pc/pod_pksc12.misspell.patch/doc/apps/pkcs12.pod (+363/-0) .pc/pod_req_misspell2.patch/doc/apps/req.pod (+678/-0) .pc/pod_s_server.misspell.patch/doc/apps/s_server.pod (+355/-0) .pc/pod_x509setflags.misspell.patch/doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+171/-0) .pc/shared-lib-ext.patch/Configure (+2/-1) .pc/version-script.patch/Configure (+2/-1) CHANGES (+42/-1) Configure (+2/-1) FAQ (+1/-1) INSTALL.VMS (+24/-30) Makefile (+1/-1) Makefile.bak (+640/-0) NEWS (+8/-0) README (+1/-1) VMS/install-vms.com (+67/-0) VMS/install.com (+0/-79) VMS/mkshared.com (+163/-99) VMS/openssl_startup.com (+108/-0) VMS/openssl_undo.com (+20/-0) apps/CA.com (+58/-42) apps/apps.c (+6/-0) apps/asn1pars.c (+1/-0) apps/ca.c (+1/-1) apps/dgst.c (+2/-0) apps/ecparam.c (+2/-2) apps/enc.c (+4/-0) apps/install-apps.com (+107/-0) apps/install.com (+0/-65) apps/makeapps.com (+231/-118) apps/openssl.c (+62/-2) apps/pkcs12.c (+1/-1) apps/speed.c (+2/-0) apps/vms_decc_init.c (+188/-0) config (+4/-0) crypto/LPdir_vms.c (+28/-21) crypto/alphacpuid.pl (+3/-5) crypto/asn1/a_object.c (+2/-2) crypto/asn1/asn1_err.c (+1/-1) crypto/asn1/bio_ndef.c (+0/-3) crypto/asn1/x_name.c (+5/-2) crypto/bio/b_sock.c (+28/-1) crypto/bio/bss_dgram.c (+12/-6) crypto/bio/bss_log.c (+29/-3) crypto/bn/asm/alpha-mont.pl (+1/-1) crypto/bn/asm/s390x-mont.pl (+2/-2) crypto/bn/bn.h (+18/-0) crypto/bn/bn_gf2m.c (+1/-0) crypto/bn/bn_mont.c (+1/-1) crypto/bn/bn_nist.c (+36/-28) crypto/conf/conf_api.c (+1/-0) crypto/cryptlib.c (+0/-1) crypto/crypto-lib.com (+241/-129) crypto/dsa/dsa_pmeth.c (+1/-0) crypto/dso/dso_dlfcn.c (+1/-0) crypto/dso/dso_vms.c (+103/-82) crypto/ecdsa/ecdsatest.c (+2/-3) crypto/ecdsa/ecs_ossl.c (+8/-0) crypto/evp/encode.c (+1/-1) crypto/evp/evp_test.c (+1/-0) crypto/hmac/hm_pmeth.c (+2/-0) crypto/install-crypto.com (+196/-0) crypto/install.com (+0/-150) crypto/o_time.c (+14/-8) crypto/ocsp/ocsp_lib.c (+4/-4) crypto/opensslv.h (+3/-3) crypto/perlasm/cbc.pl (+0/-2) crypto/rand/rand_vms.c (+14/-2) crypto/rand/randfile.c (+2/-0) crypto/rsa/rsa_oaep.c (+13/-7) crypto/stack/safestack.h (+25/-25) crypto/vms_rms.h (+51/-0) crypto/x509/x509_vfy.c (+31/-0) debian/changelog (+77/-0) debian/libssl1.0.0.postinst (+5/-1) debian/patches/Bsymbolic-functions.patch (+7/-3) debian/patches/aesni.patch (+29/-14) debian/patches/block_diginotar.patch (+64/-0) debian/patches/c_rehash-multi.patch (+86/-0) debian/patches/debian-targets.patch (+3/-2) debian/patches/dgst_hmac.patch (+51/-0) debian/patches/libdoc-manpgs-pod-spell.patch (+236/-0) debian/patches/libssl-misspell.patch (+11/-0) debian/patches/openssl-pod-misspell.patch (+137/-0) debian/patches/pkcs12-doc.patch (+36/-0) debian/patches/pod_ec.misspell.patch (+11/-0) debian/patches/pod_pksc12.misspell.patch (+11/-0) debian/patches/pod_req_misspell2.patch (+12/-0) debian/patches/pod_s_server.misspell.patch (+11/-0) debian/patches/pod_x509setflags.misspell.patch (+11/-0) debian/patches/rehash_pod.patch (+2/-2) debian/patches/series (+12/-0) debian/patches/version-script.patch (+22/-4) debian/rules (+3/-1) doc/apps/c_rehash.pod (+2/-2) doc/apps/config.pod (+1/-1) doc/apps/dgst.pod (+10/-0) doc/apps/ec.pod (+1/-1) doc/apps/genpkey.pod (+2/-0) doc/apps/openssl.pod (+2/-2) doc/apps/pkcs12.pod (+7/-2) doc/apps/req.pod (+2/-2) doc/apps/s_server.pod (+1/-1) doc/apps/ts.pod (+2/-2) doc/apps/tsget.pod (+1/-1) doc/apps/x509v3_config.pod (+1/-1) doc/crypto/ASN1_generate_nconf.pod (+1/-1) doc/crypto/BN_BLINDING_new.pod (+1/-1) doc/crypto/EVP_BytesToKey.pod (+1/-1) doc/crypto/EVP_EncryptInit.pod (+1/-1) doc/crypto/EVP_PKEY_cmp.pod (+1/-1) doc/crypto/X509_STORE_CTX_get_error.pod (+2/-0) doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+1/-1) doc/crypto/pem.pod (+1/-1) doc/ssl/SSL_CTX_set_client_CA_list.pod (+4/-0) doc/ssl/SSL_CTX_set_verify.pod (+2/-2) doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+8/-0) doc/ssl/SSL_accept.pod (+8/-0) doc/ssl/SSL_connect.pod (+11/-11) doc/ssl/SSL_do_handshake.pod (+8/-0) doc/ssl/SSL_shutdown.pod (+8/-0) doc/ssl/ssl.pod (+1/-1) engines/ccgost/gost_crypt.c (+2/-1) engines/ccgost/openssl.ld (+10/-0) engines/e_capi_err.h (+4/-0) engines/makeengines.com (+215/-111) engines/openssl.ld (+3/-0) install.com (+127/-92) makevms.com (+274/-152) ms/uplink.c (+2/-1) openssl.spec (+1/-1) ssl/bio_ssl.c (+4/-0) ssl/d1_both.c (+10/-18) ssl/d1_clnt.c (+4/-2) ssl/d1_lib.c (+57/-8) ssl/d1_pkt.c (+11/-9) ssl/d1_srvr.c (+19/-7) ssl/install-ssl.com (+136/-0) ssl/install.com (+0/-90) ssl/s3_clnt.c (+2/-0) ssl/s3_lib.c (+6/-0) ssl/s3_pkt.c (+4/-2) ssl/s3_srvr.c (+16/-7) ssl/ssl-lib.com (+213/-115) ssl/ssl_lib.c (+13/-19) test/bntest.com (+7/-0) test/clean_test.com (+35/-0) test/cms-test.pl (+2/-2) test/maketests.com (+210/-111) test/tcrl.com (+10/-7) test/testca.com (+5/-3) test/testenc.com (+8/-5) test/testgen.com (+13/-9) test/tests.com (+65/-38) test/testss.com (+10/-7) test/testssl.com (+12/-8) test/testtsa.com (+38/-35) test/tpkcs7.com (+10/-7) test/tpkcs7d.com (+10/-7) test/treq.com (+10/-7) test/trsa.com (+8/-5) test/tsid.com (+10/-7) test/tverify.com (+6/-4) test/tx509.com (+10/-7) tools/c_rehash.in (+44/-28) util/libeay.num (+6/-1) util/mkdef.pl (+2/-0) util/mkerr.pl (+1/-1) |
To merge this branch: | bzr merge lp:~sbeattie/ubuntu/oneiric/openssl/lp850608 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Marc Deslauriers | Approve | ||
Ubuntu branches | Pending | ||
Review via email: mp+75477@code.launchpad.net |
Commit message
Description of the change
This branch merges openssl-1.0.0e-2 from Debian unstable to fix security issues. Both the debian changes from 1.0.0d-2 and the upstream release 1.0.0e are bugfix only releases. This merge also includes an added fix for LP: #244250 (reduce spurious reboot warnings on desktop installs) by checking for a running X server to determine whether or not to issue the reboot notification.
To post a comment you must log in.
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1 | === modified file '.pc/Bsymbolic-functions.patch/Configure' | |||
2 | --- .pc/Bsymbolic-functions.patch/Configure 2011-05-01 23:51:53 +0000 | |||
3 | +++ .pc/Bsymbolic-functions.patch/Configure 2011-09-15 05:17:15 +0000 | |||
4 | @@ -362,6 +362,7 @@ | |||
5 | 362 | "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 362 | "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
6 | 363 | "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 363 | "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
7 | 364 | "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 364 | "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
8 | 365 | "debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | ||
9 | 365 | "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 366 | "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
10 | 366 | "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 367 | "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
11 | 367 | "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 368 | "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
12 | @@ -370,7 +371,7 @@ | |||
13 | 370 | "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 371 | "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
14 | 371 | "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 372 | "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
15 | 372 | "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 373 | "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
17 | 373 | "debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 374 | "debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
18 | 374 | 375 | ||
19 | 375 | #### | 376 | #### |
20 | 376 | #### Variety of LINUX:-) | 377 | #### Variety of LINUX:-) |
21 | 377 | 378 | ||
22 | === modified file '.pc/aesni.patch/Configure' | |||
23 | --- .pc/aesni.patch/Configure 2011-05-01 23:51:53 +0000 | |||
24 | +++ .pc/aesni.patch/Configure 2011-09-15 05:17:15 +0000 | |||
25 | @@ -362,6 +362,7 @@ | |||
26 | 362 | "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 362 | "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
27 | 363 | "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 363 | "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
28 | 364 | "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 364 | "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
29 | 365 | "debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | ||
30 | 365 | "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 366 | "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
31 | 366 | "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 367 | "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
32 | 367 | "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 368 | "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
33 | @@ -370,7 +371,7 @@ | |||
34 | 370 | "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 371 | "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
35 | 371 | "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 372 | "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
36 | 372 | "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 373 | "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
38 | 373 | "debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 374 | "debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
39 | 374 | 375 | ||
40 | 375 | #### | 376 | #### |
41 | 376 | #### Variety of LINUX:-) | 377 | #### Variety of LINUX:-) |
42 | 377 | 378 | ||
43 | === modified file '.pc/aesni.patch/util/libeay.num' | |||
44 | --- .pc/aesni.patch/util/libeay.num 2011-05-01 23:51:53 +0000 | |||
45 | +++ .pc/aesni.patch/util/libeay.num 2011-09-15 05:17:15 +0000 | |||
46 | @@ -4189,3 +4189,8 @@ | |||
47 | 4189 | CRYPTO_cbc128_decrypt 4561 EXIST::FUNCTION: | 4189 | CRYPTO_cbc128_decrypt 4561 EXIST::FUNCTION: |
48 | 4190 | CRYPTO_cfb128_encrypt 4562 EXIST::FUNCTION: | 4190 | CRYPTO_cfb128_encrypt 4562 EXIST::FUNCTION: |
49 | 4191 | CRYPTO_cfb128_8_encrypt 4563 EXIST::FUNCTION: | 4191 | CRYPTO_cfb128_8_encrypt 4563 EXIST::FUNCTION: |
50 | 4192 | OPENSSL_strcasecmp 4564 EXIST::FUNCTION: | ||
51 | 4193 | OPENSSL_memcmp 4565 EXIST::FUNCTION: | ||
52 | 4194 | OPENSSL_strncasecmp 4566 EXIST::FUNCTION: | ||
53 | 4195 | OPENSSL_gmtime 4567 EXIST::FUNCTION: | ||
54 | 4196 | OPENSSL_gmtime_adj 4568 EXIST::FUNCTION: | ||
55 | 4192 | 4197 | ||
56 | === modified file '.pc/applied-patches' | |||
57 | --- .pc/applied-patches 2011-05-01 23:51:53 +0000 | |||
58 | +++ .pc/applied-patches 2011-09-15 05:17:15 +0000 | |||
59 | @@ -18,6 +18,18 @@ | |||
60 | 18 | version-script.patch | 18 | version-script.patch |
61 | 19 | gnu_source.patch | 19 | gnu_source.patch |
62 | 20 | c_rehash-compat.patch | 20 | c_rehash-compat.patch |
63 | 21 | libdoc-manpgs-pod-spell.patch | ||
64 | 22 | libssl-misspell.patch | ||
65 | 23 | openssl-pod-misspell.patch | ||
66 | 24 | pod_req_misspell2.patch | ||
67 | 25 | pod_pksc12.misspell.patch | ||
68 | 26 | pod_s_server.misspell.patch | ||
69 | 27 | pod_x509setflags.misspell.patch | ||
70 | 28 | pod_ec.misspell.patch | ||
71 | 29 | pkcs12-doc.patch | ||
72 | 30 | dgst_hmac.patch | ||
73 | 31 | block_diginotar.patch | ||
74 | 32 | c_rehash-multi.patch | ||
75 | 21 | aesni.patch | 33 | aesni.patch |
76 | 22 | perlpath-quilt.patch | 34 | perlpath-quilt.patch |
77 | 23 | Bsymbolic-functions.patch | 35 | Bsymbolic-functions.patch |
78 | 24 | 36 | ||
79 | === added directory '.pc/block_diginotar.patch' | |||
80 | === added directory '.pc/block_diginotar.patch/crypto' | |||
81 | === added directory '.pc/block_diginotar.patch/crypto/x509' | |||
82 | === added file '.pc/block_diginotar.patch/crypto/x509/x509_vfy.c' | |||
83 | --- .pc/block_diginotar.patch/crypto/x509/x509_vfy.c 1970-01-01 00:00:00 +0000 | |||
84 | +++ .pc/block_diginotar.patch/crypto/x509/x509_vfy.c 2011-09-15 05:17:15 +0000 | |||
85 | @@ -0,0 +1,2219 @@ | |||
86 | 1 | /* crypto/x509/x509_vfy.c */ | ||
87 | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | ||
88 | 3 | * All rights reserved. | ||
89 | 4 | * | ||
90 | 5 | * This package is an SSL implementation written | ||
91 | 6 | * by Eric Young (eay@cryptsoft.com). | ||
92 | 7 | * The implementation was written so as to conform with Netscapes SSL. | ||
93 | 8 | * | ||
94 | 9 | * This library is free for commercial and non-commercial use as long as | ||
95 | 10 | * the following conditions are aheared to. The following conditions | ||
96 | 11 | * apply to all code found in this distribution, be it the RC4, RSA, | ||
97 | 12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | ||
98 | 13 | * included with this distribution is covered by the same copyright terms | ||
99 | 14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | ||
100 | 15 | * | ||
101 | 16 | * Copyright remains Eric Young's, and as such any Copyright notices in | ||
102 | 17 | * the code are not to be removed. | ||
103 | 18 | * If this package is used in a product, Eric Young should be given attribution | ||
104 | 19 | * as the author of the parts of the library used. | ||
105 | 20 | * This can be in the form of a textual message at program startup or | ||
106 | 21 | * in documentation (online or textual) provided with the package. | ||
107 | 22 | * | ||
108 | 23 | * Redistribution and use in source and binary forms, with or without | ||
109 | 24 | * modification, are permitted provided that the following conditions | ||
110 | 25 | * are met: | ||
111 | 26 | * 1. Redistributions of source code must retain the copyright | ||
112 | 27 | * notice, this list of conditions and the following disclaimer. | ||
113 | 28 | * 2. Redistributions in binary form must reproduce the above copyright | ||
114 | 29 | * notice, this list of conditions and the following disclaimer in the | ||
115 | 30 | * documentation and/or other materials provided with the distribution. | ||
116 | 31 | * 3. All advertising materials mentioning features or use of this software | ||
117 | 32 | * must display the following acknowledgement: | ||
118 | 33 | * "This product includes cryptographic software written by | ||
119 | 34 | * Eric Young (eay@cryptsoft.com)" | ||
120 | 35 | * The word 'cryptographic' can be left out if the rouines from the library | ||
121 | 36 | * being used are not cryptographic related :-). | ||
122 | 37 | * 4. If you include any Windows specific code (or a derivative thereof) from | ||
123 | 38 | * the apps directory (application code) you must include an acknowledgement: | ||
124 | 39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | ||
125 | 40 | * | ||
126 | 41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | ||
127 | 42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
128 | 43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
129 | 44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
130 | 45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
131 | 46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
132 | 47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
133 | 48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
134 | 49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
135 | 50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
136 | 51 | * SUCH DAMAGE. | ||
137 | 52 | * | ||
138 | 53 | * The licence and distribution terms for any publically available version or | ||
139 | 54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | ||
140 | 55 | * copied and put under another distribution licence | ||
141 | 56 | * [including the GNU Public Licence.] | ||
142 | 57 | */ | ||
143 | 58 | |||
144 | 59 | #include <stdio.h> | ||
145 | 60 | #include <time.h> | ||
146 | 61 | #include <errno.h> | ||
147 | 62 | |||
148 | 63 | #include "cryptlib.h" | ||
149 | 64 | #include <openssl/crypto.h> | ||
150 | 65 | #include <openssl/lhash.h> | ||
151 | 66 | #include <openssl/buffer.h> | ||
152 | 67 | #include <openssl/evp.h> | ||
153 | 68 | #include <openssl/asn1.h> | ||
154 | 69 | #include <openssl/x509.h> | ||
155 | 70 | #include <openssl/x509v3.h> | ||
156 | 71 | #include <openssl/objects.h> | ||
157 | 72 | |||
158 | 73 | /* CRL score values */ | ||
159 | 74 | |||
160 | 75 | /* No unhandled critical extensions */ | ||
161 | 76 | |||
162 | 77 | #define CRL_SCORE_NOCRITICAL 0x100 | ||
163 | 78 | |||
164 | 79 | /* certificate is within CRL scope */ | ||
165 | 80 | |||
166 | 81 | #define CRL_SCORE_SCOPE 0x080 | ||
167 | 82 | |||
168 | 83 | /* CRL times valid */ | ||
169 | 84 | |||
170 | 85 | #define CRL_SCORE_TIME 0x040 | ||
171 | 86 | |||
172 | 87 | /* Issuer name matches certificate */ | ||
173 | 88 | |||
174 | 89 | #define CRL_SCORE_ISSUER_NAME 0x020 | ||
175 | 90 | |||
176 | 91 | /* If this score or above CRL is probably valid */ | ||
177 | 92 | |||
178 | 93 | #define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE) | ||
179 | 94 | |||
180 | 95 | /* CRL issuer is certificate issuer */ | ||
181 | 96 | |||
182 | 97 | #define CRL_SCORE_ISSUER_CERT 0x018 | ||
183 | 98 | |||
184 | 99 | /* CRL issuer is on certificate path */ | ||
185 | 100 | |||
186 | 101 | #define CRL_SCORE_SAME_PATH 0x008 | ||
187 | 102 | |||
188 | 103 | /* CRL issuer matches CRL AKID */ | ||
189 | 104 | |||
190 | 105 | #define CRL_SCORE_AKID 0x004 | ||
191 | 106 | |||
192 | 107 | /* Have a delta CRL with valid times */ | ||
193 | 108 | |||
194 | 109 | #define CRL_SCORE_TIME_DELTA 0x002 | ||
195 | 110 | |||
196 | 111 | static int null_callback(int ok,X509_STORE_CTX *e); | ||
197 | 112 | static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); | ||
198 | 113 | static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); | ||
199 | 114 | static int check_chain_extensions(X509_STORE_CTX *ctx); | ||
200 | 115 | static int check_name_constraints(X509_STORE_CTX *ctx); | ||
201 | 116 | static int check_trust(X509_STORE_CTX *ctx); | ||
202 | 117 | static int check_revocation(X509_STORE_CTX *ctx); | ||
203 | 118 | static int check_cert(X509_STORE_CTX *ctx); | ||
204 | 119 | static int check_policy(X509_STORE_CTX *ctx); | ||
205 | 120 | |||
206 | 121 | static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, | ||
207 | 122 | unsigned int *preasons, | ||
208 | 123 | X509_CRL *crl, X509 *x); | ||
209 | 124 | static int get_crl_delta(X509_STORE_CTX *ctx, | ||
210 | 125 | X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x); | ||
211 | 126 | static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score, | ||
212 | 127 | X509_CRL *base, STACK_OF(X509_CRL) *crls); | ||
213 | 128 | static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, | ||
214 | 129 | X509 **pissuer, int *pcrl_score); | ||
215 | 130 | static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, | ||
216 | 131 | unsigned int *preasons); | ||
217 | 132 | static int check_crl_path(X509_STORE_CTX *ctx, X509 *x); | ||
218 | 133 | static int check_crl_chain(X509_STORE_CTX *ctx, | ||
219 | 134 | STACK_OF(X509) *cert_path, | ||
220 | 135 | STACK_OF(X509) *crl_path); | ||
221 | 136 | |||
222 | 137 | static int internal_verify(X509_STORE_CTX *ctx); | ||
223 | 138 | const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT; | ||
224 | 139 | |||
225 | 140 | |||
226 | 141 | static int null_callback(int ok, X509_STORE_CTX *e) | ||
227 | 142 | { | ||
228 | 143 | return ok; | ||
229 | 144 | } | ||
230 | 145 | |||
231 | 146 | #if 0 | ||
232 | 147 | static int x509_subject_cmp(X509 **a, X509 **b) | ||
233 | 148 | { | ||
234 | 149 | return X509_subject_name_cmp(*a,*b); | ||
235 | 150 | } | ||
236 | 151 | #endif | ||
237 | 152 | |||
238 | 153 | int X509_verify_cert(X509_STORE_CTX *ctx) | ||
239 | 154 | { | ||
240 | 155 | X509 *x,*xtmp,*chain_ss=NULL; | ||
241 | 156 | X509_NAME *xn; | ||
242 | 157 | int bad_chain = 0; | ||
243 | 158 | X509_VERIFY_PARAM *param = ctx->param; | ||
244 | 159 | int depth,i,ok=0; | ||
245 | 160 | int num; | ||
246 | 161 | int (*cb)(int xok,X509_STORE_CTX *xctx); | ||
247 | 162 | STACK_OF(X509) *sktmp=NULL; | ||
248 | 163 | if (ctx->cert == NULL) | ||
249 | 164 | { | ||
250 | 165 | X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); | ||
251 | 166 | return -1; | ||
252 | 167 | } | ||
253 | 168 | |||
254 | 169 | cb=ctx->verify_cb; | ||
255 | 170 | |||
256 | 171 | /* first we make sure the chain we are going to build is | ||
257 | 172 | * present and that the first entry is in place */ | ||
258 | 173 | if (ctx->chain == NULL) | ||
259 | 174 | { | ||
260 | 175 | if ( ((ctx->chain=sk_X509_new_null()) == NULL) || | ||
261 | 176 | (!sk_X509_push(ctx->chain,ctx->cert))) | ||
262 | 177 | { | ||
263 | 178 | X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); | ||
264 | 179 | goto end; | ||
265 | 180 | } | ||
266 | 181 | CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509); | ||
267 | 182 | ctx->last_untrusted=1; | ||
268 | 183 | } | ||
269 | 184 | |||
270 | 185 | /* We use a temporary STACK so we can chop and hack at it */ | ||
271 | 186 | if (ctx->untrusted != NULL | ||
272 | 187 | && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL) | ||
273 | 188 | { | ||
274 | 189 | X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); | ||
275 | 190 | goto end; | ||
276 | 191 | } | ||
277 | 192 | |||
278 | 193 | num=sk_X509_num(ctx->chain); | ||
279 | 194 | x=sk_X509_value(ctx->chain,num-1); | ||
280 | 195 | depth=param->depth; | ||
281 | 196 | |||
282 | 197 | |||
283 | 198 | for (;;) | ||
284 | 199 | { | ||
285 | 200 | /* If we have enough, we break */ | ||
286 | 201 | if (depth < num) break; /* FIXME: If this happens, we should take | ||
287 | 202 | * note of it and, if appropriate, use the | ||
288 | 203 | * X509_V_ERR_CERT_CHAIN_TOO_LONG error | ||
289 | 204 | * code later. | ||
290 | 205 | */ | ||
291 | 206 | |||
292 | 207 | /* If we are self signed, we break */ | ||
293 | 208 | xn=X509_get_issuer_name(x); | ||
294 | 209 | if (ctx->check_issued(ctx, x,x)) break; | ||
295 | 210 | |||
296 | 211 | /* If we were passed a cert chain, use it first */ | ||
297 | 212 | if (ctx->untrusted != NULL) | ||
298 | 213 | { | ||
299 | 214 | xtmp=find_issuer(ctx, sktmp,x); | ||
300 | 215 | if (xtmp != NULL) | ||
301 | 216 | { | ||
302 | 217 | if (!sk_X509_push(ctx->chain,xtmp)) | ||
303 | 218 | { | ||
304 | 219 | X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); | ||
305 | 220 | goto end; | ||
306 | 221 | } | ||
307 | 222 | CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509); | ||
308 | 223 | (void)sk_X509_delete_ptr(sktmp,xtmp); | ||
309 | 224 | ctx->last_untrusted++; | ||
310 | 225 | x=xtmp; | ||
311 | 226 | num++; | ||
312 | 227 | /* reparse the full chain for | ||
313 | 228 | * the next one */ | ||
314 | 229 | continue; | ||
315 | 230 | } | ||
316 | 231 | } | ||
317 | 232 | break; | ||
318 | 233 | } | ||
319 | 234 | |||
320 | 235 | /* at this point, chain should contain a list of untrusted | ||
321 | 236 | * certificates. We now need to add at least one trusted one, | ||
322 | 237 | * if possible, otherwise we complain. */ | ||
323 | 238 | |||
324 | 239 | /* Examine last certificate in chain and see if it | ||
325 | 240 | * is self signed. | ||
326 | 241 | */ | ||
327 | 242 | |||
328 | 243 | i=sk_X509_num(ctx->chain); | ||
329 | 244 | x=sk_X509_value(ctx->chain,i-1); | ||
330 | 245 | xn = X509_get_subject_name(x); | ||
331 | 246 | if (ctx->check_issued(ctx, x, x)) | ||
332 | 247 | { | ||
333 | 248 | /* we have a self signed certificate */ | ||
334 | 249 | if (sk_X509_num(ctx->chain) == 1) | ||
335 | 250 | { | ||
336 | 251 | /* We have a single self signed certificate: see if | ||
337 | 252 | * we can find it in the store. We must have an exact | ||
338 | 253 | * match to avoid possible impersonation. | ||
339 | 254 | */ | ||
340 | 255 | ok = ctx->get_issuer(&xtmp, ctx, x); | ||
341 | 256 | if ((ok <= 0) || X509_cmp(x, xtmp)) | ||
342 | 257 | { | ||
343 | 258 | ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; | ||
344 | 259 | ctx->current_cert=x; | ||
345 | 260 | ctx->error_depth=i-1; | ||
346 | 261 | if (ok == 1) X509_free(xtmp); | ||
347 | 262 | bad_chain = 1; | ||
348 | 263 | ok=cb(0,ctx); | ||
349 | 264 | if (!ok) goto end; | ||
350 | 265 | } | ||
351 | 266 | else | ||
352 | 267 | { | ||
353 | 268 | /* We have a match: replace certificate with store version | ||
354 | 269 | * so we get any trust settings. | ||
355 | 270 | */ | ||
356 | 271 | X509_free(x); | ||
357 | 272 | x = xtmp; | ||
358 | 273 | (void)sk_X509_set(ctx->chain, i - 1, x); | ||
359 | 274 | ctx->last_untrusted=0; | ||
360 | 275 | } | ||
361 | 276 | } | ||
362 | 277 | else | ||
363 | 278 | { | ||
364 | 279 | /* extract and save self signed certificate for later use */ | ||
365 | 280 | chain_ss=sk_X509_pop(ctx->chain); | ||
366 | 281 | ctx->last_untrusted--; | ||
367 | 282 | num--; | ||
368 | 283 | x=sk_X509_value(ctx->chain,num-1); | ||
369 | 284 | } | ||
370 | 285 | } | ||
371 | 286 | |||
372 | 287 | /* We now lookup certs from the certificate store */ | ||
373 | 288 | for (;;) | ||
374 | 289 | { | ||
375 | 290 | /* If we have enough, we break */ | ||
376 | 291 | if (depth < num) break; | ||
377 | 292 | |||
378 | 293 | /* If we are self signed, we break */ | ||
379 | 294 | xn=X509_get_issuer_name(x); | ||
380 | 295 | if (ctx->check_issued(ctx,x,x)) break; | ||
381 | 296 | |||
382 | 297 | ok = ctx->get_issuer(&xtmp, ctx, x); | ||
383 | 298 | |||
384 | 299 | if (ok < 0) return ok; | ||
385 | 300 | if (ok == 0) break; | ||
386 | 301 | |||
387 | 302 | x = xtmp; | ||
388 | 303 | if (!sk_X509_push(ctx->chain,x)) | ||
389 | 304 | { | ||
390 | 305 | X509_free(xtmp); | ||
391 | 306 | X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE); | ||
392 | 307 | return 0; | ||
393 | 308 | } | ||
394 | 309 | num++; | ||
395 | 310 | } | ||
396 | 311 | |||
397 | 312 | /* we now have our chain, lets check it... */ | ||
398 | 313 | xn=X509_get_issuer_name(x); | ||
399 | 314 | |||
400 | 315 | /* Is last certificate looked up self signed? */ | ||
401 | 316 | if (!ctx->check_issued(ctx,x,x)) | ||
402 | 317 | { | ||
403 | 318 | if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) | ||
404 | 319 | { | ||
405 | 320 | if (ctx->last_untrusted >= num) | ||
406 | 321 | ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; | ||
407 | 322 | else | ||
408 | 323 | ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT; | ||
409 | 324 | ctx->current_cert=x; | ||
410 | 325 | } | ||
411 | 326 | else | ||
412 | 327 | { | ||
413 | 328 | |||
414 | 329 | sk_X509_push(ctx->chain,chain_ss); | ||
415 | 330 | num++; | ||
416 | 331 | ctx->last_untrusted=num; | ||
417 | 332 | ctx->current_cert=chain_ss; | ||
418 | 333 | ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN; | ||
419 | 334 | chain_ss=NULL; | ||
420 | 335 | } | ||
421 | 336 | |||
422 | 337 | ctx->error_depth=num-1; | ||
423 | 338 | bad_chain = 1; | ||
424 | 339 | ok=cb(0,ctx); | ||
425 | 340 | if (!ok) goto end; | ||
426 | 341 | } | ||
427 | 342 | |||
428 | 343 | /* We have the chain complete: now we need to check its purpose */ | ||
429 | 344 | ok = check_chain_extensions(ctx); | ||
430 | 345 | |||
431 | 346 | if (!ok) goto end; | ||
432 | 347 | |||
433 | 348 | /* Check name constraints */ | ||
434 | 349 | |||
435 | 350 | ok = check_name_constraints(ctx); | ||
436 | 351 | |||
437 | 352 | if (!ok) goto end; | ||
438 | 353 | |||
439 | 354 | /* The chain extensions are OK: check trust */ | ||
440 | 355 | |||
441 | 356 | if (param->trust > 0) ok = check_trust(ctx); | ||
442 | 357 | |||
443 | 358 | if (!ok) goto end; | ||
444 | 359 | |||
445 | 360 | /* We may as well copy down any DSA parameters that are required */ | ||
446 | 361 | X509_get_pubkey_parameters(NULL,ctx->chain); | ||
447 | 362 | |||
448 | 363 | /* Check revocation status: we do this after copying parameters | ||
449 | 364 | * because they may be needed for CRL signature verification. | ||
450 | 365 | */ | ||
451 | 366 | |||
452 | 367 | ok = ctx->check_revocation(ctx); | ||
453 | 368 | if(!ok) goto end; | ||
454 | 369 | |||
455 | 370 | /* At this point, we have a chain and need to verify it */ | ||
456 | 371 | if (ctx->verify != NULL) | ||
457 | 372 | ok=ctx->verify(ctx); | ||
458 | 373 | else | ||
459 | 374 | ok=internal_verify(ctx); | ||
460 | 375 | if(!ok) goto end; | ||
461 | 376 | |||
462 | 377 | #ifndef OPENSSL_NO_RFC3779 | ||
463 | 378 | /* RFC 3779 path validation, now that CRL check has been done */ | ||
464 | 379 | ok = v3_asid_validate_path(ctx); | ||
465 | 380 | if (!ok) goto end; | ||
466 | 381 | ok = v3_addr_validate_path(ctx); | ||
467 | 382 | if (!ok) goto end; | ||
468 | 383 | #endif | ||
469 | 384 | |||
470 | 385 | /* If we get this far evaluate policies */ | ||
471 | 386 | if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) | ||
472 | 387 | ok = ctx->check_policy(ctx); | ||
473 | 388 | if(!ok) goto end; | ||
474 | 389 | if (0) | ||
475 | 390 | { | ||
476 | 391 | end: | ||
477 | 392 | X509_get_pubkey_parameters(NULL,ctx->chain); | ||
478 | 393 | } | ||
479 | 394 | if (sktmp != NULL) sk_X509_free(sktmp); | ||
480 | 395 | if (chain_ss != NULL) X509_free(chain_ss); | ||
481 | 396 | return ok; | ||
482 | 397 | } | ||
483 | 398 | |||
484 | 399 | |||
485 | 400 | /* Given a STACK_OF(X509) find the issuer of cert (if any) | ||
486 | 401 | */ | ||
487 | 402 | |||
488 | 403 | static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) | ||
489 | 404 | { | ||
490 | 405 | int i; | ||
491 | 406 | X509 *issuer; | ||
492 | 407 | for (i = 0; i < sk_X509_num(sk); i++) | ||
493 | 408 | { | ||
494 | 409 | issuer = sk_X509_value(sk, i); | ||
495 | 410 | if (ctx->check_issued(ctx, x, issuer)) | ||
496 | 411 | return issuer; | ||
497 | 412 | } | ||
498 | 413 | return NULL; | ||
499 | 414 | } | ||
500 | 415 | |||
501 | 416 | /* Given a possible certificate and issuer check them */ | ||
502 | 417 | |||
503 | 418 | static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) | ||
504 | 419 | { | ||
505 | 420 | int ret; | ||
506 | 421 | ret = X509_check_issued(issuer, x); | ||
507 | 422 | if (ret == X509_V_OK) | ||
508 | 423 | return 1; | ||
509 | 424 | /* If we haven't asked for issuer errors don't set ctx */ | ||
510 | 425 | if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) | ||
511 | 426 | return 0; | ||
512 | 427 | |||
513 | 428 | ctx->error = ret; | ||
514 | 429 | ctx->current_cert = x; | ||
515 | 430 | ctx->current_issuer = issuer; | ||
516 | 431 | return ctx->verify_cb(0, ctx); | ||
517 | 432 | return 0; | ||
518 | 433 | } | ||
519 | 434 | |||
520 | 435 | /* Alternative lookup method: look from a STACK stored in other_ctx */ | ||
521 | 436 | |||
522 | 437 | static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) | ||
523 | 438 | { | ||
524 | 439 | *issuer = find_issuer(ctx, ctx->other_ctx, x); | ||
525 | 440 | if (*issuer) | ||
526 | 441 | { | ||
527 | 442 | CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509); | ||
528 | 443 | return 1; | ||
529 | 444 | } | ||
530 | 445 | else | ||
531 | 446 | return 0; | ||
532 | 447 | } | ||
533 | 448 | |||
534 | 449 | |||
535 | 450 | /* Check a certificate chains extensions for consistency | ||
536 | 451 | * with the supplied purpose | ||
537 | 452 | */ | ||
538 | 453 | |||
539 | 454 | static int check_chain_extensions(X509_STORE_CTX *ctx) | ||
540 | 455 | { | ||
541 | 456 | #ifdef OPENSSL_NO_CHAIN_VERIFY | ||
542 | 457 | return 1; | ||
543 | 458 | #else | ||
544 | 459 | int i, ok=0, must_be_ca, plen = 0; | ||
545 | 460 | X509 *x; | ||
546 | 461 | int (*cb)(int xok,X509_STORE_CTX *xctx); | ||
547 | 462 | int proxy_path_length = 0; | ||
548 | 463 | int purpose; | ||
549 | 464 | int allow_proxy_certs; | ||
550 | 465 | cb=ctx->verify_cb; | ||
551 | 466 | |||
552 | 467 | /* must_be_ca can have 1 of 3 values: | ||
553 | 468 | -1: we accept both CA and non-CA certificates, to allow direct | ||
554 | 469 | use of self-signed certificates (which are marked as CA). | ||
555 | 470 | 0: we only accept non-CA certificates. This is currently not | ||
556 | 471 | used, but the possibility is present for future extensions. | ||
557 | 472 | 1: we only accept CA certificates. This is currently used for | ||
558 | 473 | all certificates in the chain except the leaf certificate. | ||
559 | 474 | */ | ||
560 | 475 | must_be_ca = -1; | ||
561 | 476 | |||
562 | 477 | /* CRL path validation */ | ||
563 | 478 | if (ctx->parent) | ||
564 | 479 | { | ||
565 | 480 | allow_proxy_certs = 0; | ||
566 | 481 | purpose = X509_PURPOSE_CRL_SIGN; | ||
567 | 482 | } | ||
568 | 483 | else | ||
569 | 484 | { | ||
570 | 485 | allow_proxy_certs = | ||
571 | 486 | !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); | ||
572 | 487 | /* A hack to keep people who don't want to modify their | ||
573 | 488 | software happy */ | ||
574 | 489 | if (getenv("OPENSSL_ALLOW_PROXY_CERTS")) | ||
575 | 490 | allow_proxy_certs = 1; | ||
576 | 491 | purpose = ctx->param->purpose; | ||
577 | 492 | } | ||
578 | 493 | |||
579 | 494 | /* Check all untrusted certificates */ | ||
580 | 495 | for (i = 0; i < ctx->last_untrusted; i++) | ||
581 | 496 | { | ||
582 | 497 | int ret; | ||
583 | 498 | x = sk_X509_value(ctx->chain, i); | ||
584 | 499 | if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) | ||
585 | 500 | && (x->ex_flags & EXFLAG_CRITICAL)) | ||
586 | 501 | { | ||
587 | 502 | ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; | ||
588 | 503 | ctx->error_depth = i; | ||
589 | 504 | ctx->current_cert = x; | ||
590 | 505 | ok=cb(0,ctx); | ||
591 | 506 | if (!ok) goto end; | ||
592 | 507 | } | ||
593 | 508 | if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) | ||
594 | 509 | { | ||
595 | 510 | ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; | ||
596 | 511 | ctx->error_depth = i; | ||
597 | 512 | ctx->current_cert = x; | ||
598 | 513 | ok=cb(0,ctx); | ||
599 | 514 | if (!ok) goto end; | ||
600 | 515 | } | ||
601 | 516 | ret = X509_check_ca(x); | ||
602 | 517 | switch(must_be_ca) | ||
603 | 518 | { | ||
604 | 519 | case -1: | ||
605 | 520 | if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) | ||
606 | 521 | && (ret != 1) && (ret != 0)) | ||
607 | 522 | { | ||
608 | 523 | ret = 0; | ||
609 | 524 | ctx->error = X509_V_ERR_INVALID_CA; | ||
610 | 525 | } | ||
611 | 526 | else | ||
612 | 527 | ret = 1; | ||
613 | 528 | break; | ||
614 | 529 | case 0: | ||
615 | 530 | if (ret != 0) | ||
616 | 531 | { | ||
617 | 532 | ret = 0; | ||
618 | 533 | ctx->error = X509_V_ERR_INVALID_NON_CA; | ||
619 | 534 | } | ||
620 | 535 | else | ||
621 | 536 | ret = 1; | ||
622 | 537 | break; | ||
623 | 538 | default: | ||
624 | 539 | if ((ret == 0) | ||
625 | 540 | || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) | ||
626 | 541 | && (ret != 1))) | ||
627 | 542 | { | ||
628 | 543 | ret = 0; | ||
629 | 544 | ctx->error = X509_V_ERR_INVALID_CA; | ||
630 | 545 | } | ||
631 | 546 | else | ||
632 | 547 | ret = 1; | ||
633 | 548 | break; | ||
634 | 549 | } | ||
635 | 550 | if (ret == 0) | ||
636 | 551 | { | ||
637 | 552 | ctx->error_depth = i; | ||
638 | 553 | ctx->current_cert = x; | ||
639 | 554 | ok=cb(0,ctx); | ||
640 | 555 | if (!ok) goto end; | ||
641 | 556 | } | ||
642 | 557 | if (ctx->param->purpose > 0) | ||
643 | 558 | { | ||
644 | 559 | ret = X509_check_purpose(x, purpose, must_be_ca > 0); | ||
645 | 560 | if ((ret == 0) | ||
646 | 561 | || ((ctx->param->flags & X509_V_FLAG_X509_STRICT) | ||
647 | 562 | && (ret != 1))) | ||
648 | 563 | { | ||
649 | 564 | ctx->error = X509_V_ERR_INVALID_PURPOSE; | ||
650 | 565 | ctx->error_depth = i; | ||
651 | 566 | ctx->current_cert = x; | ||
652 | 567 | ok=cb(0,ctx); | ||
653 | 568 | if (!ok) goto end; | ||
654 | 569 | } | ||
655 | 570 | } | ||
656 | 571 | /* Check pathlen if not self issued */ | ||
657 | 572 | if ((i > 1) && !(x->ex_flags & EXFLAG_SI) | ||
658 | 573 | && (x->ex_pathlen != -1) | ||
659 | 574 | && (plen > (x->ex_pathlen + proxy_path_length + 1))) | ||
660 | 575 | { | ||
661 | 576 | ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; | ||
662 | 577 | ctx->error_depth = i; | ||
663 | 578 | ctx->current_cert = x; | ||
664 | 579 | ok=cb(0,ctx); | ||
665 | 580 | if (!ok) goto end; | ||
666 | 581 | } | ||
667 | 582 | /* Increment path length if not self issued */ | ||
668 | 583 | if (!(x->ex_flags & EXFLAG_SI)) | ||
669 | 584 | plen++; | ||
670 | 585 | /* If this certificate is a proxy certificate, the next | ||
671 | 586 | certificate must be another proxy certificate or a EE | ||
672 | 587 | certificate. If not, the next certificate must be a | ||
673 | 588 | CA certificate. */ | ||
674 | 589 | if (x->ex_flags & EXFLAG_PROXY) | ||
675 | 590 | { | ||
676 | 591 | if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) | ||
677 | 592 | { | ||
678 | 593 | ctx->error = | ||
679 | 594 | X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; | ||
680 | 595 | ctx->error_depth = i; | ||
681 | 596 | ctx->current_cert = x; | ||
682 | 597 | ok=cb(0,ctx); | ||
683 | 598 | if (!ok) goto end; | ||
684 | 599 | } | ||
685 | 600 | proxy_path_length++; | ||
686 | 601 | must_be_ca = 0; | ||
687 | 602 | } | ||
688 | 603 | else | ||
689 | 604 | must_be_ca = 1; | ||
690 | 605 | } | ||
691 | 606 | ok = 1; | ||
692 | 607 | end: | ||
693 | 608 | return ok; | ||
694 | 609 | #endif | ||
695 | 610 | } | ||
696 | 611 | |||
697 | 612 | static int check_name_constraints(X509_STORE_CTX *ctx) | ||
698 | 613 | { | ||
699 | 614 | X509 *x; | ||
700 | 615 | int i, j, rv; | ||
701 | 616 | /* Check name constraints for all certificates */ | ||
702 | 617 | for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) | ||
703 | 618 | { | ||
704 | 619 | x = sk_X509_value(ctx->chain, i); | ||
705 | 620 | /* Ignore self issued certs unless last in chain */ | ||
706 | 621 | if (i && (x->ex_flags & EXFLAG_SI)) | ||
707 | 622 | continue; | ||
708 | 623 | /* Check against constraints for all certificates higher in | ||
709 | 624 | * chain including trust anchor. Trust anchor not strictly | ||
710 | 625 | * speaking needed but if it includes constraints it is to be | ||
711 | 626 | * assumed it expects them to be obeyed. | ||
712 | 627 | */ | ||
713 | 628 | for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) | ||
714 | 629 | { | ||
715 | 630 | NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; | ||
716 | 631 | if (nc) | ||
717 | 632 | { | ||
718 | 633 | rv = NAME_CONSTRAINTS_check(x, nc); | ||
719 | 634 | if (rv != X509_V_OK) | ||
720 | 635 | { | ||
721 | 636 | ctx->error = rv; | ||
722 | 637 | ctx->error_depth = i; | ||
723 | 638 | ctx->current_cert = x; | ||
724 | 639 | if (!ctx->verify_cb(0,ctx)) | ||
725 | 640 | return 0; | ||
726 | 641 | } | ||
727 | 642 | } | ||
728 | 643 | } | ||
729 | 644 | } | ||
730 | 645 | return 1; | ||
731 | 646 | } | ||
732 | 647 | |||
733 | 648 | static int check_trust(X509_STORE_CTX *ctx) | ||
734 | 649 | { | ||
735 | 650 | #ifdef OPENSSL_NO_CHAIN_VERIFY | ||
736 | 651 | return 1; | ||
737 | 652 | #else | ||
738 | 653 | int i, ok; | ||
739 | 654 | X509 *x; | ||
740 | 655 | int (*cb)(int xok,X509_STORE_CTX *xctx); | ||
741 | 656 | cb=ctx->verify_cb; | ||
742 | 657 | /* For now just check the last certificate in the chain */ | ||
743 | 658 | i = sk_X509_num(ctx->chain) - 1; | ||
744 | 659 | x = sk_X509_value(ctx->chain, i); | ||
745 | 660 | ok = X509_check_trust(x, ctx->param->trust, 0); | ||
746 | 661 | if (ok == X509_TRUST_TRUSTED) | ||
747 | 662 | return 1; | ||
748 | 663 | ctx->error_depth = i; | ||
749 | 664 | ctx->current_cert = x; | ||
750 | 665 | if (ok == X509_TRUST_REJECTED) | ||
751 | 666 | ctx->error = X509_V_ERR_CERT_REJECTED; | ||
752 | 667 | else | ||
753 | 668 | ctx->error = X509_V_ERR_CERT_UNTRUSTED; | ||
754 | 669 | ok = cb(0, ctx); | ||
755 | 670 | return ok; | ||
756 | 671 | #endif | ||
757 | 672 | } | ||
758 | 673 | |||
759 | 674 | static int check_revocation(X509_STORE_CTX *ctx) | ||
760 | 675 | { | ||
761 | 676 | int i, last, ok; | ||
762 | 677 | if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK)) | ||
763 | 678 | return 1; | ||
764 | 679 | if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL) | ||
765 | 680 | last = sk_X509_num(ctx->chain) - 1; | ||
766 | 681 | else | ||
767 | 682 | { | ||
768 | 683 | /* If checking CRL paths this isn't the EE certificate */ | ||
769 | 684 | if (ctx->parent) | ||
770 | 685 | return 1; | ||
771 | 686 | last = 0; | ||
772 | 687 | } | ||
773 | 688 | for(i = 0; i <= last; i++) | ||
774 | 689 | { | ||
775 | 690 | ctx->error_depth = i; | ||
776 | 691 | ok = check_cert(ctx); | ||
777 | 692 | if (!ok) return ok; | ||
778 | 693 | } | ||
779 | 694 | return 1; | ||
780 | 695 | } | ||
781 | 696 | |||
782 | 697 | static int check_cert(X509_STORE_CTX *ctx) | ||
783 | 698 | { | ||
784 | 699 | X509_CRL *crl = NULL, *dcrl = NULL; | ||
785 | 700 | X509 *x; | ||
786 | 701 | int ok, cnum; | ||
787 | 702 | cnum = ctx->error_depth; | ||
788 | 703 | x = sk_X509_value(ctx->chain, cnum); | ||
789 | 704 | ctx->current_cert = x; | ||
790 | 705 | ctx->current_issuer = NULL; | ||
791 | 706 | ctx->current_crl_score = 0; | ||
792 | 707 | ctx->current_reasons = 0; | ||
793 | 708 | while (ctx->current_reasons != CRLDP_ALL_REASONS) | ||
794 | 709 | { | ||
795 | 710 | /* Try to retrieve relevant CRL */ | ||
796 | 711 | if (ctx->get_crl) | ||
797 | 712 | ok = ctx->get_crl(ctx, &crl, x); | ||
798 | 713 | else | ||
799 | 714 | ok = get_crl_delta(ctx, &crl, &dcrl, x); | ||
800 | 715 | /* If error looking up CRL, nothing we can do except | ||
801 | 716 | * notify callback | ||
802 | 717 | */ | ||
803 | 718 | if(!ok) | ||
804 | 719 | { | ||
805 | 720 | ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL; | ||
806 | 721 | ok = ctx->verify_cb(0, ctx); | ||
807 | 722 | goto err; | ||
808 | 723 | } | ||
809 | 724 | ctx->current_crl = crl; | ||
810 | 725 | ok = ctx->check_crl(ctx, crl); | ||
811 | 726 | if (!ok) | ||
812 | 727 | goto err; | ||
813 | 728 | |||
814 | 729 | if (dcrl) | ||
815 | 730 | { | ||
816 | 731 | ok = ctx->check_crl(ctx, dcrl); | ||
817 | 732 | if (!ok) | ||
818 | 733 | goto err; | ||
819 | 734 | ok = ctx->cert_crl(ctx, dcrl, x); | ||
820 | 735 | if (!ok) | ||
821 | 736 | goto err; | ||
822 | 737 | } | ||
823 | 738 | else | ||
824 | 739 | ok = 1; | ||
825 | 740 | |||
826 | 741 | /* Don't look in full CRL if delta reason is removefromCRL */ | ||
827 | 742 | if (ok != 2) | ||
828 | 743 | { | ||
829 | 744 | ok = ctx->cert_crl(ctx, crl, x); | ||
830 | 745 | if (!ok) | ||
831 | 746 | goto err; | ||
832 | 747 | } | ||
833 | 748 | |||
834 | 749 | X509_CRL_free(crl); | ||
835 | 750 | X509_CRL_free(dcrl); | ||
836 | 751 | crl = NULL; | ||
837 | 752 | dcrl = NULL; | ||
838 | 753 | } | ||
839 | 754 | err: | ||
840 | 755 | X509_CRL_free(crl); | ||
841 | 756 | X509_CRL_free(dcrl); | ||
842 | 757 | |||
843 | 758 | ctx->current_crl = NULL; | ||
844 | 759 | return ok; | ||
845 | 760 | |||
846 | 761 | } | ||
847 | 762 | |||
848 | 763 | /* Check CRL times against values in X509_STORE_CTX */ | ||
849 | 764 | |||
850 | 765 | static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify) | ||
851 | 766 | { | ||
852 | 767 | time_t *ptime; | ||
853 | 768 | int i; | ||
854 | 769 | if (notify) | ||
855 | 770 | ctx->current_crl = crl; | ||
856 | 771 | if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) | ||
857 | 772 | ptime = &ctx->param->check_time; | ||
858 | 773 | else | ||
859 | 774 | ptime = NULL; | ||
860 | 775 | |||
861 | 776 | i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime); | ||
862 | 777 | if (i == 0) | ||
863 | 778 | { | ||
864 | 779 | if (!notify) | ||
865 | 780 | return 0; | ||
866 | 781 | ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD; | ||
867 | 782 | if (!ctx->verify_cb(0, ctx)) | ||
868 | 783 | return 0; | ||
869 | 784 | } | ||
870 | 785 | |||
871 | 786 | if (i > 0) | ||
872 | 787 | { | ||
873 | 788 | if (!notify) | ||
874 | 789 | return 0; | ||
875 | 790 | ctx->error=X509_V_ERR_CRL_NOT_YET_VALID; | ||
876 | 791 | if (!ctx->verify_cb(0, ctx)) | ||
877 | 792 | return 0; | ||
878 | 793 | } | ||
879 | 794 | |||
880 | 795 | if(X509_CRL_get_nextUpdate(crl)) | ||
881 | 796 | { | ||
882 | 797 | i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime); | ||
883 | 798 | |||
884 | 799 | if (i == 0) | ||
885 | 800 | { | ||
886 | 801 | if (!notify) | ||
887 | 802 | return 0; | ||
888 | 803 | ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD; | ||
889 | 804 | if (!ctx->verify_cb(0, ctx)) | ||
890 | 805 | return 0; | ||
891 | 806 | } | ||
892 | 807 | /* Ignore expiry of base CRL is delta is valid */ | ||
893 | 808 | if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA)) | ||
894 | 809 | { | ||
895 | 810 | if (!notify) | ||
896 | 811 | return 0; | ||
897 | 812 | ctx->error=X509_V_ERR_CRL_HAS_EXPIRED; | ||
898 | 813 | if (!ctx->verify_cb(0, ctx)) | ||
899 | 814 | return 0; | ||
900 | 815 | } | ||
901 | 816 | } | ||
902 | 817 | |||
903 | 818 | if (notify) | ||
904 | 819 | ctx->current_crl = NULL; | ||
905 | 820 | |||
906 | 821 | return 1; | ||
907 | 822 | } | ||
908 | 823 | |||
909 | 824 | static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, | ||
910 | 825 | X509 **pissuer, int *pscore, unsigned int *preasons, | ||
911 | 826 | STACK_OF(X509_CRL) *crls) | ||
912 | 827 | { | ||
913 | 828 | int i, crl_score, best_score = *pscore; | ||
914 | 829 | unsigned int reasons, best_reasons = 0; | ||
915 | 830 | X509 *x = ctx->current_cert; | ||
916 | 831 | X509_CRL *crl, *best_crl = NULL; | ||
917 | 832 | X509 *crl_issuer = NULL, *best_crl_issuer = NULL; | ||
918 | 833 | |||
919 | 834 | for (i = 0; i < sk_X509_CRL_num(crls); i++) | ||
920 | 835 | { | ||
921 | 836 | crl = sk_X509_CRL_value(crls, i); | ||
922 | 837 | reasons = *preasons; | ||
923 | 838 | crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x); | ||
924 | 839 | |||
925 | 840 | if (crl_score > best_score) | ||
926 | 841 | { | ||
927 | 842 | best_crl = crl; | ||
928 | 843 | best_crl_issuer = crl_issuer; | ||
929 | 844 | best_score = crl_score; | ||
930 | 845 | best_reasons = reasons; | ||
931 | 846 | } | ||
932 | 847 | } | ||
933 | 848 | |||
934 | 849 | if (best_crl) | ||
935 | 850 | { | ||
936 | 851 | if (*pcrl) | ||
937 | 852 | X509_CRL_free(*pcrl); | ||
938 | 853 | *pcrl = best_crl; | ||
939 | 854 | *pissuer = best_crl_issuer; | ||
940 | 855 | *pscore = best_score; | ||
941 | 856 | *preasons = best_reasons; | ||
942 | 857 | CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL); | ||
943 | 858 | if (*pdcrl) | ||
944 | 859 | { | ||
945 | 860 | X509_CRL_free(*pdcrl); | ||
946 | 861 | *pdcrl = NULL; | ||
947 | 862 | } | ||
948 | 863 | get_delta_sk(ctx, pdcrl, pscore, best_crl, crls); | ||
949 | 864 | } | ||
950 | 865 | |||
951 | 866 | if (best_score >= CRL_SCORE_VALID) | ||
952 | 867 | return 1; | ||
953 | 868 | |||
954 | 869 | return 0; | ||
955 | 870 | } | ||
956 | 871 | |||
957 | 872 | /* Compare two CRL extensions for delta checking purposes. They should be | ||
958 | 873 | * both present or both absent. If both present all fields must be identical. | ||
959 | 874 | */ | ||
960 | 875 | |||
961 | 876 | static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) | ||
962 | 877 | { | ||
963 | 878 | ASN1_OCTET_STRING *exta, *extb; | ||
964 | 879 | int i; | ||
965 | 880 | i = X509_CRL_get_ext_by_NID(a, nid, 0); | ||
966 | 881 | if (i >= 0) | ||
967 | 882 | { | ||
968 | 883 | /* Can't have multiple occurrences */ | ||
969 | 884 | if (X509_CRL_get_ext_by_NID(a, nid, i) != -1) | ||
970 | 885 | return 0; | ||
971 | 886 | exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i)); | ||
972 | 887 | } | ||
973 | 888 | else | ||
974 | 889 | exta = NULL; | ||
975 | 890 | |||
976 | 891 | i = X509_CRL_get_ext_by_NID(b, nid, 0); | ||
977 | 892 | |||
978 | 893 | if (i >= 0) | ||
979 | 894 | { | ||
980 | 895 | |||
981 | 896 | if (X509_CRL_get_ext_by_NID(b, nid, i) != -1) | ||
982 | 897 | return 0; | ||
983 | 898 | extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i)); | ||
984 | 899 | } | ||
985 | 900 | else | ||
986 | 901 | extb = NULL; | ||
987 | 902 | |||
988 | 903 | if (!exta && !extb) | ||
989 | 904 | return 1; | ||
990 | 905 | |||
991 | 906 | if (!exta || !extb) | ||
992 | 907 | return 0; | ||
993 | 908 | |||
994 | 909 | |||
995 | 910 | if (ASN1_OCTET_STRING_cmp(exta, extb)) | ||
996 | 911 | return 0; | ||
997 | 912 | |||
998 | 913 | return 1; | ||
999 | 914 | } | ||
1000 | 915 | |||
1001 | 916 | /* See if a base and delta are compatible */ | ||
1002 | 917 | |||
1003 | 918 | static int check_delta_base(X509_CRL *delta, X509_CRL *base) | ||
1004 | 919 | { | ||
1005 | 920 | /* Delta CRL must be a delta */ | ||
1006 | 921 | if (!delta->base_crl_number) | ||
1007 | 922 | return 0; | ||
1008 | 923 | /* Base must have a CRL number */ | ||
1009 | 924 | if (!base->crl_number) | ||
1010 | 925 | return 0; | ||
1011 | 926 | /* Issuer names must match */ | ||
1012 | 927 | if (X509_NAME_cmp(X509_CRL_get_issuer(base), | ||
1013 | 928 | X509_CRL_get_issuer(delta))) | ||
1014 | 929 | return 0; | ||
1015 | 930 | /* AKID and IDP must match */ | ||
1016 | 931 | if (!crl_extension_match(delta, base, NID_authority_key_identifier)) | ||
1017 | 932 | return 0; | ||
1018 | 933 | if (!crl_extension_match(delta, base, NID_issuing_distribution_point)) | ||
1019 | 934 | return 0; | ||
1020 | 935 | /* Delta CRL base number must not exceed Full CRL number. */ | ||
1021 | 936 | if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0) | ||
1022 | 937 | return 0; | ||
1023 | 938 | /* Delta CRL number must exceed full CRL number */ | ||
1024 | 939 | if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0) | ||
1025 | 940 | return 1; | ||
1026 | 941 | return 0; | ||
1027 | 942 | } | ||
1028 | 943 | |||
1029 | 944 | /* For a given base CRL find a delta... maybe extend to delta scoring | ||
1030 | 945 | * or retrieve a chain of deltas... | ||
1031 | 946 | */ | ||
1032 | 947 | |||
1033 | 948 | static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore, | ||
1034 | 949 | X509_CRL *base, STACK_OF(X509_CRL) *crls) | ||
1035 | 950 | { | ||
1036 | 951 | X509_CRL *delta; | ||
1037 | 952 | int i; | ||
1038 | 953 | if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS)) | ||
1039 | 954 | return; | ||
1040 | 955 | if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST)) | ||
1041 | 956 | return; | ||
1042 | 957 | for (i = 0; i < sk_X509_CRL_num(crls); i++) | ||
1043 | 958 | { | ||
1044 | 959 | delta = sk_X509_CRL_value(crls, i); | ||
1045 | 960 | if (check_delta_base(delta, base)) | ||
1046 | 961 | { | ||
1047 | 962 | if (check_crl_time(ctx, delta, 0)) | ||
1048 | 963 | *pscore |= CRL_SCORE_TIME_DELTA; | ||
1049 | 964 | CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL); | ||
1050 | 965 | *dcrl = delta; | ||
1051 | 966 | return; | ||
1052 | 967 | } | ||
1053 | 968 | } | ||
1054 | 969 | *dcrl = NULL; | ||
1055 | 970 | } | ||
1056 | 971 | |||
1057 | 972 | /* For a given CRL return how suitable it is for the supplied certificate 'x'. | ||
1058 | 973 | * The return value is a mask of several criteria. | ||
1059 | 974 | * If the issuer is not the certificate issuer this is returned in *pissuer. | ||
1060 | 975 | * The reasons mask is also used to determine if the CRL is suitable: if | ||
1061 | 976 | * no new reasons the CRL is rejected, otherwise reasons is updated. | ||
1062 | 977 | */ | ||
1063 | 978 | |||
1064 | 979 | static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, | ||
1065 | 980 | unsigned int *preasons, | ||
1066 | 981 | X509_CRL *crl, X509 *x) | ||
1067 | 982 | { | ||
1068 | 983 | |||
1069 | 984 | int crl_score = 0; | ||
1070 | 985 | unsigned int tmp_reasons = *preasons, crl_reasons; | ||
1071 | 986 | |||
1072 | 987 | /* First see if we can reject CRL straight away */ | ||
1073 | 988 | |||
1074 | 989 | /* Invalid IDP cannot be processed */ | ||
1075 | 990 | if (crl->idp_flags & IDP_INVALID) | ||
1076 | 991 | return 0; | ||
1077 | 992 | /* Reason codes or indirect CRLs need extended CRL support */ | ||
1078 | 993 | if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) | ||
1079 | 994 | { | ||
1080 | 995 | if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS)) | ||
1081 | 996 | return 0; | ||
1082 | 997 | } | ||
1083 | 998 | else if (crl->idp_flags & IDP_REASONS) | ||
1084 | 999 | { | ||
1085 | 1000 | /* If no new reasons reject */ | ||
1086 | 1001 | if (!(crl->idp_reasons & ~tmp_reasons)) | ||
1087 | 1002 | return 0; | ||
1088 | 1003 | } | ||
1089 | 1004 | /* Don't process deltas at this stage */ | ||
1090 | 1005 | else if (crl->base_crl_number) | ||
1091 | 1006 | return 0; | ||
1092 | 1007 | /* If issuer name doesn't match certificate need indirect CRL */ | ||
1093 | 1008 | if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl))) | ||
1094 | 1009 | { | ||
1095 | 1010 | if (!(crl->idp_flags & IDP_INDIRECT)) | ||
1096 | 1011 | return 0; | ||
1097 | 1012 | } | ||
1098 | 1013 | else | ||
1099 | 1014 | crl_score |= CRL_SCORE_ISSUER_NAME; | ||
1100 | 1015 | |||
1101 | 1016 | if (!(crl->flags & EXFLAG_CRITICAL)) | ||
1102 | 1017 | crl_score |= CRL_SCORE_NOCRITICAL; | ||
1103 | 1018 | |||
1104 | 1019 | /* Check expiry */ | ||
1105 | 1020 | if (check_crl_time(ctx, crl, 0)) | ||
1106 | 1021 | crl_score |= CRL_SCORE_TIME; | ||
1107 | 1022 | |||
1108 | 1023 | /* Check authority key ID and locate certificate issuer */ | ||
1109 | 1024 | crl_akid_check(ctx, crl, pissuer, &crl_score); | ||
1110 | 1025 | |||
1111 | 1026 | /* If we can't locate certificate issuer at this point forget it */ | ||
1112 | 1027 | |||
1113 | 1028 | if (!(crl_score & CRL_SCORE_AKID)) | ||
1114 | 1029 | return 0; | ||
1115 | 1030 | |||
1116 | 1031 | /* Check cert for matching CRL distribution points */ | ||
1117 | 1032 | |||
1118 | 1033 | if (crl_crldp_check(x, crl, crl_score, &crl_reasons)) | ||
1119 | 1034 | { | ||
1120 | 1035 | /* If no new reasons reject */ | ||
1121 | 1036 | if (!(crl_reasons & ~tmp_reasons)) | ||
1122 | 1037 | return 0; | ||
1123 | 1038 | tmp_reasons |= crl_reasons; | ||
1124 | 1039 | crl_score |= CRL_SCORE_SCOPE; | ||
1125 | 1040 | } | ||
1126 | 1041 | |||
1127 | 1042 | *preasons = tmp_reasons; | ||
1128 | 1043 | |||
1129 | 1044 | return crl_score; | ||
1130 | 1045 | |||
1131 | 1046 | } | ||
1132 | 1047 | |||
1133 | 1048 | static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl, | ||
1134 | 1049 | X509 **pissuer, int *pcrl_score) | ||
1135 | 1050 | { | ||
1136 | 1051 | X509 *crl_issuer = NULL; | ||
1137 | 1052 | X509_NAME *cnm = X509_CRL_get_issuer(crl); | ||
1138 | 1053 | int cidx = ctx->error_depth; | ||
1139 | 1054 | int i; | ||
1140 | 1055 | |||
1141 | 1056 | if (cidx != sk_X509_num(ctx->chain) - 1) | ||
1142 | 1057 | cidx++; | ||
1143 | 1058 | |||
1144 | 1059 | crl_issuer = sk_X509_value(ctx->chain, cidx); | ||
1145 | 1060 | |||
1146 | 1061 | if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) | ||
1147 | 1062 | { | ||
1148 | 1063 | if (*pcrl_score & CRL_SCORE_ISSUER_NAME) | ||
1149 | 1064 | { | ||
1150 | 1065 | *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT; | ||
1151 | 1066 | *pissuer = crl_issuer; | ||
1152 | 1067 | return; | ||
1153 | 1068 | } | ||
1154 | 1069 | } | ||
1155 | 1070 | |||
1156 | 1071 | for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++) | ||
1157 | 1072 | { | ||
1158 | 1073 | crl_issuer = sk_X509_value(ctx->chain, cidx); | ||
1159 | 1074 | if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) | ||
1160 | 1075 | continue; | ||
1161 | 1076 | if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) | ||
1162 | 1077 | { | ||
1163 | 1078 | *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH; | ||
1164 | 1079 | *pissuer = crl_issuer; | ||
1165 | 1080 | return; | ||
1166 | 1081 | } | ||
1167 | 1082 | } | ||
1168 | 1083 | |||
1169 | 1084 | /* Anything else needs extended CRL support */ | ||
1170 | 1085 | |||
1171 | 1086 | if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT)) | ||
1172 | 1087 | return; | ||
1173 | 1088 | |||
1174 | 1089 | /* Otherwise the CRL issuer is not on the path. Look for it in the | ||
1175 | 1090 | * set of untrusted certificates. | ||
1176 | 1091 | */ | ||
1177 | 1092 | for (i = 0; i < sk_X509_num(ctx->untrusted); i++) | ||
1178 | 1093 | { | ||
1179 | 1094 | crl_issuer = sk_X509_value(ctx->untrusted, i); | ||
1180 | 1095 | if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm)) | ||
1181 | 1096 | continue; | ||
1182 | 1097 | if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK) | ||
1183 | 1098 | { | ||
1184 | 1099 | *pissuer = crl_issuer; | ||
1185 | 1100 | *pcrl_score |= CRL_SCORE_AKID; | ||
1186 | 1101 | return; | ||
1187 | 1102 | } | ||
1188 | 1103 | } | ||
1189 | 1104 | } | ||
1190 | 1105 | |||
1191 | 1106 | /* Check the path of a CRL issuer certificate. This creates a new | ||
1192 | 1107 | * X509_STORE_CTX and populates it with most of the parameters from the | ||
1193 | 1108 | * parent. This could be optimised somewhat since a lot of path checking | ||
1194 | 1109 | * will be duplicated by the parent, but this will rarely be used in | ||
1195 | 1110 | * practice. | ||
1196 | 1111 | */ | ||
1197 | 1112 | |||
1198 | 1113 | static int check_crl_path(X509_STORE_CTX *ctx, X509 *x) | ||
1199 | 1114 | { | ||
1200 | 1115 | X509_STORE_CTX crl_ctx; | ||
1201 | 1116 | int ret; | ||
1202 | 1117 | /* Don't allow recursive CRL path validation */ | ||
1203 | 1118 | if (ctx->parent) | ||
1204 | 1119 | return 0; | ||
1205 | 1120 | if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted)) | ||
1206 | 1121 | return -1; | ||
1207 | 1122 | |||
1208 | 1123 | crl_ctx.crls = ctx->crls; | ||
1209 | 1124 | /* Copy verify params across */ | ||
1210 | 1125 | X509_STORE_CTX_set0_param(&crl_ctx, ctx->param); | ||
1211 | 1126 | |||
1212 | 1127 | crl_ctx.parent = ctx; | ||
1213 | 1128 | crl_ctx.verify_cb = ctx->verify_cb; | ||
1214 | 1129 | |||
1215 | 1130 | /* Verify CRL issuer */ | ||
1216 | 1131 | ret = X509_verify_cert(&crl_ctx); | ||
1217 | 1132 | |||
1218 | 1133 | if (ret <= 0) | ||
1219 | 1134 | goto err; | ||
1220 | 1135 | |||
1221 | 1136 | /* Check chain is acceptable */ | ||
1222 | 1137 | |||
1223 | 1138 | ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain); | ||
1224 | 1139 | err: | ||
1225 | 1140 | X509_STORE_CTX_cleanup(&crl_ctx); | ||
1226 | 1141 | return ret; | ||
1227 | 1142 | } | ||
1228 | 1143 | |||
1229 | 1144 | /* RFC3280 says nothing about the relationship between CRL path | ||
1230 | 1145 | * and certificate path, which could lead to situations where a | ||
1231 | 1146 | * certificate could be revoked or validated by a CA not authorised | ||
1232 | 1147 | * to do so. RFC5280 is more strict and states that the two paths must | ||
1233 | 1148 | * end in the same trust anchor, though some discussions remain... | ||
1234 | 1149 | * until this is resolved we use the RFC5280 version | ||
1235 | 1150 | */ | ||
1236 | 1151 | |||
1237 | 1152 | static int check_crl_chain(X509_STORE_CTX *ctx, | ||
1238 | 1153 | STACK_OF(X509) *cert_path, | ||
1239 | 1154 | STACK_OF(X509) *crl_path) | ||
1240 | 1155 | { | ||
1241 | 1156 | X509 *cert_ta, *crl_ta; | ||
1242 | 1157 | cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1); | ||
1243 | 1158 | crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1); | ||
1244 | 1159 | if (!X509_cmp(cert_ta, crl_ta)) | ||
1245 | 1160 | return 1; | ||
1246 | 1161 | return 0; | ||
1247 | 1162 | } | ||
1248 | 1163 | |||
1249 | 1164 | /* Check for match between two dist point names: three separate cases. | ||
1250 | 1165 | * 1. Both are relative names and compare X509_NAME types. | ||
1251 | 1166 | * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES. | ||
1252 | 1167 | * 3. Both are full names and compare two GENERAL_NAMES. | ||
1253 | 1168 | * 4. One is NULL: automatic match. | ||
1254 | 1169 | */ | ||
1255 | 1170 | |||
1256 | 1171 | |||
1257 | 1172 | static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b) | ||
1258 | 1173 | { | ||
1259 | 1174 | X509_NAME *nm = NULL; | ||
1260 | 1175 | GENERAL_NAMES *gens = NULL; | ||
1261 | 1176 | GENERAL_NAME *gena, *genb; | ||
1262 | 1177 | int i, j; | ||
1263 | 1178 | if (!a || !b) | ||
1264 | 1179 | return 1; | ||
1265 | 1180 | if (a->type == 1) | ||
1266 | 1181 | { | ||
1267 | 1182 | if (!a->dpname) | ||
1268 | 1183 | return 0; | ||
1269 | 1184 | /* Case 1: two X509_NAME */ | ||
1270 | 1185 | if (b->type == 1) | ||
1271 | 1186 | { | ||
1272 | 1187 | if (!b->dpname) | ||
1273 | 1188 | return 0; | ||
1274 | 1189 | if (!X509_NAME_cmp(a->dpname, b->dpname)) | ||
1275 | 1190 | return 1; | ||
1276 | 1191 | else | ||
1277 | 1192 | return 0; | ||
1278 | 1193 | } | ||
1279 | 1194 | /* Case 2: set name and GENERAL_NAMES appropriately */ | ||
1280 | 1195 | nm = a->dpname; | ||
1281 | 1196 | gens = b->name.fullname; | ||
1282 | 1197 | } | ||
1283 | 1198 | else if (b->type == 1) | ||
1284 | 1199 | { | ||
1285 | 1200 | if (!b->dpname) | ||
1286 | 1201 | return 0; | ||
1287 | 1202 | /* Case 2: set name and GENERAL_NAMES appropriately */ | ||
1288 | 1203 | gens = a->name.fullname; | ||
1289 | 1204 | nm = b->dpname; | ||
1290 | 1205 | } | ||
1291 | 1206 | |||
1292 | 1207 | /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */ | ||
1293 | 1208 | if (nm) | ||
1294 | 1209 | { | ||
1295 | 1210 | for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) | ||
1296 | 1211 | { | ||
1297 | 1212 | gena = sk_GENERAL_NAME_value(gens, i); | ||
1298 | 1213 | if (gena->type != GEN_DIRNAME) | ||
1299 | 1214 | continue; | ||
1300 | 1215 | if (!X509_NAME_cmp(nm, gena->d.directoryName)) | ||
1301 | 1216 | return 1; | ||
1302 | 1217 | } | ||
1303 | 1218 | return 0; | ||
1304 | 1219 | } | ||
1305 | 1220 | |||
1306 | 1221 | /* Else case 3: two GENERAL_NAMES */ | ||
1307 | 1222 | |||
1308 | 1223 | for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++) | ||
1309 | 1224 | { | ||
1310 | 1225 | gena = sk_GENERAL_NAME_value(a->name.fullname, i); | ||
1311 | 1226 | for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++) | ||
1312 | 1227 | { | ||
1313 | 1228 | genb = sk_GENERAL_NAME_value(b->name.fullname, j); | ||
1314 | 1229 | if (!GENERAL_NAME_cmp(gena, genb)) | ||
1315 | 1230 | return 1; | ||
1316 | 1231 | } | ||
1317 | 1232 | } | ||
1318 | 1233 | |||
1319 | 1234 | return 0; | ||
1320 | 1235 | |||
1321 | 1236 | } | ||
1322 | 1237 | |||
1323 | 1238 | static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score) | ||
1324 | 1239 | { | ||
1325 | 1240 | int i; | ||
1326 | 1241 | X509_NAME *nm = X509_CRL_get_issuer(crl); | ||
1327 | 1242 | /* If no CRLissuer return is successful iff don't need a match */ | ||
1328 | 1243 | if (!dp->CRLissuer) | ||
1329 | 1244 | return !!(crl_score & CRL_SCORE_ISSUER_NAME); | ||
1330 | 1245 | for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) | ||
1331 | 1246 | { | ||
1332 | 1247 | GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i); | ||
1333 | 1248 | if (gen->type != GEN_DIRNAME) | ||
1334 | 1249 | continue; | ||
1335 | 1250 | if (!X509_NAME_cmp(gen->d.directoryName, nm)) | ||
1336 | 1251 | return 1; | ||
1337 | 1252 | } | ||
1338 | 1253 | return 0; | ||
1339 | 1254 | } | ||
1340 | 1255 | |||
1341 | 1256 | /* Check CRLDP and IDP */ | ||
1342 | 1257 | |||
1343 | 1258 | static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score, | ||
1344 | 1259 | unsigned int *preasons) | ||
1345 | 1260 | { | ||
1346 | 1261 | int i; | ||
1347 | 1262 | if (crl->idp_flags & IDP_ONLYATTR) | ||
1348 | 1263 | return 0; | ||
1349 | 1264 | if (x->ex_flags & EXFLAG_CA) | ||
1350 | 1265 | { | ||
1351 | 1266 | if (crl->idp_flags & IDP_ONLYUSER) | ||
1352 | 1267 | return 0; | ||
1353 | 1268 | } | ||
1354 | 1269 | else | ||
1355 | 1270 | { | ||
1356 | 1271 | if (crl->idp_flags & IDP_ONLYCA) | ||
1357 | 1272 | return 0; | ||
1358 | 1273 | } | ||
1359 | 1274 | *preasons = crl->idp_reasons; | ||
1360 | 1275 | for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++) | ||
1361 | 1276 | { | ||
1362 | 1277 | DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i); | ||
1363 | 1278 | if (crldp_check_crlissuer(dp, crl, crl_score)) | ||
1364 | 1279 | { | ||
1365 | 1280 | if (!crl->idp || | ||
1366 | 1281 | idp_check_dp(dp->distpoint, crl->idp->distpoint)) | ||
1367 | 1282 | { | ||
1368 | 1283 | *preasons &= dp->dp_reasons; | ||
1369 | 1284 | return 1; | ||
1370 | 1285 | } | ||
1371 | 1286 | } | ||
1372 | 1287 | } | ||
1373 | 1288 | if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME)) | ||
1374 | 1289 | return 1; | ||
1375 | 1290 | return 0; | ||
1376 | 1291 | } | ||
1377 | 1292 | |||
1378 | 1293 | /* Retrieve CRL corresponding to current certificate. | ||
1379 | 1294 | * If deltas enabled try to find a delta CRL too | ||
1380 | 1295 | */ | ||
1381 | 1296 | |||
1382 | 1297 | static int get_crl_delta(X509_STORE_CTX *ctx, | ||
1383 | 1298 | X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x) | ||
1384 | 1299 | { | ||
1385 | 1300 | int ok; | ||
1386 | 1301 | X509 *issuer = NULL; | ||
1387 | 1302 | int crl_score = 0; | ||
1388 | 1303 | unsigned int reasons; | ||
1389 | 1304 | X509_CRL *crl = NULL, *dcrl = NULL; | ||
1390 | 1305 | STACK_OF(X509_CRL) *skcrl; | ||
1391 | 1306 | X509_NAME *nm = X509_get_issuer_name(x); | ||
1392 | 1307 | reasons = ctx->current_reasons; | ||
1393 | 1308 | ok = get_crl_sk(ctx, &crl, &dcrl, | ||
1394 | 1309 | &issuer, &crl_score, &reasons, ctx->crls); | ||
1395 | 1310 | |||
1396 | 1311 | if (ok) | ||
1397 | 1312 | goto done; | ||
1398 | 1313 | |||
1399 | 1314 | /* Lookup CRLs from store */ | ||
1400 | 1315 | |||
1401 | 1316 | skcrl = ctx->lookup_crls(ctx, nm); | ||
1402 | 1317 | |||
1403 | 1318 | /* If no CRLs found and a near match from get_crl_sk use that */ | ||
1404 | 1319 | if (!skcrl && crl) | ||
1405 | 1320 | goto done; | ||
1406 | 1321 | |||
1407 | 1322 | get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl); | ||
1408 | 1323 | |||
1409 | 1324 | sk_X509_CRL_pop_free(skcrl, X509_CRL_free); | ||
1410 | 1325 | |||
1411 | 1326 | done: | ||
1412 | 1327 | |||
1413 | 1328 | /* If we got any kind of CRL use it and return success */ | ||
1414 | 1329 | if (crl) | ||
1415 | 1330 | { | ||
1416 | 1331 | ctx->current_issuer = issuer; | ||
1417 | 1332 | ctx->current_crl_score = crl_score; | ||
1418 | 1333 | ctx->current_reasons = reasons; | ||
1419 | 1334 | *pcrl = crl; | ||
1420 | 1335 | *pdcrl = dcrl; | ||
1421 | 1336 | return 1; | ||
1422 | 1337 | } | ||
1423 | 1338 | |||
1424 | 1339 | return 0; | ||
1425 | 1340 | } | ||
1426 | 1341 | |||
1427 | 1342 | /* Check CRL validity */ | ||
1428 | 1343 | static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) | ||
1429 | 1344 | { | ||
1430 | 1345 | X509 *issuer = NULL; | ||
1431 | 1346 | EVP_PKEY *ikey = NULL; | ||
1432 | 1347 | int ok = 0, chnum, cnum; | ||
1433 | 1348 | cnum = ctx->error_depth; | ||
1434 | 1349 | chnum = sk_X509_num(ctx->chain) - 1; | ||
1435 | 1350 | /* if we have an alternative CRL issuer cert use that */ | ||
1436 | 1351 | if (ctx->current_issuer) | ||
1437 | 1352 | issuer = ctx->current_issuer; | ||
1438 | 1353 | |||
1439 | 1354 | /* Else find CRL issuer: if not last certificate then issuer | ||
1440 | 1355 | * is next certificate in chain. | ||
1441 | 1356 | */ | ||
1442 | 1357 | else if (cnum < chnum) | ||
1443 | 1358 | issuer = sk_X509_value(ctx->chain, cnum + 1); | ||
1444 | 1359 | else | ||
1445 | 1360 | { | ||
1446 | 1361 | issuer = sk_X509_value(ctx->chain, chnum); | ||
1447 | 1362 | /* If not self signed, can't check signature */ | ||
1448 | 1363 | if(!ctx->check_issued(ctx, issuer, issuer)) | ||
1449 | 1364 | { | ||
1450 | 1365 | ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER; | ||
1451 | 1366 | ok = ctx->verify_cb(0, ctx); | ||
1452 | 1367 | if(!ok) goto err; | ||
1453 | 1368 | } | ||
1454 | 1369 | } | ||
1455 | 1370 | |||
1456 | 1371 | if(issuer) | ||
1457 | 1372 | { | ||
1458 | 1373 | /* Skip most tests for deltas because they have already | ||
1459 | 1374 | * been done | ||
1460 | 1375 | */ | ||
1461 | 1376 | if (!crl->base_crl_number) | ||
1462 | 1377 | { | ||
1463 | 1378 | /* Check for cRLSign bit if keyUsage present */ | ||
1464 | 1379 | if ((issuer->ex_flags & EXFLAG_KUSAGE) && | ||
1465 | 1380 | !(issuer->ex_kusage & KU_CRL_SIGN)) | ||
1466 | 1381 | { | ||
1467 | 1382 | ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN; | ||
1468 | 1383 | ok = ctx->verify_cb(0, ctx); | ||
1469 | 1384 | if(!ok) goto err; | ||
1470 | 1385 | } | ||
1471 | 1386 | |||
1472 | 1387 | if (!(ctx->current_crl_score & CRL_SCORE_SCOPE)) | ||
1473 | 1388 | { | ||
1474 | 1389 | ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE; | ||
1475 | 1390 | ok = ctx->verify_cb(0, ctx); | ||
1476 | 1391 | if(!ok) goto err; | ||
1477 | 1392 | } | ||
1478 | 1393 | |||
1479 | 1394 | if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH)) | ||
1480 | 1395 | { | ||
1481 | 1396 | if (check_crl_path(ctx, ctx->current_issuer) <= 0) | ||
1482 | 1397 | { | ||
1483 | 1398 | ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR; | ||
1484 | 1399 | ok = ctx->verify_cb(0, ctx); | ||
1485 | 1400 | if(!ok) goto err; | ||
1486 | 1401 | } | ||
1487 | 1402 | } | ||
1488 | 1403 | |||
1489 | 1404 | if (crl->idp_flags & IDP_INVALID) | ||
1490 | 1405 | { | ||
1491 | 1406 | ctx->error = X509_V_ERR_INVALID_EXTENSION; | ||
1492 | 1407 | ok = ctx->verify_cb(0, ctx); | ||
1493 | 1408 | if(!ok) goto err; | ||
1494 | 1409 | } | ||
1495 | 1410 | |||
1496 | 1411 | |||
1497 | 1412 | } | ||
1498 | 1413 | |||
1499 | 1414 | if (!(ctx->current_crl_score & CRL_SCORE_TIME)) | ||
1500 | 1415 | { | ||
1501 | 1416 | ok = check_crl_time(ctx, crl, 1); | ||
1502 | 1417 | if (!ok) | ||
1503 | 1418 | goto err; | ||
1504 | 1419 | } | ||
1505 | 1420 | |||
1506 | 1421 | /* Attempt to get issuer certificate public key */ | ||
1507 | 1422 | ikey = X509_get_pubkey(issuer); | ||
1508 | 1423 | |||
1509 | 1424 | if(!ikey) | ||
1510 | 1425 | { | ||
1511 | 1426 | ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; | ||
1512 | 1427 | ok = ctx->verify_cb(0, ctx); | ||
1513 | 1428 | if (!ok) goto err; | ||
1514 | 1429 | } | ||
1515 | 1430 | else | ||
1516 | 1431 | { | ||
1517 | 1432 | /* Verify CRL signature */ | ||
1518 | 1433 | if(X509_CRL_verify(crl, ikey) <= 0) | ||
1519 | 1434 | { | ||
1520 | 1435 | ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE; | ||
1521 | 1436 | ok = ctx->verify_cb(0, ctx); | ||
1522 | 1437 | if (!ok) goto err; | ||
1523 | 1438 | } | ||
1524 | 1439 | } | ||
1525 | 1440 | } | ||
1526 | 1441 | |||
1527 | 1442 | ok = 1; | ||
1528 | 1443 | |||
1529 | 1444 | err: | ||
1530 | 1445 | EVP_PKEY_free(ikey); | ||
1531 | 1446 | return ok; | ||
1532 | 1447 | } | ||
1533 | 1448 | |||
1534 | 1449 | /* Check certificate against CRL */ | ||
1535 | 1450 | static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) | ||
1536 | 1451 | { | ||
1537 | 1452 | int ok; | ||
1538 | 1453 | X509_REVOKED *rev; | ||
1539 | 1454 | /* The rules changed for this... previously if a CRL contained | ||
1540 | 1455 | * unhandled critical extensions it could still be used to indicate | ||
1541 | 1456 | * a certificate was revoked. This has since been changed since | ||
1542 | 1457 | * critical extension can change the meaning of CRL entries. | ||
1543 | 1458 | */ | ||
1544 | 1459 | if (crl->flags & EXFLAG_CRITICAL) | ||
1545 | 1460 | { | ||
1546 | 1461 | if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) | ||
1547 | 1462 | return 1; | ||
1548 | 1463 | ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; | ||
1549 | 1464 | ok = ctx->verify_cb(0, ctx); | ||
1550 | 1465 | if(!ok) | ||
1551 | 1466 | return 0; | ||
1552 | 1467 | } | ||
1553 | 1468 | /* Look for serial number of certificate in CRL | ||
1554 | 1469 | * If found make sure reason is not removeFromCRL. | ||
1555 | 1470 | */ | ||
1556 | 1471 | if (X509_CRL_get0_by_cert(crl, &rev, x)) | ||
1557 | 1472 | { | ||
1558 | 1473 | if (rev->reason == CRL_REASON_REMOVE_FROM_CRL) | ||
1559 | 1474 | return 2; | ||
1560 | 1475 | ctx->error = X509_V_ERR_CERT_REVOKED; | ||
1561 | 1476 | ok = ctx->verify_cb(0, ctx); | ||
1562 | 1477 | if (!ok) | ||
1563 | 1478 | return 0; | ||
1564 | 1479 | } | ||
1565 | 1480 | |||
1566 | 1481 | return 1; | ||
1567 | 1482 | } | ||
1568 | 1483 | |||
1569 | 1484 | static int check_policy(X509_STORE_CTX *ctx) | ||
1570 | 1485 | { | ||
1571 | 1486 | int ret; | ||
1572 | 1487 | if (ctx->parent) | ||
1573 | 1488 | return 1; | ||
1574 | 1489 | ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, | ||
1575 | 1490 | ctx->param->policies, ctx->param->flags); | ||
1576 | 1491 | if (ret == 0) | ||
1577 | 1492 | { | ||
1578 | 1493 | X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE); | ||
1579 | 1494 | return 0; | ||
1580 | 1495 | } | ||
1581 | 1496 | /* Invalid or inconsistent extensions */ | ||
1582 | 1497 | if (ret == -1) | ||
1583 | 1498 | { | ||
1584 | 1499 | /* Locate certificates with bad extensions and notify | ||
1585 | 1500 | * callback. | ||
1586 | 1501 | */ | ||
1587 | 1502 | X509 *x; | ||
1588 | 1503 | int i; | ||
1589 | 1504 | for (i = 1; i < sk_X509_num(ctx->chain); i++) | ||
1590 | 1505 | { | ||
1591 | 1506 | x = sk_X509_value(ctx->chain, i); | ||
1592 | 1507 | if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) | ||
1593 | 1508 | continue; | ||
1594 | 1509 | ctx->current_cert = x; | ||
1595 | 1510 | ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; | ||
1596 | 1511 | if(!ctx->verify_cb(0, ctx)) | ||
1597 | 1512 | return 0; | ||
1598 | 1513 | } | ||
1599 | 1514 | return 1; | ||
1600 | 1515 | } | ||
1601 | 1516 | if (ret == -2) | ||
1602 | 1517 | { | ||
1603 | 1518 | ctx->current_cert = NULL; | ||
1604 | 1519 | ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; | ||
1605 | 1520 | return ctx->verify_cb(0, ctx); | ||
1606 | 1521 | } | ||
1607 | 1522 | |||
1608 | 1523 | if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) | ||
1609 | 1524 | { | ||
1610 | 1525 | ctx->current_cert = NULL; | ||
1611 | 1526 | ctx->error = X509_V_OK; | ||
1612 | 1527 | if (!ctx->verify_cb(2, ctx)) | ||
1613 | 1528 | return 0; | ||
1614 | 1529 | } | ||
1615 | 1530 | |||
1616 | 1531 | return 1; | ||
1617 | 1532 | } | ||
1618 | 1533 | |||
1619 | 1534 | static int check_cert_time(X509_STORE_CTX *ctx, X509 *x) | ||
1620 | 1535 | { | ||
1621 | 1536 | time_t *ptime; | ||
1622 | 1537 | int i; | ||
1623 | 1538 | |||
1624 | 1539 | if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME) | ||
1625 | 1540 | ptime = &ctx->param->check_time; | ||
1626 | 1541 | else | ||
1627 | 1542 | ptime = NULL; | ||
1628 | 1543 | |||
1629 | 1544 | i=X509_cmp_time(X509_get_notBefore(x), ptime); | ||
1630 | 1545 | if (i == 0) | ||
1631 | 1546 | { | ||
1632 | 1547 | ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; | ||
1633 | 1548 | ctx->current_cert=x; | ||
1634 | 1549 | if (!ctx->verify_cb(0, ctx)) | ||
1635 | 1550 | return 0; | ||
1636 | 1551 | } | ||
1637 | 1552 | |||
1638 | 1553 | if (i > 0) | ||
1639 | 1554 | { | ||
1640 | 1555 | ctx->error=X509_V_ERR_CERT_NOT_YET_VALID; | ||
1641 | 1556 | ctx->current_cert=x; | ||
1642 | 1557 | if (!ctx->verify_cb(0, ctx)) | ||
1643 | 1558 | return 0; | ||
1644 | 1559 | } | ||
1645 | 1560 | |||
1646 | 1561 | i=X509_cmp_time(X509_get_notAfter(x), ptime); | ||
1647 | 1562 | if (i == 0) | ||
1648 | 1563 | { | ||
1649 | 1564 | ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; | ||
1650 | 1565 | ctx->current_cert=x; | ||
1651 | 1566 | if (!ctx->verify_cb(0, ctx)) | ||
1652 | 1567 | return 0; | ||
1653 | 1568 | } | ||
1654 | 1569 | |||
1655 | 1570 | if (i < 0) | ||
1656 | 1571 | { | ||
1657 | 1572 | ctx->error=X509_V_ERR_CERT_HAS_EXPIRED; | ||
1658 | 1573 | ctx->current_cert=x; | ||
1659 | 1574 | if (!ctx->verify_cb(0, ctx)) | ||
1660 | 1575 | return 0; | ||
1661 | 1576 | } | ||
1662 | 1577 | |||
1663 | 1578 | return 1; | ||
1664 | 1579 | } | ||
1665 | 1580 | |||
1666 | 1581 | static int internal_verify(X509_STORE_CTX *ctx) | ||
1667 | 1582 | { | ||
1668 | 1583 | int ok=0,n; | ||
1669 | 1584 | X509 *xs,*xi; | ||
1670 | 1585 | EVP_PKEY *pkey=NULL; | ||
1671 | 1586 | int (*cb)(int xok,X509_STORE_CTX *xctx); | ||
1672 | 1587 | |||
1673 | 1588 | cb=ctx->verify_cb; | ||
1674 | 1589 | |||
1675 | 1590 | n=sk_X509_num(ctx->chain); | ||
1676 | 1591 | ctx->error_depth=n-1; | ||
1677 | 1592 | n--; | ||
1678 | 1593 | xi=sk_X509_value(ctx->chain,n); | ||
1679 | 1594 | |||
1680 | 1595 | if (ctx->check_issued(ctx, xi, xi)) | ||
1681 | 1596 | xs=xi; | ||
1682 | 1597 | else | ||
1683 | 1598 | { | ||
1684 | 1599 | if (n <= 0) | ||
1685 | 1600 | { | ||
1686 | 1601 | ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; | ||
1687 | 1602 | ctx->current_cert=xi; | ||
1688 | 1603 | ok=cb(0,ctx); | ||
1689 | 1604 | goto end; | ||
1690 | 1605 | } | ||
1691 | 1606 | else | ||
1692 | 1607 | { | ||
1693 | 1608 | n--; | ||
1694 | 1609 | ctx->error_depth=n; | ||
1695 | 1610 | xs=sk_X509_value(ctx->chain,n); | ||
1696 | 1611 | } | ||
1697 | 1612 | } | ||
1698 | 1613 | |||
1699 | 1614 | /* ctx->error=0; not needed */ | ||
1700 | 1615 | while (n >= 0) | ||
1701 | 1616 | { | ||
1702 | 1617 | ctx->error_depth=n; | ||
1703 | 1618 | |||
1704 | 1619 | /* Skip signature check for self signed certificates unless | ||
1705 | 1620 | * explicitly asked for. It doesn't add any security and | ||
1706 | 1621 | * just wastes time. | ||
1707 | 1622 | */ | ||
1708 | 1623 | if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE))) | ||
1709 | 1624 | { | ||
1710 | 1625 | if ((pkey=X509_get_pubkey(xi)) == NULL) | ||
1711 | 1626 | { | ||
1712 | 1627 | ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; | ||
1713 | 1628 | ctx->current_cert=xi; | ||
1714 | 1629 | ok=(*cb)(0,ctx); | ||
1715 | 1630 | if (!ok) goto end; | ||
1716 | 1631 | } | ||
1717 | 1632 | else if (X509_verify(xs,pkey) <= 0) | ||
1718 | 1633 | { | ||
1719 | 1634 | ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE; | ||
1720 | 1635 | ctx->current_cert=xs; | ||
1721 | 1636 | ok=(*cb)(0,ctx); | ||
1722 | 1637 | if (!ok) | ||
1723 | 1638 | { | ||
1724 | 1639 | EVP_PKEY_free(pkey); | ||
1725 | 1640 | goto end; | ||
1726 | 1641 | } | ||
1727 | 1642 | } | ||
1728 | 1643 | EVP_PKEY_free(pkey); | ||
1729 | 1644 | pkey=NULL; | ||
1730 | 1645 | } | ||
1731 | 1646 | |||
1732 | 1647 | xs->valid = 1; | ||
1733 | 1648 | |||
1734 | 1649 | ok = check_cert_time(ctx, xs); | ||
1735 | 1650 | if (!ok) | ||
1736 | 1651 | goto end; | ||
1737 | 1652 | |||
1738 | 1653 | /* The last error (if any) is still in the error value */ | ||
1739 | 1654 | ctx->current_issuer=xi; | ||
1740 | 1655 | ctx->current_cert=xs; | ||
1741 | 1656 | ok=(*cb)(1,ctx); | ||
1742 | 1657 | if (!ok) goto end; | ||
1743 | 1658 | |||
1744 | 1659 | n--; | ||
1745 | 1660 | if (n >= 0) | ||
1746 | 1661 | { | ||
1747 | 1662 | xi=xs; | ||
1748 | 1663 | xs=sk_X509_value(ctx->chain,n); | ||
1749 | 1664 | } | ||
1750 | 1665 | } | ||
1751 | 1666 | ok=1; | ||
1752 | 1667 | end: | ||
1753 | 1668 | return ok; | ||
1754 | 1669 | } | ||
1755 | 1670 | |||
1756 | 1671 | int X509_cmp_current_time(const ASN1_TIME *ctm) | ||
1757 | 1672 | { | ||
1758 | 1673 | return X509_cmp_time(ctm, NULL); | ||
1759 | 1674 | } | ||
1760 | 1675 | |||
1761 | 1676 | int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) | ||
1762 | 1677 | { | ||
1763 | 1678 | char *str; | ||
1764 | 1679 | ASN1_TIME atm; | ||
1765 | 1680 | long offset; | ||
1766 | 1681 | char buff1[24],buff2[24],*p; | ||
1767 | 1682 | int i,j; | ||
1768 | 1683 | |||
1769 | 1684 | p=buff1; | ||
1770 | 1685 | i=ctm->length; | ||
1771 | 1686 | str=(char *)ctm->data; | ||
1772 | 1687 | if (ctm->type == V_ASN1_UTCTIME) | ||
1773 | 1688 | { | ||
1774 | 1689 | if ((i < 11) || (i > 17)) return 0; | ||
1775 | 1690 | memcpy(p,str,10); | ||
1776 | 1691 | p+=10; | ||
1777 | 1692 | str+=10; | ||
1778 | 1693 | } | ||
1779 | 1694 | else | ||
1780 | 1695 | { | ||
1781 | 1696 | if (i < 13) return 0; | ||
1782 | 1697 | memcpy(p,str,12); | ||
1783 | 1698 | p+=12; | ||
1784 | 1699 | str+=12; | ||
1785 | 1700 | } | ||
1786 | 1701 | |||
1787 | 1702 | if ((*str == 'Z') || (*str == '-') || (*str == '+')) | ||
1788 | 1703 | { *(p++)='0'; *(p++)='0'; } | ||
1789 | 1704 | else | ||
1790 | 1705 | { | ||
1791 | 1706 | *(p++)= *(str++); | ||
1792 | 1707 | *(p++)= *(str++); | ||
1793 | 1708 | /* Skip any fractional seconds... */ | ||
1794 | 1709 | if (*str == '.') | ||
1795 | 1710 | { | ||
1796 | 1711 | str++; | ||
1797 | 1712 | while ((*str >= '0') && (*str <= '9')) str++; | ||
1798 | 1713 | } | ||
1799 | 1714 | |||
1800 | 1715 | } | ||
1801 | 1716 | *(p++)='Z'; | ||
1802 | 1717 | *(p++)='\0'; | ||
1803 | 1718 | |||
1804 | 1719 | if (*str == 'Z') | ||
1805 | 1720 | offset=0; | ||
1806 | 1721 | else | ||
1807 | 1722 | { | ||
1808 | 1723 | if ((*str != '+') && (*str != '-')) | ||
1809 | 1724 | return 0; | ||
1810 | 1725 | offset=((str[1]-'0')*10+(str[2]-'0'))*60; | ||
1811 | 1726 | offset+=(str[3]-'0')*10+(str[4]-'0'); | ||
1812 | 1727 | if (*str == '-') | ||
1813 | 1728 | offset= -offset; | ||
1814 | 1729 | } | ||
1815 | 1730 | atm.type=ctm->type; | ||
1816 | 1731 | atm.flags = 0; | ||
1817 | 1732 | atm.length=sizeof(buff2); | ||
1818 | 1733 | atm.data=(unsigned char *)buff2; | ||
1819 | 1734 | |||
1820 | 1735 | if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL) | ||
1821 | 1736 | return 0; | ||
1822 | 1737 | |||
1823 | 1738 | if (ctm->type == V_ASN1_UTCTIME) | ||
1824 | 1739 | { | ||
1825 | 1740 | i=(buff1[0]-'0')*10+(buff1[1]-'0'); | ||
1826 | 1741 | if (i < 50) i+=100; /* cf. RFC 2459 */ | ||
1827 | 1742 | j=(buff2[0]-'0')*10+(buff2[1]-'0'); | ||
1828 | 1743 | if (j < 50) j+=100; | ||
1829 | 1744 | |||
1830 | 1745 | if (i < j) return -1; | ||
1831 | 1746 | if (i > j) return 1; | ||
1832 | 1747 | } | ||
1833 | 1748 | i=strcmp(buff1,buff2); | ||
1834 | 1749 | if (i == 0) /* wait a second then return younger :-) */ | ||
1835 | 1750 | return -1; | ||
1836 | 1751 | else | ||
1837 | 1752 | return i; | ||
1838 | 1753 | } | ||
1839 | 1754 | |||
1840 | 1755 | ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj) | ||
1841 | 1756 | { | ||
1842 | 1757 | return X509_time_adj(s, adj, NULL); | ||
1843 | 1758 | } | ||
1844 | 1759 | |||
1845 | 1760 | ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm) | ||
1846 | 1761 | { | ||
1847 | 1762 | return X509_time_adj_ex(s, 0, offset_sec, in_tm); | ||
1848 | 1763 | } | ||
1849 | 1764 | |||
1850 | 1765 | ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s, | ||
1851 | 1766 | int offset_day, long offset_sec, time_t *in_tm) | ||
1852 | 1767 | { | ||
1853 | 1768 | time_t t; | ||
1854 | 1769 | |||
1855 | 1770 | if (in_tm) t = *in_tm; | ||
1856 | 1771 | else time(&t); | ||
1857 | 1772 | |||
1858 | 1773 | if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING)) | ||
1859 | 1774 | { | ||
1860 | 1775 | if (s->type == V_ASN1_UTCTIME) | ||
1861 | 1776 | return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec); | ||
1862 | 1777 | if (s->type == V_ASN1_GENERALIZEDTIME) | ||
1863 | 1778 | return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, | ||
1864 | 1779 | offset_sec); | ||
1865 | 1780 | } | ||
1866 | 1781 | return ASN1_TIME_adj(s, t, offset_day, offset_sec); | ||
1867 | 1782 | } | ||
1868 | 1783 | |||
1869 | 1784 | int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) | ||
1870 | 1785 | { | ||
1871 | 1786 | EVP_PKEY *ktmp=NULL,*ktmp2; | ||
1872 | 1787 | int i,j; | ||
1873 | 1788 | |||
1874 | 1789 | if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1; | ||
1875 | 1790 | |||
1876 | 1791 | for (i=0; i<sk_X509_num(chain); i++) | ||
1877 | 1792 | { | ||
1878 | 1793 | ktmp=X509_get_pubkey(sk_X509_value(chain,i)); | ||
1879 | 1794 | if (ktmp == NULL) | ||
1880 | 1795 | { | ||
1881 | 1796 | X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY); | ||
1882 | 1797 | return 0; | ||
1883 | 1798 | } | ||
1884 | 1799 | if (!EVP_PKEY_missing_parameters(ktmp)) | ||
1885 | 1800 | break; | ||
1886 | 1801 | else | ||
1887 | 1802 | { | ||
1888 | 1803 | EVP_PKEY_free(ktmp); | ||
1889 | 1804 | ktmp=NULL; | ||
1890 | 1805 | } | ||
1891 | 1806 | } | ||
1892 | 1807 | if (ktmp == NULL) | ||
1893 | 1808 | { | ||
1894 | 1809 | X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN); | ||
1895 | 1810 | return 0; | ||
1896 | 1811 | } | ||
1897 | 1812 | |||
1898 | 1813 | /* first, populate the other certs */ | ||
1899 | 1814 | for (j=i-1; j >= 0; j--) | ||
1900 | 1815 | { | ||
1901 | 1816 | ktmp2=X509_get_pubkey(sk_X509_value(chain,j)); | ||
1902 | 1817 | EVP_PKEY_copy_parameters(ktmp2,ktmp); | ||
1903 | 1818 | EVP_PKEY_free(ktmp2); | ||
1904 | 1819 | } | ||
1905 | 1820 | |||
1906 | 1821 | if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp); | ||
1907 | 1822 | EVP_PKEY_free(ktmp); | ||
1908 | 1823 | return 1; | ||
1909 | 1824 | } | ||
1910 | 1825 | |||
1911 | 1826 | int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, | ||
1912 | 1827 | CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func) | ||
1913 | 1828 | { | ||
1914 | 1829 | /* This function is (usually) called only once, by | ||
1915 | 1830 | * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */ | ||
1916 | 1831 | return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, | ||
1917 | 1832 | new_func, dup_func, free_func); | ||
1918 | 1833 | } | ||
1919 | 1834 | |||
1920 | 1835 | int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) | ||
1921 | 1836 | { | ||
1922 | 1837 | return CRYPTO_set_ex_data(&ctx->ex_data,idx,data); | ||
1923 | 1838 | } | ||
1924 | 1839 | |||
1925 | 1840 | void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) | ||
1926 | 1841 | { | ||
1927 | 1842 | return CRYPTO_get_ex_data(&ctx->ex_data,idx); | ||
1928 | 1843 | } | ||
1929 | 1844 | |||
1930 | 1845 | int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) | ||
1931 | 1846 | { | ||
1932 | 1847 | return ctx->error; | ||
1933 | 1848 | } | ||
1934 | 1849 | |||
1935 | 1850 | void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) | ||
1936 | 1851 | { | ||
1937 | 1852 | ctx->error=err; | ||
1938 | 1853 | } | ||
1939 | 1854 | |||
1940 | 1855 | int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) | ||
1941 | 1856 | { | ||
1942 | 1857 | return ctx->error_depth; | ||
1943 | 1858 | } | ||
1944 | 1859 | |||
1945 | 1860 | X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) | ||
1946 | 1861 | { | ||
1947 | 1862 | return ctx->current_cert; | ||
1948 | 1863 | } | ||
1949 | 1864 | |||
1950 | 1865 | STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) | ||
1951 | 1866 | { | ||
1952 | 1867 | return ctx->chain; | ||
1953 | 1868 | } | ||
1954 | 1869 | |||
1955 | 1870 | STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) | ||
1956 | 1871 | { | ||
1957 | 1872 | int i; | ||
1958 | 1873 | X509 *x; | ||
1959 | 1874 | STACK_OF(X509) *chain; | ||
1960 | 1875 | if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL; | ||
1961 | 1876 | for (i = 0; i < sk_X509_num(chain); i++) | ||
1962 | 1877 | { | ||
1963 | 1878 | x = sk_X509_value(chain, i); | ||
1964 | 1879 | CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); | ||
1965 | 1880 | } | ||
1966 | 1881 | return chain; | ||
1967 | 1882 | } | ||
1968 | 1883 | |||
1969 | 1884 | X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) | ||
1970 | 1885 | { | ||
1971 | 1886 | return ctx->current_issuer; | ||
1972 | 1887 | } | ||
1973 | 1888 | |||
1974 | 1889 | X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) | ||
1975 | 1890 | { | ||
1976 | 1891 | return ctx->current_crl; | ||
1977 | 1892 | } | ||
1978 | 1893 | |||
1979 | 1894 | X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) | ||
1980 | 1895 | { | ||
1981 | 1896 | return ctx->parent; | ||
1982 | 1897 | } | ||
1983 | 1898 | |||
1984 | 1899 | void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) | ||
1985 | 1900 | { | ||
1986 | 1901 | ctx->cert=x; | ||
1987 | 1902 | } | ||
1988 | 1903 | |||
1989 | 1904 | void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) | ||
1990 | 1905 | { | ||
1991 | 1906 | ctx->untrusted=sk; | ||
1992 | 1907 | } | ||
1993 | 1908 | |||
1994 | 1909 | void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) | ||
1995 | 1910 | { | ||
1996 | 1911 | ctx->crls=sk; | ||
1997 | 1912 | } | ||
1998 | 1913 | |||
1999 | 1914 | int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) | ||
2000 | 1915 | { | ||
2001 | 1916 | return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); | ||
2002 | 1917 | } | ||
2003 | 1918 | |||
2004 | 1919 | int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) | ||
2005 | 1920 | { | ||
2006 | 1921 | return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); | ||
2007 | 1922 | } | ||
2008 | 1923 | |||
2009 | 1924 | /* This function is used to set the X509_STORE_CTX purpose and trust | ||
2010 | 1925 | * values. This is intended to be used when another structure has its | ||
2011 | 1926 | * own trust and purpose values which (if set) will be inherited by | ||
2012 | 1927 | * the ctx. If they aren't set then we will usually have a default | ||
2013 | 1928 | * purpose in mind which should then be used to set the trust value. | ||
2014 | 1929 | * An example of this is SSL use: an SSL structure will have its own | ||
2015 | 1930 | * purpose and trust settings which the application can set: if they | ||
2016 | 1931 | * aren't set then we use the default of SSL client/server. | ||
2017 | 1932 | */ | ||
2018 | 1933 | |||
2019 | 1934 | int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, | ||
2020 | 1935 | int purpose, int trust) | ||
2021 | 1936 | { | ||
2022 | 1937 | int idx; | ||
2023 | 1938 | /* If purpose not set use default */ | ||
2024 | 1939 | if (!purpose) purpose = def_purpose; | ||
2025 | 1940 | /* If we have a purpose then check it is valid */ | ||
2026 | 1941 | if (purpose) | ||
2027 | 1942 | { | ||
2028 | 1943 | X509_PURPOSE *ptmp; | ||
2029 | 1944 | idx = X509_PURPOSE_get_by_id(purpose); | ||
2030 | 1945 | if (idx == -1) | ||
2031 | 1946 | { | ||
2032 | 1947 | X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, | ||
2033 | 1948 | X509_R_UNKNOWN_PURPOSE_ID); | ||
2034 | 1949 | return 0; | ||
2035 | 1950 | } | ||
2036 | 1951 | ptmp = X509_PURPOSE_get0(idx); | ||
2037 | 1952 | if (ptmp->trust == X509_TRUST_DEFAULT) | ||
2038 | 1953 | { | ||
2039 | 1954 | idx = X509_PURPOSE_get_by_id(def_purpose); | ||
2040 | 1955 | if (idx == -1) | ||
2041 | 1956 | { | ||
2042 | 1957 | X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, | ||
2043 | 1958 | X509_R_UNKNOWN_PURPOSE_ID); | ||
2044 | 1959 | return 0; | ||
2045 | 1960 | } | ||
2046 | 1961 | ptmp = X509_PURPOSE_get0(idx); | ||
2047 | 1962 | } | ||
2048 | 1963 | /* If trust not set then get from purpose default */ | ||
2049 | 1964 | if (!trust) trust = ptmp->trust; | ||
2050 | 1965 | } | ||
2051 | 1966 | if (trust) | ||
2052 | 1967 | { | ||
2053 | 1968 | idx = X509_TRUST_get_by_id(trust); | ||
2054 | 1969 | if (idx == -1) | ||
2055 | 1970 | { | ||
2056 | 1971 | X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT, | ||
2057 | 1972 | X509_R_UNKNOWN_TRUST_ID); | ||
2058 | 1973 | return 0; | ||
2059 | 1974 | } | ||
2060 | 1975 | } | ||
2061 | 1976 | |||
2062 | 1977 | if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose; | ||
2063 | 1978 | if (trust && !ctx->param->trust) ctx->param->trust = trust; | ||
2064 | 1979 | return 1; | ||
2065 | 1980 | } | ||
2066 | 1981 | |||
2067 | 1982 | X509_STORE_CTX *X509_STORE_CTX_new(void) | ||
2068 | 1983 | { | ||
2069 | 1984 | X509_STORE_CTX *ctx; | ||
2070 | 1985 | ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX)); | ||
2071 | 1986 | if (!ctx) | ||
2072 | 1987 | { | ||
2073 | 1988 | X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE); | ||
2074 | 1989 | return NULL; | ||
2075 | 1990 | } | ||
2076 | 1991 | memset(ctx, 0, sizeof(X509_STORE_CTX)); | ||
2077 | 1992 | return ctx; | ||
2078 | 1993 | } | ||
2079 | 1994 | |||
2080 | 1995 | void X509_STORE_CTX_free(X509_STORE_CTX *ctx) | ||
2081 | 1996 | { | ||
2082 | 1997 | X509_STORE_CTX_cleanup(ctx); | ||
2083 | 1998 | OPENSSL_free(ctx); | ||
2084 | 1999 | } | ||
2085 | 2000 | |||
2086 | 2001 | int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, | ||
2087 | 2002 | STACK_OF(X509) *chain) | ||
2088 | 2003 | { | ||
2089 | 2004 | int ret = 1; | ||
2090 | 2005 | ctx->ctx=store; | ||
2091 | 2006 | ctx->current_method=0; | ||
2092 | 2007 | ctx->cert=x509; | ||
2093 | 2008 | ctx->untrusted=chain; | ||
2094 | 2009 | ctx->crls = NULL; | ||
2095 | 2010 | ctx->last_untrusted=0; | ||
2096 | 2011 | ctx->other_ctx=NULL; | ||
2097 | 2012 | ctx->valid=0; | ||
2098 | 2013 | ctx->chain=NULL; | ||
2099 | 2014 | ctx->error=0; | ||
2100 | 2015 | ctx->explicit_policy=0; | ||
2101 | 2016 | ctx->error_depth=0; | ||
2102 | 2017 | ctx->current_cert=NULL; | ||
2103 | 2018 | ctx->current_issuer=NULL; | ||
2104 | 2019 | ctx->current_crl=NULL; | ||
2105 | 2020 | ctx->current_crl_score=0; | ||
2106 | 2021 | ctx->current_reasons=0; | ||
2107 | 2022 | ctx->tree = NULL; | ||
2108 | 2023 | ctx->parent = NULL; | ||
2109 | 2024 | |||
2110 | 2025 | ctx->param = X509_VERIFY_PARAM_new(); | ||
2111 | 2026 | |||
2112 | 2027 | if (!ctx->param) | ||
2113 | 2028 | { | ||
2114 | 2029 | X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); | ||
2115 | 2030 | return 0; | ||
2116 | 2031 | } | ||
2117 | 2032 | |||
2118 | 2033 | /* Inherit callbacks and flags from X509_STORE if not set | ||
2119 | 2034 | * use defaults. | ||
2120 | 2035 | */ | ||
2121 | 2036 | |||
2122 | 2037 | |||
2123 | 2038 | if (store) | ||
2124 | 2039 | ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); | ||
2125 | 2040 | else | ||
2126 | 2041 | ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; | ||
2127 | 2042 | |||
2128 | 2043 | if (store) | ||
2129 | 2044 | { | ||
2130 | 2045 | ctx->verify_cb = store->verify_cb; | ||
2131 | 2046 | ctx->cleanup = store->cleanup; | ||
2132 | 2047 | } | ||
2133 | 2048 | else | ||
2134 | 2049 | ctx->cleanup = 0; | ||
2135 | 2050 | |||
2136 | 2051 | if (ret) | ||
2137 | 2052 | ret = X509_VERIFY_PARAM_inherit(ctx->param, | ||
2138 | 2053 | X509_VERIFY_PARAM_lookup("default")); | ||
2139 | 2054 | |||
2140 | 2055 | if (ret == 0) | ||
2141 | 2056 | { | ||
2142 | 2057 | X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); | ||
2143 | 2058 | return 0; | ||
2144 | 2059 | } | ||
2145 | 2060 | |||
2146 | 2061 | if (store && store->check_issued) | ||
2147 | 2062 | ctx->check_issued = store->check_issued; | ||
2148 | 2063 | else | ||
2149 | 2064 | ctx->check_issued = check_issued; | ||
2150 | 2065 | |||
2151 | 2066 | if (store && store->get_issuer) | ||
2152 | 2067 | ctx->get_issuer = store->get_issuer; | ||
2153 | 2068 | else | ||
2154 | 2069 | ctx->get_issuer = X509_STORE_CTX_get1_issuer; | ||
2155 | 2070 | |||
2156 | 2071 | if (store && store->verify_cb) | ||
2157 | 2072 | ctx->verify_cb = store->verify_cb; | ||
2158 | 2073 | else | ||
2159 | 2074 | ctx->verify_cb = null_callback; | ||
2160 | 2075 | |||
2161 | 2076 | if (store && store->verify) | ||
2162 | 2077 | ctx->verify = store->verify; | ||
2163 | 2078 | else | ||
2164 | 2079 | ctx->verify = internal_verify; | ||
2165 | 2080 | |||
2166 | 2081 | if (store && store->check_revocation) | ||
2167 | 2082 | ctx->check_revocation = store->check_revocation; | ||
2168 | 2083 | else | ||
2169 | 2084 | ctx->check_revocation = check_revocation; | ||
2170 | 2085 | |||
2171 | 2086 | if (store && store->get_crl) | ||
2172 | 2087 | ctx->get_crl = store->get_crl; | ||
2173 | 2088 | else | ||
2174 | 2089 | ctx->get_crl = NULL; | ||
2175 | 2090 | |||
2176 | 2091 | if (store && store->check_crl) | ||
2177 | 2092 | ctx->check_crl = store->check_crl; | ||
2178 | 2093 | else | ||
2179 | 2094 | ctx->check_crl = check_crl; | ||
2180 | 2095 | |||
2181 | 2096 | if (store && store->cert_crl) | ||
2182 | 2097 | ctx->cert_crl = store->cert_crl; | ||
2183 | 2098 | else | ||
2184 | 2099 | ctx->cert_crl = cert_crl; | ||
2185 | 2100 | |||
2186 | 2101 | if (store && store->lookup_certs) | ||
2187 | 2102 | ctx->lookup_certs = store->lookup_certs; | ||
2188 | 2103 | else | ||
2189 | 2104 | ctx->lookup_certs = X509_STORE_get1_certs; | ||
2190 | 2105 | |||
2191 | 2106 | if (store && store->lookup_crls) | ||
2192 | 2107 | ctx->lookup_crls = store->lookup_crls; | ||
2193 | 2108 | else | ||
2194 | 2109 | ctx->lookup_crls = X509_STORE_get1_crls; | ||
2195 | 2110 | |||
2196 | 2111 | ctx->check_policy = check_policy; | ||
2197 | 2112 | |||
2198 | 2113 | |||
2199 | 2114 | /* This memset() can't make any sense anyway, so it's removed. As | ||
2200 | 2115 | * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a | ||
2201 | 2116 | * corresponding "new" here and remove this bogus initialisation. */ | ||
2202 | 2117 | /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ | ||
2203 | 2118 | if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, | ||
2204 | 2119 | &(ctx->ex_data))) | ||
2205 | 2120 | { | ||
2206 | 2121 | OPENSSL_free(ctx); | ||
2207 | 2122 | X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE); | ||
2208 | 2123 | return 0; | ||
2209 | 2124 | } | ||
2210 | 2125 | return 1; | ||
2211 | 2126 | } | ||
2212 | 2127 | |||
2213 | 2128 | /* Set alternative lookup method: just a STACK of trusted certificates. | ||
2214 | 2129 | * This avoids X509_STORE nastiness where it isn't needed. | ||
2215 | 2130 | */ | ||
2216 | 2131 | |||
2217 | 2132 | void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) | ||
2218 | 2133 | { | ||
2219 | 2134 | ctx->other_ctx = sk; | ||
2220 | 2135 | ctx->get_issuer = get_issuer_sk; | ||
2221 | 2136 | } | ||
2222 | 2137 | |||
2223 | 2138 | void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) | ||
2224 | 2139 | { | ||
2225 | 2140 | if (ctx->cleanup) ctx->cleanup(ctx); | ||
2226 | 2141 | if (ctx->param != NULL) | ||
2227 | 2142 | { | ||
2228 | 2143 | if (ctx->parent == NULL) | ||
2229 | 2144 | X509_VERIFY_PARAM_free(ctx->param); | ||
2230 | 2145 | ctx->param=NULL; | ||
2231 | 2146 | } | ||
2232 | 2147 | if (ctx->tree != NULL) | ||
2233 | 2148 | { | ||
2234 | 2149 | X509_policy_tree_free(ctx->tree); | ||
2235 | 2150 | ctx->tree=NULL; | ||
2236 | 2151 | } | ||
2237 | 2152 | if (ctx->chain != NULL) | ||
2238 | 2153 | { | ||
2239 | 2154 | sk_X509_pop_free(ctx->chain,X509_free); | ||
2240 | 2155 | ctx->chain=NULL; | ||
2241 | 2156 | } | ||
2242 | 2157 | CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data)); | ||
2243 | 2158 | memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); | ||
2244 | 2159 | } | ||
2245 | 2160 | |||
2246 | 2161 | void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) | ||
2247 | 2162 | { | ||
2248 | 2163 | X509_VERIFY_PARAM_set_depth(ctx->param, depth); | ||
2249 | 2164 | } | ||
2250 | 2165 | |||
2251 | 2166 | void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) | ||
2252 | 2167 | { | ||
2253 | 2168 | X509_VERIFY_PARAM_set_flags(ctx->param, flags); | ||
2254 | 2169 | } | ||
2255 | 2170 | |||
2256 | 2171 | void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) | ||
2257 | 2172 | { | ||
2258 | 2173 | X509_VERIFY_PARAM_set_time(ctx->param, t); | ||
2259 | 2174 | } | ||
2260 | 2175 | |||
2261 | 2176 | void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, | ||
2262 | 2177 | int (*verify_cb)(int, X509_STORE_CTX *)) | ||
2263 | 2178 | { | ||
2264 | 2179 | ctx->verify_cb=verify_cb; | ||
2265 | 2180 | } | ||
2266 | 2181 | |||
2267 | 2182 | X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) | ||
2268 | 2183 | { | ||
2269 | 2184 | return ctx->tree; | ||
2270 | 2185 | } | ||
2271 | 2186 | |||
2272 | 2187 | int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) | ||
2273 | 2188 | { | ||
2274 | 2189 | return ctx->explicit_policy; | ||
2275 | 2190 | } | ||
2276 | 2191 | |||
2277 | 2192 | int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) | ||
2278 | 2193 | { | ||
2279 | 2194 | const X509_VERIFY_PARAM *param; | ||
2280 | 2195 | param = X509_VERIFY_PARAM_lookup(name); | ||
2281 | 2196 | if (!param) | ||
2282 | 2197 | return 0; | ||
2283 | 2198 | return X509_VERIFY_PARAM_inherit(ctx->param, param); | ||
2284 | 2199 | } | ||
2285 | 2200 | |||
2286 | 2201 | X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) | ||
2287 | 2202 | { | ||
2288 | 2203 | return ctx->param; | ||
2289 | 2204 | } | ||
2290 | 2205 | |||
2291 | 2206 | void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) | ||
2292 | 2207 | { | ||
2293 | 2208 | if (ctx->param) | ||
2294 | 2209 | X509_VERIFY_PARAM_free(ctx->param); | ||
2295 | 2210 | ctx->param = param; | ||
2296 | 2211 | } | ||
2297 | 2212 | |||
2298 | 2213 | IMPLEMENT_STACK_OF(X509) | ||
2299 | 2214 | IMPLEMENT_ASN1_SET_OF(X509) | ||
2300 | 2215 | |||
2301 | 2216 | IMPLEMENT_STACK_OF(X509_NAME) | ||
2302 | 2217 | |||
2303 | 2218 | IMPLEMENT_STACK_OF(X509_ATTRIBUTE) | ||
2304 | 2219 | IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE) | ||
2305 | 0 | 2220 | ||
2306 | === added directory '.pc/c_rehash-multi.patch' | |||
2307 | === added directory '.pc/c_rehash-multi.patch/tools' | |||
2308 | === added file '.pc/c_rehash-multi.patch/tools/c_rehash.in' | |||
2309 | --- .pc/c_rehash-multi.patch/tools/c_rehash.in 1970-01-01 00:00:00 +0000 | |||
2310 | +++ .pc/c_rehash-multi.patch/tools/c_rehash.in 2011-09-15 05:17:15 +0000 | |||
2311 | @@ -0,0 +1,192 @@ | |||
2312 | 1 | #!/usr/local/bin/perl | ||
2313 | 2 | |||
2314 | 3 | |||
2315 | 4 | # Perl c_rehash script, scan all files in a directory | ||
2316 | 5 | # and add symbolic links to their hash values. | ||
2317 | 6 | |||
2318 | 7 | my $openssl; | ||
2319 | 8 | |||
2320 | 9 | my $dir; | ||
2321 | 10 | my $prefix; | ||
2322 | 11 | |||
2323 | 12 | if(defined $ENV{OPENSSL}) { | ||
2324 | 13 | $openssl = $ENV{OPENSSL}; | ||
2325 | 14 | } else { | ||
2326 | 15 | $openssl = "openssl"; | ||
2327 | 16 | $ENV{OPENSSL} = $openssl; | ||
2328 | 17 | } | ||
2329 | 18 | |||
2330 | 19 | my $pwd; | ||
2331 | 20 | eval "require Cwd"; | ||
2332 | 21 | if (defined(&Cwd::getcwd)) { | ||
2333 | 22 | $pwd=Cwd::getcwd(); | ||
2334 | 23 | } else { | ||
2335 | 24 | $pwd=`pwd`; chomp($pwd); | ||
2336 | 25 | } | ||
2337 | 26 | my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter? | ||
2338 | 27 | |||
2339 | 28 | $ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); # prefix our path | ||
2340 | 29 | |||
2341 | 30 | if(! -x $openssl) { | ||
2342 | 31 | my $found = 0; | ||
2343 | 32 | foreach (split /$path_delim/, $ENV{PATH}) { | ||
2344 | 33 | if(-x "$_/$openssl") { | ||
2345 | 34 | $found = 1; | ||
2346 | 35 | $openssl = "$_/$openssl"; | ||
2347 | 36 | last; | ||
2348 | 37 | } | ||
2349 | 38 | } | ||
2350 | 39 | if($found == 0) { | ||
2351 | 40 | print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n"; | ||
2352 | 41 | exit 0; | ||
2353 | 42 | } | ||
2354 | 43 | } | ||
2355 | 44 | |||
2356 | 45 | if(@ARGV) { | ||
2357 | 46 | @dirlist = @ARGV; | ||
2358 | 47 | } elsif($ENV{SSL_CERT_DIR}) { | ||
2359 | 48 | @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR}; | ||
2360 | 49 | } else { | ||
2361 | 50 | $dirlist[0] = "$dir/certs"; | ||
2362 | 51 | } | ||
2363 | 52 | |||
2364 | 53 | if (-d $dirlist[0]) { | ||
2365 | 54 | chdir $dirlist[0]; | ||
2366 | 55 | $openssl="$pwd/$openssl" if (!-x $openssl); | ||
2367 | 56 | chdir $pwd; | ||
2368 | 57 | } | ||
2369 | 58 | |||
2370 | 59 | foreach (@dirlist) { | ||
2371 | 60 | if(-d $_ and -w $_) { | ||
2372 | 61 | hash_dir($_); | ||
2373 | 62 | } | ||
2374 | 63 | } | ||
2375 | 64 | |||
2376 | 65 | sub hash_dir { | ||
2377 | 66 | my %hashlist; | ||
2378 | 67 | print "Doing $_[0]\n"; | ||
2379 | 68 | chdir $_[0]; | ||
2380 | 69 | opendir(DIR, "."); | ||
2381 | 70 | my @flist = readdir(DIR); | ||
2382 | 71 | # Delete any existing symbolic links | ||
2383 | 72 | foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) { | ||
2384 | 73 | if(-l $_) { | ||
2385 | 74 | unlink $_; | ||
2386 | 75 | } | ||
2387 | 76 | } | ||
2388 | 77 | closedir DIR; | ||
2389 | 78 | FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) { | ||
2390 | 79 | # Check to see if certificates and/or CRLs present. | ||
2391 | 80 | my ($cert, $crl) = check_file($fname); | ||
2392 | 81 | if(!$cert && !$crl) { | ||
2393 | 82 | ($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der -outform pem | "); | ||
2394 | 83 | if(!$cert && !$crl) { | ||
2395 | 84 | print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n"; | ||
2396 | 85 | next; | ||
2397 | 86 | } | ||
2398 | 87 | } | ||
2399 | 88 | link_hash_cert($fname) if($cert); | ||
2400 | 89 | link_hash_cert_old($fname) if($cert); | ||
2401 | 90 | link_hash_crl($fname) if($crl); | ||
2402 | 91 | } | ||
2403 | 92 | } | ||
2404 | 93 | |||
2405 | 94 | sub check_file { | ||
2406 | 95 | my ($is_cert, $is_crl) = (0,0); | ||
2407 | 96 | my $fname = $_[0]; | ||
2408 | 97 | open IN, $fname; | ||
2409 | 98 | while(<IN>) { | ||
2410 | 99 | if(/^-----BEGIN (.*)-----/) { | ||
2411 | 100 | my $hdr = $1; | ||
2412 | 101 | if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) { | ||
2413 | 102 | $is_cert = 1; | ||
2414 | 103 | last if($is_crl); | ||
2415 | 104 | } elsif($hdr eq "X509 CRL") { | ||
2416 | 105 | $is_crl = 1; | ||
2417 | 106 | last if($is_cert); | ||
2418 | 107 | } | ||
2419 | 108 | } | ||
2420 | 109 | } | ||
2421 | 110 | close IN; | ||
2422 | 111 | return ($is_cert, $is_crl); | ||
2423 | 112 | } | ||
2424 | 113 | |||
2425 | 114 | |||
2426 | 115 | # Link a certificate to its subject name hash value, each hash is of | ||
2427 | 116 | # the form <hash>.<n> where n is an integer. If the hash value already exists | ||
2428 | 117 | # then we need to up the value of n, unless its a duplicate in which | ||
2429 | 118 | # case we skip the link. We check for duplicates by comparing the | ||
2430 | 119 | # certificate fingerprints | ||
2431 | 120 | |||
2432 | 121 | sub link_hash_cert { | ||
2433 | 122 | my $fname = $_[0]; | ||
2434 | 123 | my $hashopt = $_[1] || '-subject_hash'; | ||
2435 | 124 | $fname =~ s/'/'\\''/g; | ||
2436 | 125 | my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`; | ||
2437 | 126 | chomp $hash; | ||
2438 | 127 | chomp $fprint; | ||
2439 | 128 | $fprint =~ s/^.*=//; | ||
2440 | 129 | $fprint =~ tr/://d; | ||
2441 | 130 | my $suffix = 0; | ||
2442 | 131 | # Search for an unused hash filename | ||
2443 | 132 | while(exists $hashlist{"$hash.$suffix"}) { | ||
2444 | 133 | # Hash matches: if fingerprint matches its a duplicate cert | ||
2445 | 134 | if($hashlist{"$hash.$suffix"} eq $fprint) { | ||
2446 | 135 | print STDERR "WARNING: Skipping duplicate certificate $fname\n"; | ||
2447 | 136 | return; | ||
2448 | 137 | } | ||
2449 | 138 | $suffix++; | ||
2450 | 139 | } | ||
2451 | 140 | $hash .= ".$suffix"; | ||
2452 | 141 | print "$fname => $hash\n"; | ||
2453 | 142 | $symlink_exists=eval {symlink("",""); 1}; | ||
2454 | 143 | if ($symlink_exists) { | ||
2455 | 144 | symlink $fname, $hash; | ||
2456 | 145 | } else { | ||
2457 | 146 | open IN,"<$fname" or die "can't open $fname for read"; | ||
2458 | 147 | open OUT,">$hash" or die "can't open $hash for write"; | ||
2459 | 148 | print OUT <IN>; # does the job for small text files | ||
2460 | 149 | close OUT; | ||
2461 | 150 | close IN; | ||
2462 | 151 | } | ||
2463 | 152 | $hashlist{$hash} = $fprint; | ||
2464 | 153 | } | ||
2465 | 154 | |||
2466 | 155 | sub link_hash_cert_old { | ||
2467 | 156 | link_hash_cert($_[0], '-subject_hash_old'); | ||
2468 | 157 | } | ||
2469 | 158 | |||
2470 | 159 | # Same as above except for a CRL. CRL links are of the form <hash>.r<n> | ||
2471 | 160 | |||
2472 | 161 | sub link_hash_crl { | ||
2473 | 162 | my $fname = $_[0]; | ||
2474 | 163 | $fname =~ s/'/'\\''/g; | ||
2475 | 164 | my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`; | ||
2476 | 165 | if(!$hash || !fprint) { | ||
2477 | 166 | ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname' -inform der`; | ||
2478 | 167 | } | ||
2479 | 168 | chomp $hash; | ||
2480 | 169 | chomp $fprint; | ||
2481 | 170 | $fprint =~ s/^.*=//; | ||
2482 | 171 | $fprint =~ tr/://d; | ||
2483 | 172 | my $suffix = 0; | ||
2484 | 173 | # Search for an unused hash filename | ||
2485 | 174 | while(exists $hashlist{"$hash.r$suffix"}) { | ||
2486 | 175 | # Hash matches: if fingerprint matches its a duplicate cert | ||
2487 | 176 | if($hashlist{"$hash.r$suffix"} eq $fprint) { | ||
2488 | 177 | print STDERR "WARNING: Skipping duplicate CRL $fname\n"; | ||
2489 | 178 | return; | ||
2490 | 179 | } | ||
2491 | 180 | $suffix++; | ||
2492 | 181 | } | ||
2493 | 182 | $hash .= ".r$suffix"; | ||
2494 | 183 | print "$fname => $hash\n"; | ||
2495 | 184 | $symlink_exists=eval {symlink("",""); 1}; | ||
2496 | 185 | if ($symlink_exists) { | ||
2497 | 186 | symlink $fname, $hash; | ||
2498 | 187 | } else { | ||
2499 | 188 | system ("cp", $fname, $hash); | ||
2500 | 189 | } | ||
2501 | 190 | $hashlist{$hash} = $fprint; | ||
2502 | 191 | } | ||
2503 | 192 | |||
2504 | 0 | 193 | ||
2505 | === modified file '.pc/config-hurd.patch/config' | |||
2506 | --- .pc/config-hurd.patch/config 2010-12-12 15:37:21 +0000 | |||
2507 | +++ .pc/config-hurd.patch/config 2011-09-15 05:17:15 +0000 | |||
2508 | @@ -825,6 +825,10 @@ | |||
2509 | 825 | # options="$options -DATALLA" | 825 | # options="$options -DATALLA" |
2510 | 826 | #fi | 826 | #fi |
2511 | 827 | 827 | ||
2512 | 828 | ($CC -Wa,--help -c -o /dev/null -x assembler /dev/null 2>&1 | \ | ||
2513 | 829 | grep \\--noexecstack) 2>&1 > /dev/null && \ | ||
2514 | 830 | options="$options -Wa,--noexecstack" | ||
2515 | 831 | |||
2516 | 828 | # gcc < 2.8 does not support -march=ultrasparc | 832 | # gcc < 2.8 does not support -march=ultrasparc |
2517 | 829 | if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ] | 833 | if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ] |
2518 | 830 | then | 834 | then |
2519 | 831 | 835 | ||
2520 | === added directory '.pc/dgst_hmac.patch' | |||
2521 | === added directory '.pc/dgst_hmac.patch/apps' | |||
2522 | === added file '.pc/dgst_hmac.patch/apps/dgst.c' | |||
2523 | --- .pc/dgst_hmac.patch/apps/dgst.c 1970-01-01 00:00:00 +0000 | |||
2524 | +++ .pc/dgst_hmac.patch/apps/dgst.c 2011-09-15 05:17:15 +0000 | |||
2525 | @@ -0,0 +1,632 @@ | |||
2526 | 1 | /* apps/dgst.c */ | ||
2527 | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | ||
2528 | 3 | * All rights reserved. | ||
2529 | 4 | * | ||
2530 | 5 | * This package is an SSL implementation written | ||
2531 | 6 | * by Eric Young (eay@cryptsoft.com). | ||
2532 | 7 | * The implementation was written so as to conform with Netscapes SSL. | ||
2533 | 8 | * | ||
2534 | 9 | * This library is free for commercial and non-commercial use as long as | ||
2535 | 10 | * the following conditions are aheared to. The following conditions | ||
2536 | 11 | * apply to all code found in this distribution, be it the RC4, RSA, | ||
2537 | 12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation | ||
2538 | 13 | * included with this distribution is covered by the same copyright terms | ||
2539 | 14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). | ||
2540 | 15 | * | ||
2541 | 16 | * Copyright remains Eric Young's, and as such any Copyright notices in | ||
2542 | 17 | * the code are not to be removed. | ||
2543 | 18 | * If this package is used in a product, Eric Young should be given attribution | ||
2544 | 19 | * as the author of the parts of the library used. | ||
2545 | 20 | * This can be in the form of a textual message at program startup or | ||
2546 | 21 | * in documentation (online or textual) provided with the package. | ||
2547 | 22 | * | ||
2548 | 23 | * Redistribution and use in source and binary forms, with or without | ||
2549 | 24 | * modification, are permitted provided that the following conditions | ||
2550 | 25 | * are met: | ||
2551 | 26 | * 1. Redistributions of source code must retain the copyright | ||
2552 | 27 | * notice, this list of conditions and the following disclaimer. | ||
2553 | 28 | * 2. Redistributions in binary form must reproduce the above copyright | ||
2554 | 29 | * notice, this list of conditions and the following disclaimer in the | ||
2555 | 30 | * documentation and/or other materials provided with the distribution. | ||
2556 | 31 | * 3. All advertising materials mentioning features or use of this software | ||
2557 | 32 | * must display the following acknowledgement: | ||
2558 | 33 | * "This product includes cryptographic software written by | ||
2559 | 34 | * Eric Young (eay@cryptsoft.com)" | ||
2560 | 35 | * The word 'cryptographic' can be left out if the rouines from the library | ||
2561 | 36 | * being used are not cryptographic related :-). | ||
2562 | 37 | * 4. If you include any Windows specific code (or a derivative thereof) from | ||
2563 | 38 | * the apps directory (application code) you must include an acknowledgement: | ||
2564 | 39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" | ||
2565 | 40 | * | ||
2566 | 41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND | ||
2567 | 42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
2568 | 43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
2569 | 44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
2570 | 45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
2571 | 46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
2572 | 47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
2573 | 48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
2574 | 49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
2575 | 50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
2576 | 51 | * SUCH DAMAGE. | ||
2577 | 52 | * | ||
2578 | 53 | * The licence and distribution terms for any publically available version or | ||
2579 | 54 | * derivative of this code cannot be changed. i.e. this code cannot simply be | ||
2580 | 55 | * copied and put under another distribution licence | ||
2581 | 56 | * [including the GNU Public Licence.] | ||
2582 | 57 | */ | ||
2583 | 58 | |||
2584 | 59 | #include <stdio.h> | ||
2585 | 60 | #include <string.h> | ||
2586 | 61 | #include <stdlib.h> | ||
2587 | 62 | #include "apps.h" | ||
2588 | 63 | #include <openssl/bio.h> | ||
2589 | 64 | #include <openssl/err.h> | ||
2590 | 65 | #include <openssl/evp.h> | ||
2591 | 66 | #include <openssl/objects.h> | ||
2592 | 67 | #include <openssl/x509.h> | ||
2593 | 68 | #include <openssl/pem.h> | ||
2594 | 69 | #include <openssl/hmac.h> | ||
2595 | 70 | |||
2596 | 71 | #undef BUFSIZE | ||
2597 | 72 | #define BUFSIZE 1024*8 | ||
2598 | 73 | |||
2599 | 74 | #undef PROG | ||
2600 | 75 | #define PROG dgst_main | ||
2601 | 76 | |||
2602 | 77 | int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, | ||
2603 | 78 | EVP_PKEY *key, unsigned char *sigin, int siglen, | ||
2604 | 79 | const char *sig_name, const char *md_name, | ||
2605 | 80 | const char *file,BIO *bmd); | ||
2606 | 81 | |||
2607 | 82 | static void list_md_fn(const EVP_MD *m, | ||
2608 | 83 | const char *from, const char *to, void *arg) | ||
2609 | 84 | { | ||
2610 | 85 | const char *mname; | ||
2611 | 86 | /* Skip aliases */ | ||
2612 | 87 | if (!m) | ||
2613 | 88 | return; | ||
2614 | 89 | mname = OBJ_nid2ln(EVP_MD_type(m)); | ||
2615 | 90 | /* Skip shortnames */ | ||
2616 | 91 | if (strcmp(from, mname)) | ||
2617 | 92 | return; | ||
2618 | 93 | /* Skip clones */ | ||
2619 | 94 | if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST) | ||
2620 | 95 | return; | ||
2621 | 96 | if (strchr(mname, ' ')) | ||
2622 | 97 | mname= EVP_MD_name(m); | ||
2623 | 98 | BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n", | ||
2624 | 99 | mname, mname); | ||
2625 | 100 | } | ||
2626 | 101 | |||
2627 | 102 | int MAIN(int, char **); | ||
2628 | 103 | |||
2629 | 104 | int MAIN(int argc, char **argv) | ||
2630 | 105 | { | ||
2631 | 106 | ENGINE *e = NULL; | ||
2632 | 107 | unsigned char *buf=NULL; | ||
2633 | 108 | int i,err=1; | ||
2634 | 109 | const EVP_MD *md=NULL,*m; | ||
2635 | 110 | BIO *in=NULL,*inp; | ||
2636 | 111 | BIO *bmd=NULL; | ||
2637 | 112 | BIO *out = NULL; | ||
2638 | 113 | #define PROG_NAME_SIZE 39 | ||
2639 | 114 | char pname[PROG_NAME_SIZE+1]; | ||
2640 | 115 | int separator=0; | ||
2641 | 116 | int debug=0; | ||
2642 | 117 | int keyform=FORMAT_PEM; | ||
2643 | 118 | const char *outfile = NULL, *keyfile = NULL; | ||
2644 | 119 | const char *sigfile = NULL, *randfile = NULL; | ||
2645 | 120 | int out_bin = -1, want_pub = 0, do_verify = 0; | ||
2646 | 121 | EVP_PKEY *sigkey = NULL; | ||
2647 | 122 | unsigned char *sigbuf = NULL; | ||
2648 | 123 | int siglen = 0; | ||
2649 | 124 | char *passargin = NULL, *passin = NULL; | ||
2650 | 125 | #ifndef OPENSSL_NO_ENGINE | ||
2651 | 126 | char *engine=NULL; | ||
2652 | 127 | #endif | ||
2653 | 128 | char *hmac_key=NULL; | ||
2654 | 129 | char *mac_name=NULL; | ||
2655 | 130 | STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL; | ||
2656 | 131 | |||
2657 | 132 | apps_startup(); | ||
2658 | 133 | |||
2659 | 134 | if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL) | ||
2660 | 135 | { | ||
2661 | 136 | BIO_printf(bio_err,"out of memory\n"); | ||
2662 | 137 | goto end; | ||
2663 | 138 | } | ||
2664 | 139 | if (bio_err == NULL) | ||
2665 | 140 | if ((bio_err=BIO_new(BIO_s_file())) != NULL) | ||
2666 | 141 | BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); | ||
2667 | 142 | |||
2668 | 143 | if (!load_config(bio_err, NULL)) | ||
2669 | 144 | goto end; | ||
2670 | 145 | |||
2671 | 146 | /* first check the program name */ | ||
2672 | 147 | program_name(argv[0],pname,sizeof pname); | ||
2673 | 148 | |||
2674 | 149 | md=EVP_get_digestbyname(pname); | ||
2675 | 150 | |||
2676 | 151 | argc--; | ||
2677 | 152 | argv++; | ||
2678 | 153 | while (argc > 0) | ||
2679 | 154 | { | ||
2680 | 155 | if ((*argv)[0] != '-') break; | ||
2681 | 156 | if (strcmp(*argv,"-c") == 0) | ||
2682 | 157 | separator=1; | ||
2683 | 158 | else if (strcmp(*argv,"-r") == 0) | ||
2684 | 159 | separator=2; | ||
2685 | 160 | else if (strcmp(*argv,"-rand") == 0) | ||
2686 | 161 | { | ||
2687 | 162 | if (--argc < 1) break; | ||
2688 | 163 | randfile=*(++argv); | ||
2689 | 164 | } | ||
2690 | 165 | else if (strcmp(*argv,"-out") == 0) | ||
2691 | 166 | { | ||
2692 | 167 | if (--argc < 1) break; | ||
2693 | 168 | outfile=*(++argv); | ||
2694 | 169 | } | ||
2695 | 170 | else if (strcmp(*argv,"-sign") == 0) | ||
2696 | 171 | { | ||
2697 | 172 | if (--argc < 1) break; | ||
2698 | 173 | keyfile=*(++argv); | ||
2699 | 174 | } | ||
2700 | 175 | else if (!strcmp(*argv,"-passin")) | ||
2701 | 176 | { | ||
2702 | 177 | if (--argc < 1) | ||
2703 | 178 | break; | ||
2704 | 179 | passargin=*++argv; | ||
2705 | 180 | } | ||
2706 | 181 | else if (strcmp(*argv,"-verify") == 0) | ||
2707 | 182 | { | ||
2708 | 183 | if (--argc < 1) break; | ||
2709 | 184 | keyfile=*(++argv); | ||
2710 | 185 | want_pub = 1; | ||
2711 | 186 | do_verify = 1; | ||
2712 | 187 | } | ||
2713 | 188 | else if (strcmp(*argv,"-prverify") == 0) | ||
2714 | 189 | { | ||
2715 | 190 | if (--argc < 1) break; | ||
2716 | 191 | keyfile=*(++argv); | ||
2717 | 192 | do_verify = 1; | ||
2718 | 193 | } | ||
2719 | 194 | else if (strcmp(*argv,"-signature") == 0) | ||
2720 | 195 | { | ||
2721 | 196 | if (--argc < 1) break; | ||
2722 | 197 | sigfile=*(++argv); | ||
2723 | 198 | } | ||
2724 | 199 | else if (strcmp(*argv,"-keyform") == 0) | ||
2725 | 200 | { | ||
2726 | 201 | if (--argc < 1) break; | ||
2727 | 202 | keyform=str2fmt(*(++argv)); | ||
2728 | 203 | } | ||
2729 | 204 | #ifndef OPENSSL_NO_ENGINE | ||
2730 | 205 | else if (strcmp(*argv,"-engine") == 0) | ||
2731 | 206 | { | ||
2732 | 207 | if (--argc < 1) break; | ||
2733 | 208 | engine= *(++argv); | ||
2734 | 209 | e = setup_engine(bio_err, engine, 0); | ||
2735 | 210 | } | ||
2736 | 211 | #endif | ||
2737 | 212 | else if (strcmp(*argv,"-hex") == 0) | ||
2738 | 213 | out_bin = 0; | ||
2739 | 214 | else if (strcmp(*argv,"-binary") == 0) | ||
2740 | 215 | out_bin = 1; | ||
2741 | 216 | else if (strcmp(*argv,"-d") == 0) | ||
2742 | 217 | debug=1; | ||
2743 | 218 | else if (!strcmp(*argv,"-hmac")) | ||
2744 | 219 | { | ||
2745 | 220 | if (--argc < 1) | ||
2746 | 221 | break; | ||
2747 | 222 | hmac_key=*++argv; | ||
2748 | 223 | } | ||
2749 | 224 | else if (!strcmp(*argv,"-mac")) | ||
2750 | 225 | { | ||
2751 | 226 | if (--argc < 1) | ||
2752 | 227 | break; | ||
2753 | 228 | mac_name=*++argv; | ||
2754 | 229 | } | ||
2755 | 230 | else if (strcmp(*argv,"-sigopt") == 0) | ||
2756 | 231 | { | ||
2757 | 232 | if (--argc < 1) | ||
2758 | 233 | break; | ||
2759 | 234 | if (!sigopts) | ||
2760 | 235 | sigopts = sk_OPENSSL_STRING_new_null(); | ||
2761 | 236 | if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv))) | ||
2762 | 237 | break; | ||
2763 | 238 | } | ||
2764 | 239 | else if (strcmp(*argv,"-macopt") == 0) | ||
2765 | 240 | { | ||
2766 | 241 | if (--argc < 1) | ||
2767 | 242 | break; | ||
2768 | 243 | if (!macopts) | ||
2769 | 244 | macopts = sk_OPENSSL_STRING_new_null(); | ||
2770 | 245 | if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv))) | ||
2771 | 246 | break; | ||
2772 | 247 | } | ||
2773 | 248 | else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL) | ||
2774 | 249 | md=m; | ||
2775 | 250 | else | ||
2776 | 251 | break; | ||
2777 | 252 | argc--; | ||
2778 | 253 | argv++; | ||
2779 | 254 | } | ||
2780 | 255 | |||
2781 | 256 | |||
2782 | 257 | if(do_verify && !sigfile) { | ||
2783 | 258 | BIO_printf(bio_err, "No signature to verify: use the -signature option\n"); | ||
2784 | 259 | goto end; | ||
2785 | 260 | } | ||
2786 | 261 | |||
2787 | 262 | if ((argc > 0) && (argv[0][0] == '-')) /* bad option */ | ||
2788 | 263 | { | ||
2789 | 264 | BIO_printf(bio_err,"unknown option '%s'\n",*argv); | ||
2790 | 265 | BIO_printf(bio_err,"options are\n"); | ||
2791 | 266 | BIO_printf(bio_err,"-c to output the digest with separating colons\n"); | ||
2792 | 267 | BIO_printf(bio_err,"-r to output the digest in coreutils format\n"); | ||
2793 | 268 | BIO_printf(bio_err,"-d to output debug info\n"); | ||
2794 | 269 | BIO_printf(bio_err,"-hex output as hex dump\n"); | ||
2795 | 270 | BIO_printf(bio_err,"-binary output in binary form\n"); | ||
2796 | 271 | BIO_printf(bio_err,"-sign file sign digest using private key in file\n"); | ||
2797 | 272 | BIO_printf(bio_err,"-verify file verify a signature using public key in file\n"); | ||
2798 | 273 | BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n"); | ||
2799 | 274 | BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n"); | ||
2800 | 275 | BIO_printf(bio_err,"-out filename output to filename rather than stdout\n"); | ||
2801 | 276 | BIO_printf(bio_err,"-signature file signature to verify\n"); | ||
2802 | 277 | BIO_printf(bio_err,"-sigopt nm:v signature parameter\n"); | ||
2803 | 278 | BIO_printf(bio_err,"-hmac key create hashed MAC with key\n"); | ||
2804 | 279 | BIO_printf(bio_err,"-mac algorithm create MAC (not neccessarily HMAC)\n"); | ||
2805 | 280 | BIO_printf(bio_err,"-macopt nm:v MAC algorithm parameters or key\n"); | ||
2806 | 281 | #ifndef OPENSSL_NO_ENGINE | ||
2807 | 282 | BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n"); | ||
2808 | 283 | #endif | ||
2809 | 284 | |||
2810 | 285 | EVP_MD_do_all_sorted(list_md_fn, bio_err); | ||
2811 | 286 | goto end; | ||
2812 | 287 | } | ||
2813 | 288 | |||
2814 | 289 | in=BIO_new(BIO_s_file()); | ||
2815 | 290 | bmd=BIO_new(BIO_f_md()); | ||
2816 | 291 | if (debug) | ||
2817 | 292 | { | ||
2818 | 293 | BIO_set_callback(in,BIO_debug_callback); | ||
2819 | 294 | /* needed for windows 3.1 */ | ||
2820 | 295 | BIO_set_callback_arg(in,(char *)bio_err); | ||
2821 | 296 | } | ||
2822 | 297 | |||
2823 | 298 | if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) | ||
2824 | 299 | { | ||
2825 | 300 | BIO_printf(bio_err, "Error getting password\n"); | ||
2826 | 301 | goto end; | ||
2827 | 302 | } | ||
2828 | 303 | |||
2829 | 304 | if ((in == NULL) || (bmd == NULL)) | ||
2830 | 305 | { | ||
2831 | 306 | ERR_print_errors(bio_err); | ||
2832 | 307 | goto end; | ||
2833 | 308 | } | ||
2834 | 309 | |||
2835 | 310 | if(out_bin == -1) { | ||
2836 | 311 | if(keyfile) | ||
2837 | 312 | out_bin = 1; | ||
2838 | 313 | else | ||
2839 | 314 | out_bin = 0; | ||
2840 | 315 | } | ||
2841 | 316 | |||
2842 | 317 | if(randfile) | ||
2843 | 318 | app_RAND_load_file(randfile, bio_err, 0); | ||
2844 | 319 | |||
2845 | 320 | if(outfile) { | ||
2846 | 321 | if(out_bin) | ||
2847 | 322 | out = BIO_new_file(outfile, "wb"); | ||
2848 | 323 | else out = BIO_new_file(outfile, "w"); | ||
2849 | 324 | } else { | ||
2850 | 325 | out = BIO_new_fp(stdout, BIO_NOCLOSE); | ||
2851 | 326 | #ifdef OPENSSL_SYS_VMS | ||
2852 | 327 | { | ||
2853 | 328 | BIO *tmpbio = BIO_new(BIO_f_linebuffer()); | ||
2854 | 329 | out = BIO_push(tmpbio, out); | ||
2855 | 330 | } | ||
2856 | 331 | #endif | ||
2857 | 332 | } | ||
2858 | 333 | |||
2859 | 334 | if(!out) { | ||
2860 | 335 | BIO_printf(bio_err, "Error opening output file %s\n", | ||
2861 | 336 | outfile ? outfile : "(stdout)"); | ||
2862 | 337 | ERR_print_errors(bio_err); | ||
2863 | 338 | goto end; | ||
2864 | 339 | } | ||
2865 | 340 | if ((!!mac_name + !!keyfile + !!hmac_key) > 1) | ||
2866 | 341 | { | ||
2867 | 342 | BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n"); | ||
2868 | 343 | goto end; | ||
2869 | 344 | } | ||
2870 | 345 | |||
2871 | 346 | if(keyfile) | ||
2872 | 347 | { | ||
2873 | 348 | if (want_pub) | ||
2874 | 349 | sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL, | ||
2875 | 350 | e, "key file"); | ||
2876 | 351 | else | ||
2877 | 352 | sigkey = load_key(bio_err, keyfile, keyform, 0, passin, | ||
2878 | 353 | e, "key file"); | ||
2879 | 354 | if (!sigkey) | ||
2880 | 355 | { | ||
2881 | 356 | /* load_[pub]key() has already printed an appropriate | ||
2882 | 357 | message */ | ||
2883 | 358 | goto end; | ||
2884 | 359 | } | ||
2885 | 360 | } | ||
2886 | 361 | |||
2887 | 362 | if (mac_name) | ||
2888 | 363 | { | ||
2889 | 364 | EVP_PKEY_CTX *mac_ctx = NULL; | ||
2890 | 365 | int r = 0; | ||
2891 | 366 | if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0)) | ||
2892 | 367 | goto mac_end; | ||
2893 | 368 | if (macopts) | ||
2894 | 369 | { | ||
2895 | 370 | char *macopt; | ||
2896 | 371 | for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) | ||
2897 | 372 | { | ||
2898 | 373 | macopt = sk_OPENSSL_STRING_value(macopts, i); | ||
2899 | 374 | if (pkey_ctrl_string(mac_ctx, macopt) <= 0) | ||
2900 | 375 | { | ||
2901 | 376 | BIO_printf(bio_err, | ||
2902 | 377 | "MAC parameter error \"%s\"\n", | ||
2903 | 378 | macopt); | ||
2904 | 379 | ERR_print_errors(bio_err); | ||
2905 | 380 | goto mac_end; | ||
2906 | 381 | } | ||
2907 | 382 | } | ||
2908 | 383 | } | ||
2909 | 384 | if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) | ||
2910 | 385 | { | ||
2911 | 386 | BIO_puts(bio_err, "Error generating key\n"); | ||
2912 | 387 | ERR_print_errors(bio_err); | ||
2913 | 388 | goto mac_end; | ||
2914 | 389 | } | ||
2915 | 390 | r = 1; | ||
2916 | 391 | mac_end: | ||
2917 | 392 | if (mac_ctx) | ||
2918 | 393 | EVP_PKEY_CTX_free(mac_ctx); | ||
2919 | 394 | if (r == 0) | ||
2920 | 395 | goto end; | ||
2921 | 396 | } | ||
2922 | 397 | |||
2923 | 398 | if (hmac_key) | ||
2924 | 399 | { | ||
2925 | 400 | sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e, | ||
2926 | 401 | (unsigned char *)hmac_key, -1); | ||
2927 | 402 | if (!sigkey) | ||
2928 | 403 | goto end; | ||
2929 | 404 | } | ||
2930 | 405 | |||
2931 | 406 | if (sigkey) | ||
2932 | 407 | { | ||
2933 | 408 | EVP_MD_CTX *mctx = NULL; | ||
2934 | 409 | EVP_PKEY_CTX *pctx = NULL; | ||
2935 | 410 | int r; | ||
2936 | 411 | if (!BIO_get_md_ctx(bmd, &mctx)) | ||
2937 | 412 | { | ||
2938 | 413 | BIO_printf(bio_err, "Error getting context\n"); | ||
2939 | 414 | ERR_print_errors(bio_err); | ||
2940 | 415 | goto end; | ||
2941 | 416 | } | ||
2942 | 417 | if (do_verify) | ||
2943 | 418 | r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey); | ||
2944 | 419 | else | ||
2945 | 420 | r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey); | ||
2946 | 421 | if (!r) | ||
2947 | 422 | { | ||
2948 | 423 | BIO_printf(bio_err, "Error setting context\n"); | ||
2949 | 424 | ERR_print_errors(bio_err); | ||
2950 | 425 | goto end; | ||
2951 | 426 | } | ||
2952 | 427 | if (sigopts) | ||
2953 | 428 | { | ||
2954 | 429 | char *sigopt; | ||
2955 | 430 | for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) | ||
2956 | 431 | { | ||
2957 | 432 | sigopt = sk_OPENSSL_STRING_value(sigopts, i); | ||
2958 | 433 | if (pkey_ctrl_string(pctx, sigopt) <= 0) | ||
2959 | 434 | { | ||
2960 | 435 | BIO_printf(bio_err, | ||
2961 | 436 | "parameter error \"%s\"\n", | ||
2962 | 437 | sigopt); | ||
2963 | 438 | ERR_print_errors(bio_err); | ||
2964 | 439 | goto end; | ||
2965 | 440 | } | ||
2966 | 441 | } | ||
2967 | 442 | } | ||
2968 | 443 | } | ||
2969 | 444 | /* we use md as a filter, reading from 'in' */ | ||
2970 | 445 | else | ||
2971 | 446 | { | ||
2972 | 447 | if (md == NULL) | ||
2973 | 448 | md = EVP_md5(); | ||
2974 | 449 | if (!BIO_set_md(bmd,md)) | ||
2975 | 450 | { | ||
2976 | 451 | BIO_printf(bio_err, "Error setting digest %s\n", pname); | ||
2977 | 452 | ERR_print_errors(bio_err); | ||
2978 | 453 | goto end; | ||
2979 | 454 | } | ||
2980 | 455 | } | ||
2981 | 456 | |||
2982 | 457 | if(sigfile && sigkey) { | ||
2983 | 458 | BIO *sigbio; | ||
2984 | 459 | sigbio = BIO_new_file(sigfile, "rb"); | ||
2985 | 460 | siglen = EVP_PKEY_size(sigkey); | ||
2986 | 461 | sigbuf = OPENSSL_malloc(siglen); | ||
2987 | 462 | if(!sigbio) { | ||
2988 | 463 | BIO_printf(bio_err, "Error opening signature file %s\n", | ||
2989 | 464 | sigfile); | ||
2990 | 465 | ERR_print_errors(bio_err); | ||
2991 | 466 | goto end; | ||
2992 | 467 | } | ||
2993 | 468 | siglen = BIO_read(sigbio, sigbuf, siglen); | ||
2994 | 469 | BIO_free(sigbio); | ||
2995 | 470 | if(siglen <= 0) { | ||
2996 | 471 | BIO_printf(bio_err, "Error reading signature file %s\n", | ||
2997 | 472 | sigfile); | ||
2998 | 473 | ERR_print_errors(bio_err); | ||
2999 | 474 | goto end; | ||
3000 | 475 | } | ||
3001 | 476 | } | ||
3002 | 477 | inp=BIO_push(bmd,in); | ||
3003 | 478 | |||
3004 | 479 | if (md == NULL) | ||
3005 | 480 | { | ||
3006 | 481 | EVP_MD_CTX *tctx; | ||
3007 | 482 | BIO_get_md_ctx(bmd, &tctx); | ||
3008 | 483 | md = EVP_MD_CTX_md(tctx); | ||
3009 | 484 | } | ||
3010 | 485 | |||
3011 | 486 | if (argc == 0) | ||
3012 | 487 | { | ||
3013 | 488 | BIO_set_fp(in,stdin,BIO_NOCLOSE); | ||
3014 | 489 | err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, | ||
3015 | 490 | siglen,NULL,NULL,"stdin",bmd); | ||
3016 | 491 | } | ||
3017 | 492 | else | ||
3018 | 493 | { | ||
3019 | 494 | const char *md_name = NULL, *sig_name = NULL; | ||
3020 | 495 | if(!out_bin) | ||
3021 | 496 | { | ||
3022 | 497 | if (sigkey) | ||
3023 | 498 | { | ||
3024 | 499 | const EVP_PKEY_ASN1_METHOD *ameth; | ||
3025 | 500 | ameth = EVP_PKEY_get0_asn1(sigkey); | ||
3026 | 501 | if (ameth) | ||
3027 | 502 | EVP_PKEY_asn1_get0_info(NULL, NULL, | ||
3028 | 503 | NULL, NULL, &sig_name, ameth); | ||
3029 | 504 | } | ||
3030 | 505 | md_name = EVP_MD_name(md); | ||
3031 | 506 | } | ||
3032 | 507 | err = 0; | ||
3033 | 508 | for (i=0; i<argc; i++) | ||
3034 | 509 | { | ||
3035 | 510 | int r; | ||
3036 | 511 | if (BIO_read_filename(in,argv[i]) <= 0) | ||
3037 | 512 | { | ||
3038 | 513 | perror(argv[i]); | ||
3039 | 514 | err++; | ||
3040 | 515 | continue; | ||
3041 | 516 | } | ||
3042 | 517 | else | ||
3043 | 518 | r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf, | ||
3044 | 519 | siglen,sig_name,md_name, argv[i],bmd); | ||
3045 | 520 | if(r) | ||
3046 | 521 | err=r; | ||
3047 | 522 | (void)BIO_reset(bmd); | ||
3048 | 523 | } | ||
3049 | 524 | } | ||
3050 | 525 | end: | ||
3051 | 526 | if (buf != NULL) | ||
3052 | 527 | { | ||
3053 | 528 | OPENSSL_cleanse(buf,BUFSIZE); | ||
3054 | 529 | OPENSSL_free(buf); | ||
3055 | 530 | } | ||
3056 | 531 | if (in != NULL) BIO_free(in); | ||
3057 | 532 | if (passin) | ||
3058 | 533 | OPENSSL_free(passin); | ||
3059 | 534 | BIO_free_all(out); | ||
3060 | 535 | EVP_PKEY_free(sigkey); | ||
3061 | 536 | if (sigopts) | ||
3062 | 537 | sk_OPENSSL_STRING_free(sigopts); | ||
3063 | 538 | if (macopts) | ||
3064 | 539 | sk_OPENSSL_STRING_free(macopts); | ||
3065 | 540 | if(sigbuf) OPENSSL_free(sigbuf); | ||
3066 | 541 | if (bmd != NULL) BIO_free(bmd); | ||
3067 | 542 | apps_shutdown(); | ||
3068 | 543 | OPENSSL_EXIT(err); | ||
3069 | 544 | } | ||
3070 | 545 | |||
3071 | 546 | int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, | ||
3072 | 547 | EVP_PKEY *key, unsigned char *sigin, int siglen, | ||
3073 | 548 | const char *sig_name, const char *md_name, | ||
3074 | 549 | const char *file,BIO *bmd) | ||
3075 | 550 | { | ||
3076 | 551 | size_t len; | ||
3077 | 552 | int i; | ||
3078 | 553 | |||
3079 | 554 | for (;;) | ||
3080 | 555 | { | ||
3081 | 556 | i=BIO_read(bp,(char *)buf,BUFSIZE); | ||
3082 | 557 | if(i < 0) | ||
3083 | 558 | { | ||
3084 | 559 | BIO_printf(bio_err, "Read Error in %s\n",file); | ||
3085 | 560 | ERR_print_errors(bio_err); | ||
3086 | 561 | return 1; | ||
3087 | 562 | } | ||
3088 | 563 | if (i == 0) break; | ||
3089 | 564 | } | ||
3090 | 565 | if(sigin) | ||
3091 | 566 | { | ||
3092 | 567 | EVP_MD_CTX *ctx; | ||
3093 | 568 | BIO_get_md_ctx(bp, &ctx); | ||
3094 | 569 | i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen); | ||
3095 | 570 | if(i > 0) | ||
3096 | 571 | BIO_printf(out, "Verified OK\n"); | ||
3097 | 572 | else if(i == 0) | ||
3098 | 573 | { | ||
3099 | 574 | BIO_printf(out, "Verification Failure\n"); | ||
3100 | 575 | return 1; | ||
3101 | 576 | } | ||
3102 | 577 | else | ||
3103 | 578 | { | ||
3104 | 579 | BIO_printf(bio_err, "Error Verifying Data\n"); | ||
3105 | 580 | ERR_print_errors(bio_err); | ||
3106 | 581 | return 1; | ||
3107 | 582 | } | ||
3108 | 583 | return 0; | ||
3109 | 584 | } | ||
3110 | 585 | if(key) | ||
3111 | 586 | { | ||
3112 | 587 | EVP_MD_CTX *ctx; | ||
3113 | 588 | BIO_get_md_ctx(bp, &ctx); | ||
3114 | 589 | len = BUFSIZE; | ||
3115 | 590 | if(!EVP_DigestSignFinal(ctx, buf, &len)) | ||
3116 | 591 | { | ||
3117 | 592 | BIO_printf(bio_err, "Error Signing Data\n"); | ||
3118 | 593 | ERR_print_errors(bio_err); | ||
3119 | 594 | return 1; | ||
3120 | 595 | } | ||
3121 | 596 | } | ||
3122 | 597 | else | ||
3123 | 598 | { | ||
3124 | 599 | len=BIO_gets(bp,(char *)buf,BUFSIZE); | ||
3125 | 600 | if ((int)len <0) | ||
3126 | 601 | { | ||
3127 | 602 | ERR_print_errors(bio_err); | ||
3128 | 603 | return 1; | ||
3129 | 604 | } | ||
3130 | 605 | } | ||
3131 | 606 | |||
3132 | 607 | if(binout) BIO_write(out, buf, len); | ||
3133 | 608 | else if (sep == 2) | ||
3134 | 609 | { | ||
3135 | 610 | for (i=0; i<(int)len; i++) | ||
3136 | 611 | BIO_printf(out, "%02x",buf[i]); | ||
3137 | 612 | BIO_printf(out, " *%s\n", file); | ||
3138 | 613 | } | ||
3139 | 614 | else | ||
3140 | 615 | { | ||
3141 | 616 | if (sig_name) | ||
3142 | 617 | BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file); | ||
3143 | 618 | else if (md_name) | ||
3144 | 619 | BIO_printf(out, "%s(%s)= ", md_name, file); | ||
3145 | 620 | else | ||
3146 | 621 | BIO_printf(out, "(%s)= ", file); | ||
3147 | 622 | for (i=0; i<(int)len; i++) | ||
3148 | 623 | { | ||
3149 | 624 | if (sep && (i != 0)) | ||
3150 | 625 | BIO_printf(out, ":"); | ||
3151 | 626 | BIO_printf(out, "%02x",buf[i]); | ||
3152 | 627 | } | ||
3153 | 628 | BIO_printf(out, "\n"); | ||
3154 | 629 | } | ||
3155 | 630 | return 0; | ||
3156 | 631 | } | ||
3157 | 632 | |||
3158 | 0 | 633 | ||
3159 | === added directory '.pc/dgst_hmac.patch/doc' | |||
3160 | === added directory '.pc/dgst_hmac.patch/doc/apps' | |||
3161 | === added file '.pc/dgst_hmac.patch/doc/apps/dgst.pod' | |||
3162 | --- .pc/dgst_hmac.patch/doc/apps/dgst.pod 1970-01-01 00:00:00 +0000 | |||
3163 | +++ .pc/dgst_hmac.patch/doc/apps/dgst.pod 2011-09-15 05:17:15 +0000 | |||
3164 | @@ -0,0 +1,162 @@ | |||
3165 | 1 | =pod | ||
3166 | 2 | |||
3167 | 3 | =head1 NAME | ||
3168 | 4 | |||
3169 | 5 | dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests | ||
3170 | 6 | |||
3171 | 7 | =head1 SYNOPSIS | ||
3172 | 8 | |||
3173 | 9 | B<openssl> B<dgst> | ||
3174 | 10 | [B<-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1>] | ||
3175 | 11 | [B<-c>] | ||
3176 | 12 | [B<-d>] | ||
3177 | 13 | [B<-hex>] | ||
3178 | 14 | [B<-binary>] | ||
3179 | 15 | [B<-out filename>] | ||
3180 | 16 | [B<-sign filename>] | ||
3181 | 17 | [B<-keyform arg>] | ||
3182 | 18 | [B<-passin arg>] | ||
3183 | 19 | [B<-verify filename>] | ||
3184 | 20 | [B<-prverify filename>] | ||
3185 | 21 | [B<-signature filename>] | ||
3186 | 22 | [B<-hmac key>] | ||
3187 | 23 | [B<file...>] | ||
3188 | 24 | |||
3189 | 25 | [B<md5|md4|md2|sha1|sha|mdc2|ripemd160>] | ||
3190 | 26 | [B<-c>] | ||
3191 | 27 | [B<-d>] | ||
3192 | 28 | [B<file...>] | ||
3193 | 29 | |||
3194 | 30 | =head1 DESCRIPTION | ||
3195 | 31 | |||
3196 | 32 | The digest functions output the message digest of a supplied file or files | ||
3197 | 33 | in hexadecimal form. They can also be used for digital signing and verification. | ||
3198 | 34 | |||
3199 | 35 | =head1 OPTIONS | ||
3200 | 36 | |||
3201 | 37 | =over 4 | ||
3202 | 38 | |||
3203 | 39 | =item B<-c> | ||
3204 | 40 | |||
3205 | 41 | print out the digest in two digit groups separated by colons, only relevant if | ||
3206 | 42 | B<hex> format output is used. | ||
3207 | 43 | |||
3208 | 44 | =item B<-d> | ||
3209 | 45 | |||
3210 | 46 | print out BIO debugging information. | ||
3211 | 47 | |||
3212 | 48 | =item B<-hex> | ||
3213 | 49 | |||
3214 | 50 | digest is to be output as a hex dump. This is the default case for a "normal" | ||
3215 | 51 | digest as opposed to a digital signature. | ||
3216 | 52 | |||
3217 | 53 | =item B<-binary> | ||
3218 | 54 | |||
3219 | 55 | output the digest or signature in binary form. | ||
3220 | 56 | |||
3221 | 57 | =item B<-out filename> | ||
3222 | 58 | |||
3223 | 59 | filename to output to, or standard output by default. | ||
3224 | 60 | |||
3225 | 61 | =item B<-sign filename> | ||
3226 | 62 | |||
3227 | 63 | digitally sign the digest using the private key in "filename". | ||
3228 | 64 | |||
3229 | 65 | =item B<-keyform arg> | ||
3230 | 66 | |||
3231 | 67 | Specifies the key format to sign digest with. Only PEM and ENGINE | ||
3232 | 68 | formats are supported by the B<dgst> command. | ||
3233 | 69 | |||
3234 | 70 | =item B<-engine id> | ||
3235 | 71 | |||
3236 | 72 | Use engine B<id> for operations (including private key storage). | ||
3237 | 73 | This engine is not used as source for digest algorithms, unless it is | ||
3238 | 74 | also specified in the configuration file. | ||
3239 | 75 | |||
3240 | 76 | =item B<-sigopt nm:v> | ||
3241 | 77 | |||
3242 | 78 | Pass options to the signature algorithm during sign or verify operations. | ||
3243 | 79 | Names and values of these options are algorithm-specific. | ||
3244 | 80 | |||
3245 | 81 | |||
3246 | 82 | =item B<-passin arg> | ||
3247 | 83 | |||
3248 | 84 | the private key password source. For more information about the format of B<arg> | ||
3249 | 85 | see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>. | ||
3250 | 86 | |||
3251 | 87 | =item B<-verify filename> | ||
3252 | 88 | |||
3253 | 89 | verify the signature using the the public key in "filename". | ||
3254 | 90 | The output is either "Verification OK" or "Verification Failure". | ||
3255 | 91 | |||
3256 | 92 | =item B<-prverify filename> | ||
3257 | 93 | |||
3258 | 94 | verify the signature using the the private key in "filename". | ||
3259 | 95 | |||
3260 | 96 | =item B<-signature filename> | ||
3261 | 97 | |||
3262 | 98 | the actual signature to verify. | ||
3263 | 99 | |||
3264 | 100 | =item B<-hmac key> | ||
3265 | 101 | |||
3266 | 102 | create a hashed MAC using "key". | ||
3267 | 103 | |||
3268 | 104 | =item B<-mac alg> | ||
3269 | 105 | |||
3270 | 106 | create MAC (keyed Message Authentication Code). The most popular MAC | ||
3271 | 107 | algorithm is HMAC (hash-based MAC), but there are other MAC algorithms | ||
3272 | 108 | which are not based on hash, for instance B<gost-mac> algorithm, | ||
3273 | 109 | supported by B<ccgost> engine. MAC keys and other options should be set | ||
3274 | 110 | via B<-macopt> parameter. | ||
3275 | 111 | |||
3276 | 112 | =item B<-macopt nm:v> | ||
3277 | 113 | |||
3278 | 114 | Passes options to MAC algorithm, specified by B<-mac> key. | ||
3279 | 115 | Following options are supported by both by B<HMAC> and B<gost-mac>: | ||
3280 | 116 | |||
3281 | 117 | =over 8 | ||
3282 | 118 | |||
3283 | 119 | =item B<key:string> | ||
3284 | 120 | |||
3285 | 121 | Specifies MAC key as alphnumeric string (use if key contain printable | ||
3286 | 122 | characters only). String length must conform to any restrictions of | ||
3287 | 123 | the MAC algorithm for example exactly 32 chars for gost-mac. | ||
3288 | 124 | |||
3289 | 125 | =item B<hexkey:string> | ||
3290 | 126 | |||
3291 | 127 | Specifies MAC key in hexadecimal form (two hex digits per byte). | ||
3292 | 128 | Key length must conform to any restrictions of the MAC algorithm | ||
3293 | 129 | for example exactly 32 chars for gost-mac. | ||
3294 | 130 | |||
3295 | 131 | =back | ||
3296 | 132 | |||
3297 | 133 | =item B<-rand file(s)> | ||
3298 | 134 | |||
3299 | 135 | a file or files containing random data used to seed the random number | ||
3300 | 136 | generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>). | ||
3301 | 137 | Multiple files can be specified separated by a OS-dependent character. | ||
3302 | 138 | The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for | ||
3303 | 139 | all others. | ||
3304 | 140 | |||
3305 | 141 | =item B<file...> | ||
3306 | 142 | |||
3307 | 143 | file or files to digest. If no files are specified then standard input is | ||
3308 | 144 | used. | ||
3309 | 145 | |||
3310 | 146 | =back | ||
3311 | 147 | |||
3312 | 148 | =head1 NOTES | ||
3313 | 149 | |||
3314 | 150 | The digest of choice for all new applications is SHA1. Other digests are | ||
3315 | 151 | however still widely used. | ||
3316 | 152 | |||
3317 | 153 | If you wish to sign or verify data using the DSA algorithm then the dss1 | ||
3318 | 154 | digest must be used. | ||
3319 | 155 | |||
3320 | 156 | A source of random numbers is required for certain signing algorithms, in | ||
3321 | 157 | particular DSA. | ||
3322 | 158 | |||
3323 | 159 | The signing and verify options should only be used if a single file is | ||
3324 | 160 | being signed or verified. | ||
3325 | 161 | |||
3326 | 162 | =cut | ||
3327 | 0 | 163 | ||
3328 | === modified file '.pc/engines-path.patch/Configure' | |||
3329 | --- .pc/engines-path.patch/Configure 2010-12-19 16:24:16 +0000 | |||
3330 | +++ .pc/engines-path.patch/Configure 2011-09-15 05:17:15 +0000 | |||
3331 | @@ -362,6 +362,7 @@ | |||
3332 | 362 | "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 362 | "debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3333 | 363 | "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 363 | "debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3334 | 364 | "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 364 | "debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3335 | 365 | "debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | ||
3336 | 365 | "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 366 | "debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3337 | 366 | "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 367 | "debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3338 | 367 | "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 368 | "debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3339 | @@ -370,7 +371,7 @@ | |||
3340 | 370 | "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 371 | "debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3341 | 371 | "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 372 | "debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3342 | 372 | "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 373 | "debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3344 | 373 | "debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", | 374 | "debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", |
3345 | 374 | 375 | ||
3346 | 375 | #### | 376 | #### |
3347 | 376 | #### Variety of LINUX:-) | 377 | #### Variety of LINUX:-) |
3348 | 377 | 378 | ||
3349 | === modified file '.pc/gnu_source.patch/crypto/dso/dso_dlfcn.c' | |||
3350 | --- .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c 2010-12-19 16:24:16 +0000 | |||
3351 | +++ .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c 2011-09-15 05:17:15 +0000 | |||
3352 | @@ -85,6 +85,7 @@ | |||
3353 | 85 | # define HAVE_DLINFO 1 | 85 | # define HAVE_DLINFO 1 |
3354 | 86 | # if defined(_AIX) || defined(__CYGWIN__) || \ | 86 | # if defined(_AIX) || defined(__CYGWIN__) || \ |
3355 | 87 | defined(__SCO_VERSION__) || defined(_SCO_ELF) || \ | 87 | defined(__SCO_VERSION__) || defined(_SCO_ELF) || \ |
3356 | 88 | (defined(__osf__) && !defined(RTLD_NEXT)) || \ | ||
3357 | 88 | (defined(__OpenBSD__) && !defined(RTLD_SELF)) | 89 | (defined(__OpenBSD__) && !defined(RTLD_SELF)) |
3358 | 89 | # undef HAVE_DLINFO | 90 | # undef HAVE_DLINFO |
3359 | 90 | # endif | 91 | # endif |
3360 | 91 | 92 | ||
3361 | === added directory '.pc/libdoc-manpgs-pod-spell.patch' | |||
3362 | === added directory '.pc/libdoc-manpgs-pod-spell.patch/doc' | |||
3363 | === added directory '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto' | |||
3364 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod' | |||
3365 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod 1970-01-01 00:00:00 +0000 | |||
3366 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod 2011-09-15 05:17:15 +0000 | |||
3367 | @@ -0,0 +1,265 @@ | |||
3368 | 1 | =pod | ||
3369 | 2 | |||
3370 | 3 | =head1 NAME | ||
3371 | 4 | |||
3372 | 5 | ASN1_generate_nconf, ASN1_generate_v3 - ASN1 generation functions | ||
3373 | 6 | |||
3374 | 7 | =head1 SYNOPSIS | ||
3375 | 8 | |||
3376 | 9 | #include <openssl/asn1.h> | ||
3377 | 10 | |||
3378 | 11 | ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf); | ||
3379 | 12 | ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf); | ||
3380 | 13 | |||
3381 | 14 | =head1 DESCRIPTION | ||
3382 | 15 | |||
3383 | 16 | These functions generate the ASN1 encoding of a string | ||
3384 | 17 | in an B<ASN1_TYPE> structure. | ||
3385 | 18 | |||
3386 | 19 | B<str> contains the string to encode B<nconf> or B<cnf> contains | ||
3387 | 20 | the optional configuration information where additional strings | ||
3388 | 21 | will be read from. B<nconf> will typically come from a config | ||
3389 | 22 | file wherease B<cnf> is obtained from an B<X509V3_CTX> structure | ||
3390 | 23 | which will typically be used by X509 v3 certificate extension | ||
3391 | 24 | functions. B<cnf> or B<nconf> can be set to B<NULL> if no additional | ||
3392 | 25 | configuration will be used. | ||
3393 | 26 | |||
3394 | 27 | =head1 GENERATION STRING FORMAT | ||
3395 | 28 | |||
3396 | 29 | The actual data encoded is determined by the string B<str> and | ||
3397 | 30 | the configuration information. The general format of the string | ||
3398 | 31 | is: | ||
3399 | 32 | |||
3400 | 33 | =over 2 | ||
3401 | 34 | |||
3402 | 35 | =item B<[modifier,]type[:value]> | ||
3403 | 36 | |||
3404 | 37 | =back | ||
3405 | 38 | |||
3406 | 39 | That is zero or more comma separated modifiers followed by a type | ||
3407 | 40 | followed by an optional colon and a value. The formats of B<type>, | ||
3408 | 41 | B<value> and B<modifier> are explained below. | ||
3409 | 42 | |||
3410 | 43 | =head2 SUPPORTED TYPES | ||
3411 | 44 | |||
3412 | 45 | The supported types are listed below. Unless otherwise specified | ||
3413 | 46 | only the B<ASCII> format is permissible. | ||
3414 | 47 | |||
3415 | 48 | =over 2 | ||
3416 | 49 | |||
3417 | 50 | =item B<BOOLEAN>, B<BOOL> | ||
3418 | 51 | |||
3419 | 52 | This encodes a boolean type. The B<value> string is mandatory and | ||
3420 | 53 | should be B<TRUE> or B<FALSE>. Additionally B<TRUE>, B<true>, B<Y>, | ||
3421 | 54 | B<y>, B<YES>, B<yes>, B<FALSE>, B<false>, B<N>, B<n>, B<NO> and B<no> | ||
3422 | 55 | are acceptable. | ||
3423 | 56 | |||
3424 | 57 | =item B<NULL> | ||
3425 | 58 | |||
3426 | 59 | Encode the B<NULL> type, the B<value> string must not be present. | ||
3427 | 60 | |||
3428 | 61 | =item B<INTEGER>, B<INT> | ||
3429 | 62 | |||
3430 | 63 | Encodes an ASN1 B<INTEGER> type. The B<value> string represents | ||
3431 | 64 | the value of the integer, it can be preceeded by a minus sign and | ||
3432 | 65 | is normally interpreted as a decimal value unless the prefix B<0x> | ||
3433 | 66 | is included. | ||
3434 | 67 | |||
3435 | 68 | =item B<ENUMERATED>, B<ENUM> | ||
3436 | 69 | |||
3437 | 70 | Encodes the ASN1 B<ENUMERATED> type, it is otherwise identical to | ||
3438 | 71 | B<INTEGER>. | ||
3439 | 72 | |||
3440 | 73 | =item B<OBJECT>, B<OID> | ||
3441 | 74 | |||
3442 | 75 | Encodes an ASN1 B<OBJECT IDENTIFIER>, the B<value> string can be | ||
3443 | 76 | a short name, a long name or numerical format. | ||
3444 | 77 | |||
3445 | 78 | =item B<UTCTIME>, B<UTC> | ||
3446 | 79 | |||
3447 | 80 | Encodes an ASN1 B<UTCTime> structure, the value should be in | ||
3448 | 81 | the format B<YYMMDDHHMMSSZ>. | ||
3449 | 82 | |||
3450 | 83 | =item B<GENERALIZEDTIME>, B<GENTIME> | ||
3451 | 84 | |||
3452 | 85 | Encodes an ASN1 B<GeneralizedTime> structure, the value should be in | ||
3453 | 86 | the format B<YYYYMMDDHHMMSSZ>. | ||
3454 | 87 | |||
3455 | 88 | =item B<OCTETSTRING>, B<OCT> | ||
3456 | 89 | |||
3457 | 90 | Encodes an ASN1 B<OCTET STRING>. B<value> represents the contents | ||
3458 | 91 | of this structure, the format strings B<ASCII> and B<HEX> can be | ||
3459 | 92 | used to specify the format of B<value>. | ||
3460 | 93 | |||
3461 | 94 | =item B<BITSTRING>, B<BITSTR> | ||
3462 | 95 | |||
3463 | 96 | Encodes an ASN1 B<BIT STRING>. B<value> represents the contents | ||
3464 | 97 | of this structure, the format strings B<ASCII>, B<HEX> and B<BITLIST> | ||
3465 | 98 | can be used to specify the format of B<value>. | ||
3466 | 99 | |||
3467 | 100 | If the format is anything other than B<BITLIST> the number of unused | ||
3468 | 101 | bits is set to zero. | ||
3469 | 102 | |||
3470 | 103 | =item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>, | ||
3471 | 104 | B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>, | ||
3472 | 105 | B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>, | ||
3473 | 106 | B<T61STRING>, B<TELETEXSTRING>, B<GeneralString>, B<NUMERICSTRING>, | ||
3474 | 107 | B<NUMERIC> | ||
3475 | 108 | |||
3476 | 109 | These encode the corresponding string types. B<value> represents the | ||
3477 | 110 | contents of this structure. The format can be B<ASCII> or B<UTF8>. | ||
3478 | 111 | |||
3479 | 112 | =item B<SEQUENCE>, B<SEQ>, B<SET> | ||
3480 | 113 | |||
3481 | 114 | Formats the result as an ASN1 B<SEQUENCE> or B<SET> type. B<value> | ||
3482 | 115 | should be a section name which will contain the contents. The | ||
3483 | 116 | field names in the section are ignored and the values are in the | ||
3484 | 117 | generated string format. If B<value> is absent then an empty SEQUENCE | ||
3485 | 118 | will be encoded. | ||
3486 | 119 | |||
3487 | 120 | =back | ||
3488 | 121 | |||
3489 | 122 | =head2 MODIFIERS | ||
3490 | 123 | |||
3491 | 124 | Modifiers affect the following structure, they can be used to | ||
3492 | 125 | add EXPLICIT or IMPLICIT tagging, add wrappers or to change | ||
3493 | 126 | the string format of the final type and value. The supported | ||
3494 | 127 | formats are documented below. | ||
3495 | 128 | |||
3496 | 129 | =over 2 | ||
3497 | 130 | |||
3498 | 131 | =item B<EXPLICIT>, B<EXP> | ||
3499 | 132 | |||
3500 | 133 | Add an explicit tag to the following structure. This string | ||
3501 | 134 | should be followed by a colon and the tag value to use as a | ||
3502 | 135 | decimal value. | ||
3503 | 136 | |||
3504 | 137 | By following the number with B<U>, B<A>, B<P> or B<C> UNIVERSAL, | ||
3505 | 138 | APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used, | ||
3506 | 139 | the default is CONTEXT SPECIFIC. | ||
3507 | 140 | |||
3508 | 141 | =item B<IMPLICIT>, B<IMP> | ||
3509 | 142 | |||
3510 | 143 | This is the same as B<EXPLICIT> except IMPLICIT tagging is used | ||
3511 | 144 | instead. | ||
3512 | 145 | |||
3513 | 146 | =item B<OCTWRAP>, B<SEQWRAP>, B<SETWRAP>, B<BITWRAP> | ||
3514 | 147 | |||
3515 | 148 | The following structure is surrounded by an OCTET STRING, a SEQUENCE, | ||
3516 | 149 | a SET or a BIT STRING respectively. For a BIT STRING the number of unused | ||
3517 | 150 | bits is set to zero. | ||
3518 | 151 | |||
3519 | 152 | =item B<FORMAT> | ||
3520 | 153 | |||
3521 | 154 | This specifies the format of the ultimate value. It should be followed | ||
3522 | 155 | by a colon and one of the strings B<ASCII>, B<UTF8>, B<HEX> or B<BITLIST>. | ||
3523 | 156 | |||
3524 | 157 | If no format specifier is included then B<ASCII> is used. If B<UTF8> is | ||
3525 | 158 | specified then the value string must be a valid B<UTF8> string. For B<HEX> the | ||
3526 | 159 | output must be a set of hex digits. B<BITLIST> (which is only valid for a BIT | ||
3527 | 160 | STRING) is a comma separated list of the indices of the set bits, all other | ||
3528 | 161 | bits are zero. | ||
3529 | 162 | |||
3530 | 163 | =back | ||
3531 | 164 | |||
3532 | 165 | =head1 EXAMPLES | ||
3533 | 166 | |||
3534 | 167 | A simple IA5String: | ||
3535 | 168 | |||
3536 | 169 | IA5STRING:Hello World | ||
3537 | 170 | |||
3538 | 171 | An IA5String explicitly tagged: | ||
3539 | 172 | |||
3540 | 173 | EXPLICIT:0,IA5STRING:Hello World | ||
3541 | 174 | |||
3542 | 175 | An IA5String explicitly tagged using APPLICATION tagging: | ||
3543 | 176 | |||
3544 | 177 | EXPLICIT:0A,IA5STRING:Hello World | ||
3545 | 178 | |||
3546 | 179 | A BITSTRING with bits 1 and 5 set and all others zero: | ||
3547 | 180 | |||
3548 | 181 | FORMAT:BITLIST,BITSTRING:1,5 | ||
3549 | 182 | |||
3550 | 183 | A more complex example using a config file to produce a | ||
3551 | 184 | SEQUENCE consiting of a BOOL an OID and a UTF8String: | ||
3552 | 185 | |||
3553 | 186 | asn1 = SEQUENCE:seq_section | ||
3554 | 187 | |||
3555 | 188 | [seq_section] | ||
3556 | 189 | |||
3557 | 190 | field1 = BOOLEAN:TRUE | ||
3558 | 191 | field2 = OID:commonName | ||
3559 | 192 | field3 = UTF8:Third field | ||
3560 | 193 | |||
3561 | 194 | This example produces an RSAPrivateKey structure, this is the | ||
3562 | 195 | key contained in the file client.pem in all OpenSSL distributions | ||
3563 | 196 | (note: the field names such as 'coeff' are ignored and are present just | ||
3564 | 197 | for clarity): | ||
3565 | 198 | |||
3566 | 199 | asn1=SEQUENCE:private_key | ||
3567 | 200 | [private_key] | ||
3568 | 201 | version=INTEGER:0 | ||
3569 | 202 | |||
3570 | 203 | n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\ | ||
3571 | 204 | D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9 | ||
3572 | 205 | |||
3573 | 206 | e=INTEGER:0x010001 | ||
3574 | 207 | |||
3575 | 208 | d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\ | ||
3576 | 209 | F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D | ||
3577 | 210 | |||
3578 | 211 | p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\ | ||
3579 | 212 | D4BD57 | ||
3580 | 213 | |||
3581 | 214 | q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\ | ||
3582 | 215 | 46EC4F | ||
3583 | 216 | |||
3584 | 217 | exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\ | ||
3585 | 218 | 9C0A39B9 | ||
3586 | 219 | |||
3587 | 220 | exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\ | ||
3588 | 221 | E7B2458F | ||
3589 | 222 | |||
3590 | 223 | coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\ | ||
3591 | 224 | 628657053A | ||
3592 | 225 | |||
3593 | 226 | This example is the corresponding public key in a SubjectPublicKeyInfo | ||
3594 | 227 | structure: | ||
3595 | 228 | |||
3596 | 229 | # Start with a SEQUENCE | ||
3597 | 230 | asn1=SEQUENCE:pubkeyinfo | ||
3598 | 231 | |||
3599 | 232 | # pubkeyinfo contains an algorithm identifier and the public key wrapped | ||
3600 | 233 | # in a BIT STRING | ||
3601 | 234 | [pubkeyinfo] | ||
3602 | 235 | algorithm=SEQUENCE:rsa_alg | ||
3603 | 236 | pubkey=BITWRAP,SEQUENCE:rsapubkey | ||
3604 | 237 | |||
3605 | 238 | # algorithm ID for RSA is just an OID and a NULL | ||
3606 | 239 | [rsa_alg] | ||
3607 | 240 | algorithm=OID:rsaEncryption | ||
3608 | 241 | parameter=NULL | ||
3609 | 242 | |||
3610 | 243 | # Actual public key: modulus and exponent | ||
3611 | 244 | [rsapubkey] | ||
3612 | 245 | n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\ | ||
3613 | 246 | D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9 | ||
3614 | 247 | |||
3615 | 248 | e=INTEGER:0x010001 | ||
3616 | 249 | |||
3617 | 250 | =head1 RETURN VALUES | ||
3618 | 251 | |||
3619 | 252 | ASN1_generate_nconf() and ASN1_generate_v3() return the encoded | ||
3620 | 253 | data as an B<ASN1_TYPE> structure or B<NULL> if an error occurred. | ||
3621 | 254 | |||
3622 | 255 | The error codes that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>. | ||
3623 | 256 | |||
3624 | 257 | =head1 SEE ALSO | ||
3625 | 258 | |||
3626 | 259 | L<ERR_get_error(3)|ERR_get_error(3)> | ||
3627 | 260 | |||
3628 | 261 | =head1 HISTORY | ||
3629 | 262 | |||
3630 | 263 | ASN1_generate_nconf() and ASN1_generate_v3() were added to OpenSSL 0.9.8 | ||
3631 | 264 | |||
3632 | 265 | =cut | ||
3633 | 0 | 266 | ||
3634 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod' | |||
3635 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod 1970-01-01 00:00:00 +0000 | |||
3636 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod 2011-09-15 05:17:15 +0000 | |||
3637 | @@ -0,0 +1,115 @@ | |||
3638 | 1 | =pod | ||
3639 | 2 | |||
3640 | 3 | =head1 NAME | ||
3641 | 4 | |||
3642 | 5 | BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert, | ||
3643 | 6 | BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex, | ||
3644 | 7 | BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_get_flags, | ||
3645 | 8 | BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM | ||
3646 | 9 | functions. | ||
3647 | 10 | |||
3648 | 11 | =head1 SYNOPSIS | ||
3649 | 12 | |||
3650 | 13 | #include <openssl/bn.h> | ||
3651 | 14 | |||
3652 | 15 | BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, | ||
3653 | 16 | BIGNUM *mod); | ||
3654 | 17 | void BN_BLINDING_free(BN_BLINDING *b); | ||
3655 | 18 | int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx); | ||
3656 | 19 | int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); | ||
3657 | 20 | int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); | ||
3658 | 21 | int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, | ||
3659 | 22 | BN_CTX *ctx); | ||
3660 | 23 | int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, | ||
3661 | 24 | BN_CTX *ctx); | ||
3662 | 25 | #ifndef OPENSSL_NO_DEPRECATED | ||
3663 | 26 | unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); | ||
3664 | 27 | void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); | ||
3665 | 28 | #endif | ||
3666 | 29 | CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); | ||
3667 | 30 | unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); | ||
3668 | 31 | void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); | ||
3669 | 32 | BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, | ||
3670 | 33 | const BIGNUM *e, BIGNUM *m, BN_CTX *ctx, | ||
3671 | 34 | int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, | ||
3672 | 35 | const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), | ||
3673 | 36 | BN_MONT_CTX *m_ctx); | ||
3674 | 37 | |||
3675 | 38 | =head1 DESCRIPTION | ||
3676 | 39 | |||
3677 | 40 | BN_BLINDING_new() allocates a new B<BN_BLINDING> structure and copies | ||
3678 | 41 | the B<A> and B<Ai> values into the newly created B<BN_BLINDING> object. | ||
3679 | 42 | |||
3680 | 43 | BN_BLINDING_free() frees the B<BN_BLINDING> structure. | ||
3681 | 44 | |||
3682 | 45 | BN_BLINDING_update() updates the B<BN_BLINDING> parameters by squaring | ||
3683 | 46 | the B<A> and B<Ai> or, after specific number of uses and if the | ||
3684 | 47 | necessary parameters are set, by re-creating the blinding parameters. | ||
3685 | 48 | |||
3686 | 49 | BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>. | ||
3687 | 50 | If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be | ||
3688 | 51 | returned in B<r> (this is useful if a B<RSA> object is shared amoung | ||
3689 | 52 | several threads). BN_BLINDING_invert_ex() multiplies B<n> with the | ||
3690 | 53 | inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as | ||
3691 | 54 | the inverse blinding. | ||
3692 | 55 | |||
3693 | 56 | BN_BLINDING_convert() and BN_BLINDING_invert() are wrapper | ||
3694 | 57 | functions for BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() | ||
3695 | 58 | with B<r> set to NULL. | ||
3696 | 59 | |||
3697 | 60 | BN_BLINDING_thread_id() provides access to the B<CRYPTO_THREADID> | ||
3698 | 61 | object within the B<BN_BLINDING> structure. This is to help users | ||
3699 | 62 | provide proper locking if needed for multi-threaded use. The "thread | ||
3700 | 63 | id" object of a newly allocated B<BN_BLINDING> structure is | ||
3701 | 64 | initialised to the thread id in which BN_BLINDING_new() was called. | ||
3702 | 65 | |||
3703 | 66 | BN_BLINDING_get_flags() returns the BN_BLINDING flags. Currently | ||
3704 | 67 | there are two supported flags: B<BN_BLINDING_NO_UPDATE> and | ||
3705 | 68 | B<BN_BLINDING_NO_RECREATE>. B<BN_BLINDING_NO_UPDATE> inhibits the | ||
3706 | 69 | automatic update of the B<BN_BLINDING> parameters after each use | ||
3707 | 70 | and B<BN_BLINDING_NO_RECREATE> inhibits the automatic re-creation | ||
3708 | 71 | of the B<BN_BLINDING> parameters after a fixed number of uses (currently | ||
3709 | 72 | 32). In newly allocated B<BN_BLINDING> objects no flags are set. | ||
3710 | 73 | BN_BLINDING_set_flags() sets the B<BN_BLINDING> parameters flags. | ||
3711 | 74 | |||
3712 | 75 | BN_BLINDING_create_param() creates new B<BN_BLINDING> parameters | ||
3713 | 76 | using the exponent B<e> and the modulus B<m>. B<bn_mod_exp> and | ||
3714 | 77 | B<m_ctx> can be used to pass special functions for exponentiation | ||
3715 | 78 | (normally BN_mod_exp_mont() and B<BN_MONT_CTX>). | ||
3716 | 79 | |||
3717 | 80 | =head1 RETURN VALUES | ||
3718 | 81 | |||
3719 | 82 | BN_BLINDING_new() returns the newly allocated B<BN_BLINDING> structure | ||
3720 | 83 | or NULL in case of an error. | ||
3721 | 84 | |||
3722 | 85 | BN_BLINDING_update(), BN_BLINDING_convert(), BN_BLINDING_invert(), | ||
3723 | 86 | BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() return 1 on | ||
3724 | 87 | success and 0 if an error occured. | ||
3725 | 88 | |||
3726 | 89 | BN_BLINDING_thread_id() returns a pointer to the thread id object | ||
3727 | 90 | within a B<BN_BLINDING> object. | ||
3728 | 91 | |||
3729 | 92 | BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags | ||
3730 | 93 | (a B<unsigned long> value). | ||
3731 | 94 | |||
3732 | 95 | BN_BLINDING_create_param() returns the newly created B<BN_BLINDING> | ||
3733 | 96 | parameters or NULL on error. | ||
3734 | 97 | |||
3735 | 98 | =head1 SEE ALSO | ||
3736 | 99 | |||
3737 | 100 | L<bn(3)|bn(3)> | ||
3738 | 101 | |||
3739 | 102 | =head1 HISTORY | ||
3740 | 103 | |||
3741 | 104 | BN_BLINDING_thread_id was first introduced in OpenSSL 1.0.0, and it | ||
3742 | 105 | deprecates BN_BLINDING_set_thread_id and BN_BLINDING_get_thread_id. | ||
3743 | 106 | |||
3744 | 107 | BN_BLINDING_convert_ex, BN_BLINDIND_invert_ex, BN_BLINDING_get_thread_id, | ||
3745 | 108 | BN_BLINDING_set_thread_id, BN_BLINDING_set_flags, BN_BLINDING_get_flags | ||
3746 | 109 | and BN_BLINDING_create_param were first introduced in OpenSSL 0.9.8 | ||
3747 | 110 | |||
3748 | 111 | =head1 AUTHOR | ||
3749 | 112 | |||
3750 | 113 | Nils Larsch for the OpenSSL project (http://www.openssl.org). | ||
3751 | 114 | |||
3752 | 115 | =cut | ||
3753 | 0 | 116 | ||
3754 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod' | |||
3755 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod 1970-01-01 00:00:00 +0000 | |||
3756 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod 2011-09-15 05:17:15 +0000 | |||
3757 | @@ -0,0 +1,67 @@ | |||
3758 | 1 | =pod | ||
3759 | 2 | |||
3760 | 3 | =head1 NAME | ||
3761 | 4 | |||
3762 | 5 | EVP_BytesToKey - password based encryption routine | ||
3763 | 6 | |||
3764 | 7 | =head1 SYNOPSIS | ||
3765 | 8 | |||
3766 | 9 | #include <openssl/evp.h> | ||
3767 | 10 | |||
3768 | 11 | int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md, | ||
3769 | 12 | const unsigned char *salt, | ||
3770 | 13 | const unsigned char *data, int datal, int count, | ||
3771 | 14 | unsigned char *key,unsigned char *iv); | ||
3772 | 15 | |||
3773 | 16 | =head1 DESCRIPTION | ||
3774 | 17 | |||
3775 | 18 | EVP_BytesToKey() derives a key and IV from various parameters. B<type> is | ||
3776 | 19 | the cipher to derive the key and IV for. B<md> is the message digest to use. | ||
3777 | 20 | The B<salt> paramter is used as a salt in the derivation: it should point to | ||
3778 | 21 | an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing | ||
3779 | 22 | B<datal> bytes which is used to derive the keying data. B<count> is the | ||
3780 | 23 | iteration count to use. The derived key and IV will be written to B<key> | ||
3781 | 24 | and B<iv> respectively. | ||
3782 | 25 | |||
3783 | 26 | =head1 NOTES | ||
3784 | 27 | |||
3785 | 28 | A typical application of this function is to derive keying material for an | ||
3786 | 29 | encryption algorithm from a password in the B<data> parameter. | ||
3787 | 30 | |||
3788 | 31 | Increasing the B<count> parameter slows down the algorithm which makes it | ||
3789 | 32 | harder for an attacker to peform a brute force attack using a large number | ||
3790 | 33 | of candidate passwords. | ||
3791 | 34 | |||
3792 | 35 | If the total key and IV length is less than the digest length and | ||
3793 | 36 | B<MD5> is used then the derivation algorithm is compatible with PKCS#5 v1.5 | ||
3794 | 37 | otherwise a non standard extension is used to derive the extra data. | ||
3795 | 38 | |||
3796 | 39 | Newer applications should use more standard algorithms such as PKCS#5 | ||
3797 | 40 | v2.0 for key derivation. | ||
3798 | 41 | |||
3799 | 42 | =head1 KEY DERIVATION ALGORITHM | ||
3800 | 43 | |||
3801 | 44 | The key and IV is derived by concatenating D_1, D_2, etc until | ||
3802 | 45 | enough data is available for the key and IV. D_i is defined as: | ||
3803 | 46 | |||
3804 | 47 | D_i = HASH^count(D_(i-1) || data || salt) | ||
3805 | 48 | |||
3806 | 49 | where || denotes concatentaion, D_0 is empty, HASH is the digest | ||
3807 | 50 | algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data) | ||
3808 | 51 | is HASH(HASH(data)) and so on. | ||
3809 | 52 | |||
3810 | 53 | The initial bytes are used for the key and the subsequent bytes for | ||
3811 | 54 | the IV. | ||
3812 | 55 | |||
3813 | 56 | =head1 RETURN VALUES | ||
3814 | 57 | |||
3815 | 58 | EVP_BytesToKey() returns the size of the derived key in bytes. | ||
3816 | 59 | |||
3817 | 60 | =head1 SEE ALSO | ||
3818 | 61 | |||
3819 | 62 | L<evp(3)|evp(3)>, L<rand(3)|rand(3)>, | ||
3820 | 63 | L<EVP_EncryptInit(3)|EVP_EncryptInit(3)> | ||
3821 | 64 | |||
3822 | 65 | =head1 HISTORY | ||
3823 | 66 | |||
3824 | 67 | =cut | ||
3825 | 0 | 68 | ||
3826 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod' | |||
3827 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod 1970-01-01 00:00:00 +0000 | |||
3828 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod 2011-09-15 05:17:15 +0000 | |||
3829 | @@ -0,0 +1,511 @@ | |||
3830 | 1 | =pod | ||
3831 | 2 | |||
3832 | 3 | =head1 NAME | ||
3833 | 4 | |||
3834 | 5 | EVP_CIPHER_CTX_init, EVP_EncryptInit_ex, EVP_EncryptUpdate, | ||
3835 | 6 | EVP_EncryptFinal_ex, EVP_DecryptInit_ex, EVP_DecryptUpdate, | ||
3836 | 7 | EVP_DecryptFinal_ex, EVP_CipherInit_ex, EVP_CipherUpdate, | ||
3837 | 8 | EVP_CipherFinal_ex, EVP_CIPHER_CTX_set_key_length, | ||
3838 | 9 | EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX_cleanup, EVP_EncryptInit, | ||
3839 | 10 | EVP_EncryptFinal, EVP_DecryptInit, EVP_DecryptFinal, | ||
3840 | 11 | EVP_CipherInit, EVP_CipherFinal, EVP_get_cipherbyname, | ||
3841 | 12 | EVP_get_cipherbynid, EVP_get_cipherbyobj, EVP_CIPHER_nid, | ||
3842 | 13 | EVP_CIPHER_block_size, EVP_CIPHER_key_length, EVP_CIPHER_iv_length, | ||
3843 | 14 | EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher, | ||
3844 | 15 | EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length, | ||
3845 | 16 | EVP_CIPHER_CTX_iv_length, EVP_CIPHER_CTX_get_app_data, | ||
3846 | 17 | EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type, EVP_CIPHER_CTX_flags, | ||
3847 | 18 | EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param, | ||
3848 | 19 | EVP_CIPHER_CTX_set_padding - EVP cipher routines | ||
3849 | 20 | |||
3850 | 21 | =head1 SYNOPSIS | ||
3851 | 22 | |||
3852 | 23 | #include <openssl/evp.h> | ||
3853 | 24 | |||
3854 | 25 | void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a); | ||
3855 | 26 | |||
3856 | 27 | int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, | ||
3857 | 28 | ENGINE *impl, unsigned char *key, unsigned char *iv); | ||
3858 | 29 | int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, | ||
3859 | 30 | int *outl, unsigned char *in, int inl); | ||
3860 | 31 | int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, | ||
3861 | 32 | int *outl); | ||
3862 | 33 | |||
3863 | 34 | int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, | ||
3864 | 35 | ENGINE *impl, unsigned char *key, unsigned char *iv); | ||
3865 | 36 | int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, | ||
3866 | 37 | int *outl, unsigned char *in, int inl); | ||
3867 | 38 | int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, | ||
3868 | 39 | int *outl); | ||
3869 | 40 | |||
3870 | 41 | int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, | ||
3871 | 42 | ENGINE *impl, unsigned char *key, unsigned char *iv, int enc); | ||
3872 | 43 | int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, | ||
3873 | 44 | int *outl, unsigned char *in, int inl); | ||
3874 | 45 | int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, | ||
3875 | 46 | int *outl); | ||
3876 | 47 | |||
3877 | 48 | int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, | ||
3878 | 49 | unsigned char *key, unsigned char *iv); | ||
3879 | 50 | int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, | ||
3880 | 51 | int *outl); | ||
3881 | 52 | |||
3882 | 53 | int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, | ||
3883 | 54 | unsigned char *key, unsigned char *iv); | ||
3884 | 55 | int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, | ||
3885 | 56 | int *outl); | ||
3886 | 57 | |||
3887 | 58 | int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, | ||
3888 | 59 | unsigned char *key, unsigned char *iv, int enc); | ||
3889 | 60 | int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, | ||
3890 | 61 | int *outl); | ||
3891 | 62 | |||
3892 | 63 | int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding); | ||
3893 | 64 | int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen); | ||
3894 | 65 | int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); | ||
3895 | 66 | int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a); | ||
3896 | 67 | |||
3897 | 68 | const EVP_CIPHER *EVP_get_cipherbyname(const char *name); | ||
3898 | 69 | #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a)) | ||
3899 | 70 | #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a)) | ||
3900 | 71 | |||
3901 | 72 | #define EVP_CIPHER_nid(e) ((e)->nid) | ||
3902 | 73 | #define EVP_CIPHER_block_size(e) ((e)->block_size) | ||
3903 | 74 | #define EVP_CIPHER_key_length(e) ((e)->key_len) | ||
3904 | 75 | #define EVP_CIPHER_iv_length(e) ((e)->iv_len) | ||
3905 | 76 | #define EVP_CIPHER_flags(e) ((e)->flags) | ||
3906 | 77 | #define EVP_CIPHER_mode(e) ((e)->flags) & EVP_CIPH_MODE) | ||
3907 | 78 | int EVP_CIPHER_type(const EVP_CIPHER *ctx); | ||
3908 | 79 | |||
3909 | 80 | #define EVP_CIPHER_CTX_cipher(e) ((e)->cipher) | ||
3910 | 81 | #define EVP_CIPHER_CTX_nid(e) ((e)->cipher->nid) | ||
3911 | 82 | #define EVP_CIPHER_CTX_block_size(e) ((e)->cipher->block_size) | ||
3912 | 83 | #define EVP_CIPHER_CTX_key_length(e) ((e)->key_len) | ||
3913 | 84 | #define EVP_CIPHER_CTX_iv_length(e) ((e)->cipher->iv_len) | ||
3914 | 85 | #define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) | ||
3915 | 86 | #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d)) | ||
3916 | 87 | #define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c)) | ||
3917 | 88 | #define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags) | ||
3918 | 89 | #define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE) | ||
3919 | 90 | |||
3920 | 91 | int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type); | ||
3921 | 92 | int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type); | ||
3922 | 93 | |||
3923 | 94 | =head1 DESCRIPTION | ||
3924 | 95 | |||
3925 | 96 | The EVP cipher routines are a high level interface to certain | ||
3926 | 97 | symmetric ciphers. | ||
3927 | 98 | |||
3928 | 99 | EVP_CIPHER_CTX_init() initializes cipher contex B<ctx>. | ||
3929 | 100 | |||
3930 | 101 | EVP_EncryptInit_ex() sets up cipher context B<ctx> for encryption | ||
3931 | 102 | with cipher B<type> from ENGINE B<impl>. B<ctx> must be initialized | ||
3932 | 103 | before calling this function. B<type> is normally supplied | ||
3933 | 104 | by a function such as EVP_des_cbc(). If B<impl> is NULL then the | ||
3934 | 105 | default implementation is used. B<key> is the symmetric key to use | ||
3935 | 106 | and B<iv> is the IV to use (if necessary), the actual number of bytes | ||
3936 | 107 | used for the key and IV depends on the cipher. It is possible to set | ||
3937 | 108 | all parameters to NULL except B<type> in an initial call and supply | ||
3938 | 109 | the remaining parameters in subsequent calls, all of which have B<type> | ||
3939 | 110 | set to NULL. This is done when the default cipher parameters are not | ||
3940 | 111 | appropriate. | ||
3941 | 112 | |||
3942 | 113 | EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and | ||
3943 | 114 | writes the encrypted version to B<out>. This function can be called | ||
3944 | 115 | multiple times to encrypt successive blocks of data. The amount | ||
3945 | 116 | of data written depends on the block alignment of the encrypted data: | ||
3946 | 117 | as a result the amount of data written may be anything from zero bytes | ||
3947 | 118 | to (inl + cipher_block_size - 1) so B<outl> should contain sufficient | ||
3948 | 119 | room. The actual number of bytes written is placed in B<outl>. | ||
3949 | 120 | |||
3950 | 121 | If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts | ||
3951 | 122 | the "final" data, that is any data that remains in a partial block. | ||
3952 | 123 | It uses L<standard block padding|/NOTES> (aka PKCS padding). The encrypted | ||
3953 | 124 | final data is written to B<out> which should have sufficient space for | ||
3954 | 125 | one cipher block. The number of bytes written is placed in B<outl>. After | ||
3955 | 126 | this function is called the encryption operation is finished and no further | ||
3956 | 127 | calls to EVP_EncryptUpdate() should be made. | ||
3957 | 128 | |||
3958 | 129 | If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more | ||
3959 | 130 | data and it will return an error if any data remains in a partial block: | ||
3960 | 131 | that is if the total data length is not a multiple of the block size. | ||
3961 | 132 | |||
3962 | 133 | EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex() are the | ||
3963 | 134 | corresponding decryption operations. EVP_DecryptFinal() will return an | ||
3964 | 135 | error code if padding is enabled and the final block is not correctly | ||
3965 | 136 | formatted. The parameters and restrictions are identical to the encryption | ||
3966 | 137 | operations except that if padding is enabled the decrypted data buffer B<out> | ||
3967 | 138 | passed to EVP_DecryptUpdate() should have sufficient room for | ||
3968 | 139 | (B<inl> + cipher_block_size) bytes unless the cipher block size is 1 in | ||
3969 | 140 | which case B<inl> bytes is sufficient. | ||
3970 | 141 | |||
3971 | 142 | EVP_CipherInit_ex(), EVP_CipherUpdate() and EVP_CipherFinal_ex() are | ||
3972 | 143 | functions that can be used for decryption or encryption. The operation | ||
3973 | 144 | performed depends on the value of the B<enc> parameter. It should be set | ||
3974 | 145 | to 1 for encryption, 0 for decryption and -1 to leave the value unchanged | ||
3975 | 146 | (the actual value of 'enc' being supplied in a previous call). | ||
3976 | 147 | |||
3977 | 148 | EVP_CIPHER_CTX_cleanup() clears all information from a cipher context | ||
3978 | 149 | and free up any allocated memory associate with it. It should be called | ||
3979 | 150 | after all operations using a cipher are complete so sensitive information | ||
3980 | 151 | does not remain in memory. | ||
3981 | 152 | |||
3982 | 153 | EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a | ||
3983 | 154 | similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and | ||
3984 | 155 | EVP_CipherInit_ex() except the B<ctx> paramter does not need to be | ||
3985 | 156 | initialized and they always use the default cipher implementation. | ||
3986 | 157 | |||
3987 | 158 | EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a | ||
3988 | 159 | similar way to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and | ||
3989 | 160 | EVP_CipherFinal_ex() except B<ctx> is automatically cleaned up | ||
3990 | 161 | after the call. | ||
3991 | 162 | |||
3992 | 163 | EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj() | ||
3993 | 164 | return an EVP_CIPHER structure when passed a cipher name, a NID or an | ||
3994 | 165 | ASN1_OBJECT structure. | ||
3995 | 166 | |||
3996 | 167 | EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return the NID of a cipher when | ||
3997 | 168 | passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure. The actual NID | ||
3998 | 169 | value is an internal value which may not have a corresponding OBJECT | ||
3999 | 170 | IDENTIFIER. | ||
4000 | 171 | |||
4001 | 172 | EVP_CIPHER_CTX_set_padding() enables or disables padding. By default | ||
4002 | 173 | encryption operations are padded using standard block padding and the | ||
4003 | 174 | padding is checked and removed when decrypting. If the B<pad> parameter | ||
4004 | 175 | is zero then no padding is performed, the total amount of data encrypted | ||
4005 | 176 | or decrypted must then be a multiple of the block size or an error will | ||
4006 | 177 | occur. | ||
4007 | 178 | |||
4008 | 179 | EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key | ||
4009 | 180 | length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> | ||
4010 | 181 | structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum key length | ||
4011 | 182 | for all ciphers. Note: although EVP_CIPHER_key_length() is fixed for a | ||
4012 | 183 | given cipher, the value of EVP_CIPHER_CTX_key_length() may be different | ||
4013 | 184 | for variable key length ciphers. | ||
4014 | 185 | |||
4015 | 186 | EVP_CIPHER_CTX_set_key_length() sets the key length of the cipher ctx. | ||
4016 | 187 | If the cipher is a fixed length cipher then attempting to set the key | ||
4017 | 188 | length to any value other than the fixed value is an error. | ||
4018 | 189 | |||
4019 | 190 | EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV | ||
4020 | 191 | length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>. | ||
4021 | 192 | It will return zero if the cipher does not use an IV. The constant | ||
4022 | 193 | B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers. | ||
4023 | 194 | |||
4024 | 195 | EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block | ||
4025 | 196 | size of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> | ||
4026 | 197 | structure. The constant B<EVP_MAX_IV_LENGTH> is also the maximum block | ||
4027 | 198 | length for all ciphers. | ||
4028 | 199 | |||
4029 | 200 | EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the type of the passed | ||
4030 | 201 | cipher or context. This "type" is the actual NID of the cipher OBJECT | ||
4031 | 202 | IDENTIFIER as such it ignores the cipher parameters and 40 bit RC2 and | ||
4032 | 203 | 128 bit RC2 have the same NID. If the cipher does not have an object | ||
4033 | 204 | identifier or does not have ASN1 support this function will return | ||
4034 | 205 | B<NID_undef>. | ||
4035 | 206 | |||
4036 | 207 | EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed | ||
4037 | 208 | an B<EVP_CIPHER_CTX> structure. | ||
4038 | 209 | |||
4039 | 210 | EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode() return the block cipher mode: | ||
4040 | 211 | EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE or | ||
4041 | 212 | EVP_CIPH_OFB_MODE. If the cipher is a stream cipher then | ||
4042 | 213 | EVP_CIPH_STREAM_CIPHER is returned. | ||
4043 | 214 | |||
4044 | 215 | EVP_CIPHER_param_to_asn1() sets the AlgorithmIdentifier "parameter" based | ||
4045 | 216 | on the passed cipher. This will typically include any parameters and an | ||
4046 | 217 | IV. The cipher IV (if any) must be set when this call is made. This call | ||
4047 | 218 | should be made before the cipher is actually "used" (before any | ||
4048 | 219 | EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). This function | ||
4049 | 220 | may fail if the cipher does not have any ASN1 support. | ||
4050 | 221 | |||
4051 | 222 | EVP_CIPHER_asn1_to_param() sets the cipher parameters based on an ASN1 | ||
4052 | 223 | AlgorithmIdentifier "parameter". The precise effect depends on the cipher | ||
4053 | 224 | In the case of RC2, for example, it will set the IV and effective key length. | ||
4054 | 225 | This function should be called after the base cipher type is set but before | ||
4055 | 226 | the key is set. For example EVP_CipherInit() will be called with the IV and | ||
4056 | 227 | key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally | ||
4057 | 228 | EVP_CipherInit() again with all parameters except the key set to NULL. It is | ||
4058 | 229 | possible for this function to fail if the cipher does not have any ASN1 support | ||
4059 | 230 | or the parameters cannot be set (for example the RC2 effective key length | ||
4060 | 231 | is not supported. | ||
4061 | 232 | |||
4062 | 233 | EVP_CIPHER_CTX_ctrl() allows various cipher specific parameters to be determined | ||
4063 | 234 | and set. Currently only the RC2 effective key length and the number of rounds of | ||
4064 | 235 | RC5 can be set. | ||
4065 | 236 | |||
4066 | 237 | =head1 RETURN VALUES | ||
4067 | 238 | |||
4068 | 239 | EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex() | ||
4069 | 240 | return 1 for success and 0 for failure. | ||
4070 | 241 | |||
4071 | 242 | EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure. | ||
4072 | 243 | EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success. | ||
4073 | 244 | |||
4074 | 245 | EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for failure. | ||
4075 | 246 | EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success. | ||
4076 | 247 | |||
4077 | 248 | EVP_CIPHER_CTX_cleanup() returns 1 for success and 0 for failure. | ||
4078 | 249 | |||
4079 | 250 | EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj() | ||
4080 | 251 | return an B<EVP_CIPHER> structure or NULL on error. | ||
4081 | 252 | |||
4082 | 253 | EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID. | ||
4083 | 254 | |||
4084 | 255 | EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block | ||
4085 | 256 | size. | ||
4086 | 257 | |||
4087 | 258 | EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key | ||
4088 | 259 | length. | ||
4089 | 260 | |||
4090 | 261 | EVP_CIPHER_CTX_set_padding() always returns 1. | ||
4091 | 262 | |||
4092 | 263 | EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV | ||
4093 | 264 | length or zero if the cipher does not use an IV. | ||
4094 | 265 | |||
4095 | 266 | EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's | ||
4096 | 267 | OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER. | ||
4097 | 268 | |||
4098 | 269 | EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure. | ||
4099 | 270 | |||
4100 | 271 | EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for | ||
4101 | 272 | success or zero for failure. | ||
4102 | 273 | |||
4103 | 274 | =head1 CIPHER LISTING | ||
4104 | 275 | |||
4105 | 276 | All algorithms have a fixed key length unless otherwise stated. | ||
4106 | 277 | |||
4107 | 278 | =over 4 | ||
4108 | 279 | |||
4109 | 280 | =item EVP_enc_null() | ||
4110 | 281 | |||
4111 | 282 | Null cipher: does nothing. | ||
4112 | 283 | |||
4113 | 284 | =item EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void) | ||
4114 | 285 | |||
4115 | 286 | DES in CBC, ECB, CFB and OFB modes respectively. | ||
4116 | 287 | |||
4117 | 288 | =item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void), EVP_des_ede_cfb(void) | ||
4118 | 289 | |||
4119 | 290 | Two key triple DES in CBC, ECB, CFB and OFB modes respectively. | ||
4120 | 291 | |||
4121 | 292 | =item EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void), EVP_des_ede3_cfb(void) | ||
4122 | 293 | |||
4123 | 294 | Three key triple DES in CBC, ECB, CFB and OFB modes respectively. | ||
4124 | 295 | |||
4125 | 296 | =item EVP_desx_cbc(void) | ||
4126 | 297 | |||
4127 | 298 | DESX algorithm in CBC mode. | ||
4128 | 299 | |||
4129 | 300 | =item EVP_rc4(void) | ||
4130 | 301 | |||
4131 | 302 | RC4 stream cipher. This is a variable key length cipher with default key length 128 bits. | ||
4132 | 303 | |||
4133 | 304 | =item EVP_rc4_40(void) | ||
4134 | 305 | |||
4135 | 306 | RC4 stream cipher with 40 bit key length. This is obsolete and new code should use EVP_rc4() | ||
4136 | 307 | and the EVP_CIPHER_CTX_set_key_length() function. | ||
4137 | 308 | |||
4138 | 309 | =item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void), EVP_idea_cbc(void) | ||
4139 | 310 | |||
4140 | 311 | IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively. | ||
4141 | 312 | |||
4142 | 313 | =item EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void) | ||
4143 | 314 | |||
4144 | 315 | RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key | ||
4145 | 316 | length cipher with an additional parameter called "effective key bits" or "effective key length". | ||
4146 | 317 | By default both are set to 128 bits. | ||
4147 | 318 | |||
4148 | 319 | =item EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void) | ||
4149 | 320 | |||
4150 | 321 | RC2 algorithm in CBC mode with a default key length and effective key length of 40 and 64 bits. | ||
4151 | 322 | These are obsolete and new code should use EVP_rc2_cbc(), EVP_CIPHER_CTX_set_key_length() and | ||
4152 | 323 | EVP_CIPHER_CTX_ctrl() to set the key length and effective key length. | ||
4153 | 324 | |||
4154 | 325 | =item EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void); | ||
4155 | 326 | |||
4156 | 327 | Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key | ||
4157 | 328 | length cipher. | ||
4158 | 329 | |||
4159 | 330 | =item EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void) | ||
4160 | 331 | |||
4161 | 332 | CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key | ||
4162 | 333 | length cipher. | ||
4163 | 334 | |||
4164 | 335 | =item EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void) | ||
4165 | 336 | |||
4166 | 337 | RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key length | ||
4167 | 338 | cipher with an additional "number of rounds" parameter. By default the key length is set to 128 | ||
4168 | 339 | bits and 12 rounds. | ||
4169 | 340 | |||
4170 | 341 | =back | ||
4171 | 342 | |||
4172 | 343 | =head1 NOTES | ||
4173 | 344 | |||
4174 | 345 | Where possible the B<EVP> interface to symmetric ciphers should be used in | ||
4175 | 346 | preference to the low level interfaces. This is because the code then becomes | ||
4176 | 347 | transparent to the cipher used and much more flexible. | ||
4177 | 348 | |||
4178 | 349 | PKCS padding works by adding B<n> padding bytes of value B<n> to make the total | ||
4179 | 350 | length of the encrypted data a multiple of the block size. Padding is always | ||
4180 | 351 | added so if the data is already a multiple of the block size B<n> will equal | ||
4181 | 352 | the block size. For example if the block size is 8 and 11 bytes are to be | ||
4182 | 353 | encrypted then 5 padding bytes of value 5 will be added. | ||
4183 | 354 | |||
4184 | 355 | When decrypting the final block is checked to see if it has the correct form. | ||
4185 | 356 | |||
4186 | 357 | Although the decryption operation can produce an error if padding is enabled, | ||
4187 | 358 | it is not a strong test that the input data or key is correct. A random block | ||
4188 | 359 | has better than 1 in 256 chance of being of the correct format and problems with | ||
4189 | 360 | the input data earlier on will not produce a final decrypt error. | ||
4190 | 361 | |||
4191 | 362 | If padding is disabled then the decryption operation will always succeed if | ||
4192 | 363 | the total amount of data decrypted is a multiple of the block size. | ||
4193 | 364 | |||
4194 | 365 | The functions EVP_EncryptInit(), EVP_EncryptFinal(), EVP_DecryptInit(), | ||
4195 | 366 | EVP_CipherInit() and EVP_CipherFinal() are obsolete but are retained for | ||
4196 | 367 | compatibility with existing code. New code should use EVP_EncryptInit_ex(), | ||
4197 | 368 | EVP_EncryptFinal_ex(), EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), | ||
4198 | 369 | EVP_CipherInit_ex() and EVP_CipherFinal_ex() because they can reuse an | ||
4199 | 370 | existing context without allocating and freeing it up on each call. | ||
4200 | 371 | |||
4201 | 372 | =head1 BUGS | ||
4202 | 373 | |||
4203 | 374 | For RC5 the number of rounds can currently only be set to 8, 12 or 16. This is | ||
4204 | 375 | a limitation of the current RC5 code rather than the EVP interface. | ||
4205 | 376 | |||
4206 | 377 | EVP_MAX_KEY_LENGTH and EVP_MAX_IV_LENGTH only refer to the internal ciphers with | ||
4207 | 378 | default key lengths. If custom ciphers exceed these values the results are | ||
4208 | 379 | unpredictable. This is because it has become standard practice to define a | ||
4209 | 380 | generic key as a fixed unsigned char array containing EVP_MAX_KEY_LENGTH bytes. | ||
4210 | 381 | |||
4211 | 382 | The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested | ||
4212 | 383 | for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode. | ||
4213 | 384 | |||
4214 | 385 | =head1 EXAMPLES | ||
4215 | 386 | |||
4216 | 387 | Get the number of rounds used in RC5: | ||
4217 | 388 | |||
4218 | 389 | int nrounds; | ||
4219 | 390 | EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &nrounds); | ||
4220 | 391 | |||
4221 | 392 | Get the RC2 effective key length: | ||
4222 | 393 | |||
4223 | 394 | int key_bits; | ||
4224 | 395 | EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC2_KEY_BITS, 0, &key_bits); | ||
4225 | 396 | |||
4226 | 397 | Set the number of rounds used in RC5: | ||
4227 | 398 | |||
4228 | 399 | int nrounds; | ||
4229 | 400 | EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, nrounds, NULL); | ||
4230 | 401 | |||
4231 | 402 | Set the effective key length used in RC2: | ||
4232 | 403 | |||
4233 | 404 | int key_bits; | ||
4234 | 405 | EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL); | ||
4235 | 406 | |||
4236 | 407 | Encrypt a string using blowfish: | ||
4237 | 408 | |||
4238 | 409 | int do_crypt(char *outfile) | ||
4239 | 410 | { | ||
4240 | 411 | unsigned char outbuf[1024]; | ||
4241 | 412 | int outlen, tmplen; | ||
4242 | 413 | /* Bogus key and IV: we'd normally set these from | ||
4243 | 414 | * another source. | ||
4244 | 415 | */ | ||
4245 | 416 | unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; | ||
4246 | 417 | unsigned char iv[] = {1,2,3,4,5,6,7,8}; | ||
4247 | 418 | char intext[] = "Some Crypto Text"; | ||
4248 | 419 | EVP_CIPHER_CTX ctx; | ||
4249 | 420 | FILE *out; | ||
4250 | 421 | EVP_CIPHER_CTX_init(&ctx); | ||
4251 | 422 | EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv); | ||
4252 | 423 | |||
4253 | 424 | if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext))) | ||
4254 | 425 | { | ||
4255 | 426 | /* Error */ | ||
4256 | 427 | return 0; | ||
4257 | 428 | } | ||
4258 | 429 | /* Buffer passed to EVP_EncryptFinal() must be after data just | ||
4259 | 430 | * encrypted to avoid overwriting it. | ||
4260 | 431 | */ | ||
4261 | 432 | if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen)) | ||
4262 | 433 | { | ||
4263 | 434 | /* Error */ | ||
4264 | 435 | return 0; | ||
4265 | 436 | } | ||
4266 | 437 | outlen += tmplen; | ||
4267 | 438 | EVP_CIPHER_CTX_cleanup(&ctx); | ||
4268 | 439 | /* Need binary mode for fopen because encrypted data is | ||
4269 | 440 | * binary data. Also cannot use strlen() on it because | ||
4270 | 441 | * it wont be null terminated and may contain embedded | ||
4271 | 442 | * nulls. | ||
4272 | 443 | */ | ||
4273 | 444 | out = fopen(outfile, "wb"); | ||
4274 | 445 | fwrite(outbuf, 1, outlen, out); | ||
4275 | 446 | fclose(out); | ||
4276 | 447 | return 1; | ||
4277 | 448 | } | ||
4278 | 449 | |||
4279 | 450 | The ciphertext from the above example can be decrypted using the B<openssl> | ||
4280 | 451 | utility with the command line: | ||
4281 | 452 | |||
4282 | 453 | S<openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d> | ||
4283 | 454 | |||
4284 | 455 | General encryption, decryption function example using FILE I/O and RC2 with an | ||
4285 | 456 | 80 bit key: | ||
4286 | 457 | |||
4287 | 458 | int do_crypt(FILE *in, FILE *out, int do_encrypt) | ||
4288 | 459 | { | ||
4289 | 460 | /* Allow enough space in output buffer for additional block */ | ||
4290 | 461 | inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH]; | ||
4291 | 462 | int inlen, outlen; | ||
4292 | 463 | /* Bogus key and IV: we'd normally set these from | ||
4293 | 464 | * another source. | ||
4294 | 465 | */ | ||
4295 | 466 | unsigned char key[] = "0123456789"; | ||
4296 | 467 | unsigned char iv[] = "12345678"; | ||
4297 | 468 | /* Don't set key or IV because we will modify the parameters */ | ||
4298 | 469 | EVP_CIPHER_CTX_init(&ctx); | ||
4299 | 470 | EVP_CipherInit_ex(&ctx, EVP_rc2(), NULL, NULL, NULL, do_encrypt); | ||
4300 | 471 | EVP_CIPHER_CTX_set_key_length(&ctx, 10); | ||
4301 | 472 | /* We finished modifying parameters so now we can set key and IV */ | ||
4302 | 473 | EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt); | ||
4303 | 474 | |||
4304 | 475 | for(;;) | ||
4305 | 476 | { | ||
4306 | 477 | inlen = fread(inbuf, 1, 1024, in); | ||
4307 | 478 | if(inlen <= 0) break; | ||
4308 | 479 | if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen)) | ||
4309 | 480 | { | ||
4310 | 481 | /* Error */ | ||
4311 | 482 | EVP_CIPHER_CTX_cleanup(&ctx); | ||
4312 | 483 | return 0; | ||
4313 | 484 | } | ||
4314 | 485 | fwrite(outbuf, 1, outlen, out); | ||
4315 | 486 | } | ||
4316 | 487 | if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen)) | ||
4317 | 488 | { | ||
4318 | 489 | /* Error */ | ||
4319 | 490 | EVP_CIPHER_CTX_cleanup(&ctx); | ||
4320 | 491 | return 0; | ||
4321 | 492 | } | ||
4322 | 493 | fwrite(outbuf, 1, outlen, out); | ||
4323 | 494 | |||
4324 | 495 | EVP_CIPHER_CTX_cleanup(&ctx); | ||
4325 | 496 | return 1; | ||
4326 | 497 | } | ||
4327 | 498 | |||
4328 | 499 | |||
4329 | 500 | =head1 SEE ALSO | ||
4330 | 501 | |||
4331 | 502 | L<evp(3)|evp(3)> | ||
4332 | 503 | |||
4333 | 504 | =head1 HISTORY | ||
4334 | 505 | |||
4335 | 506 | EVP_CIPHER_CTX_init(), EVP_EncryptInit_ex(), EVP_EncryptFinal_ex(), | ||
4336 | 507 | EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex(), | ||
4337 | 508 | EVP_CipherFinal_ex() and EVP_CIPHER_CTX_set_padding() appeared in | ||
4338 | 509 | OpenSSL 0.9.7. | ||
4339 | 510 | |||
4340 | 511 | =cut | ||
4341 | 0 | 512 | ||
4342 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod' | |||
4343 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod 1970-01-01 00:00:00 +0000 | |||
4344 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod 2011-09-15 05:17:15 +0000 | |||
4345 | @@ -0,0 +1,61 @@ | |||
4346 | 1 | =pod | ||
4347 | 2 | |||
4348 | 3 | =head1 NAME | ||
4349 | 4 | |||
4350 | 5 | EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters, EVP_PKEY_cmp - public key parameter and comparison functions | ||
4351 | 6 | |||
4352 | 7 | =head1 SYNOPSIS | ||
4353 | 8 | |||
4354 | 9 | #include <openssl/evp.h> | ||
4355 | 10 | |||
4356 | 11 | int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey); | ||
4357 | 12 | int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from); | ||
4358 | 13 | |||
4359 | 14 | int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b); | ||
4360 | 15 | int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b); | ||
4361 | 16 | |||
4362 | 17 | =head1 DESCRIPTION | ||
4363 | 18 | |||
4364 | 19 | The function EVP_PKEY_missing_parameters() returns 1 if the public key | ||
4365 | 20 | parameters of B<pkey> are missing and 0 if they are present or the algorithm | ||
4366 | 21 | doesn't use parameters. | ||
4367 | 22 | |||
4368 | 23 | The function EVP_PKEY_copy_parameters() copies the parameters from key | ||
4369 | 24 | B<from> to key B<to>. | ||
4370 | 25 | |||
4371 | 26 | The funcion EVP_PKEY_cmp_parameters() compares the parameters of keys | ||
4372 | 27 | B<a> and B<b>. | ||
4373 | 28 | |||
4374 | 29 | The funcion EVP_PKEY_cmp() compares the public key components and paramters | ||
4375 | 30 | (if present) of keys B<a> and B<b>. | ||
4376 | 31 | |||
4377 | 32 | =head1 NOTES | ||
4378 | 33 | |||
4379 | 34 | The main purpose of the functions EVP_PKEY_missing_parameters() and | ||
4380 | 35 | EVP_PKEY_copy_parameters() is to handle public keys in certificates where the | ||
4381 | 36 | parameters are sometimes omitted from a public key if they are inherited from | ||
4382 | 37 | the CA that signed it. | ||
4383 | 38 | |||
4384 | 39 | Since OpenSSL private keys contain public key components too the function | ||
4385 | 40 | EVP_PKEY_cmp() can also be used to determine if a private key matches | ||
4386 | 41 | a public key. | ||
4387 | 42 | |||
4388 | 43 | =head1 RETURN VALUES | ||
4389 | 44 | |||
4390 | 45 | The function EVP_PKEY_missing_parameters() returns 1 if the public key | ||
4391 | 46 | parameters of B<pkey> are missing and 0 if they are present or the algorithm | ||
4392 | 47 | doesn't use parameters. | ||
4393 | 48 | |||
4394 | 49 | These functions EVP_PKEY_copy_parameters() returns 1 for success and 0 for | ||
4395 | 50 | failure. | ||
4396 | 51 | |||
4397 | 52 | The function EVP_PKEY_cmp_parameters() and EVP_PKEY_cmp() return 1 if the | ||
4398 | 53 | keys match, 0 if they don't match, -1 if the key types are different and | ||
4399 | 54 | -2 if the operation is not supported. | ||
4400 | 55 | |||
4401 | 56 | =head1 SEE ALSO | ||
4402 | 57 | |||
4403 | 58 | L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, | ||
4404 | 59 | L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> | ||
4405 | 60 | |||
4406 | 61 | =cut | ||
4407 | 0 | 62 | ||
4408 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod' | |||
4409 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod 1970-01-01 00:00:00 +0000 | |||
4410 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod 2011-09-15 05:17:15 +0000 | |||
4411 | @@ -0,0 +1,303 @@ | |||
4412 | 1 | =pod | ||
4413 | 2 | |||
4414 | 3 | =head1 NAME | ||
4415 | 4 | |||
4416 | 5 | X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information | ||
4417 | 6 | |||
4418 | 7 | =head1 SYNOPSIS | ||
4419 | 8 | |||
4420 | 9 | #include <openssl/x509.h> | ||
4421 | 10 | #include <openssl/x509_vfy.h> | ||
4422 | 11 | |||
4423 | 12 | int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx); | ||
4424 | 13 | void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s); | ||
4425 | 14 | int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx); | ||
4426 | 15 | X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx); | ||
4427 | 16 | |||
4428 | 17 | STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx); | ||
4429 | 18 | |||
4430 | 19 | const char *X509_verify_cert_error_string(long n); | ||
4431 | 20 | |||
4432 | 21 | =head1 DESCRIPTION | ||
4433 | 22 | |||
4434 | 23 | These functions are typically called after X509_verify_cert() has indicated | ||
4435 | 24 | an error or in a verification callback to determine the nature of an error. | ||
4436 | 25 | |||
4437 | 26 | X509_STORE_CTX_get_error() returns the error code of B<ctx>, see | ||
4438 | 27 | the B<ERROR CODES> section for a full description of all error codes. | ||
4439 | 28 | |||
4440 | 29 | X509_STORE_CTX_set_error() sets the error code of B<ctx> to B<s>. For example | ||
4441 | 30 | it might be used in a verification callback to set an error based on additional | ||
4442 | 31 | checks. | ||
4443 | 32 | |||
4444 | 33 | X509_STORE_CTX_get_error_depth() returns the B<depth> of the error. This is a | ||
4445 | 34 | non-negative integer representing where in the certificate chain the error | ||
4446 | 35 | occurred. If it is zero it occured in the end entity certificate, one if | ||
4447 | 36 | it is the certificate which signed the end entity certificate and so on. | ||
4448 | 37 | |||
4449 | 38 | X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which | ||
4450 | 39 | caused the error or B<NULL> if no certificate is relevant. | ||
4451 | 40 | |||
4452 | 41 | X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous | ||
4453 | 42 | call to X509_verify_cert() is successful. If the call to X509_verify_cert() | ||
4454 | 43 | is B<not> successful the returned chain may be incomplete or invalid. The | ||
4455 | 44 | returned chain persists after the B<ctx> structure is freed, when it is | ||
4456 | 45 | no longer needed it should be free up using: | ||
4457 | 46 | |||
4458 | 47 | sk_X509_pop_free(chain, X509_free); | ||
4459 | 48 | |||
4460 | 49 | X509_verify_cert_error_string() returns a human readable error string for | ||
4461 | 50 | verification error B<n>. | ||
4462 | 51 | |||
4463 | 52 | =head1 RETURN VALUES | ||
4464 | 53 | |||
4465 | 54 | X509_STORE_CTX_get_error() returns B<X509_V_OK> or an error code. | ||
4466 | 55 | |||
4467 | 56 | X509_STORE_CTX_get_error_depth() returns a non-negative error depth. | ||
4468 | 57 | |||
4469 | 58 | X509_STORE_CTX_get_current_cert() returns the cerificate which caused the | ||
4470 | 59 | error or B<NULL> if no certificate is relevant to the error. | ||
4471 | 60 | |||
4472 | 61 | X509_verify_cert_error_string() returns a human readable error string for | ||
4473 | 62 | verification error B<n>. | ||
4474 | 63 | |||
4475 | 64 | =head1 ERROR CODES | ||
4476 | 65 | |||
4477 | 66 | A list of error codes and messages is shown below. Some of the | ||
4478 | 67 | error codes are defined but currently never returned: these are described as | ||
4479 | 68 | "unused". | ||
4480 | 69 | |||
4481 | 70 | =over 4 | ||
4482 | 71 | |||
4483 | 72 | =item B<X509_V_OK: ok> | ||
4484 | 73 | |||
4485 | 74 | the operation was successful. | ||
4486 | 75 | |||
4487 | 76 | =item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate> | ||
4488 | 77 | |||
4489 | 78 | the issuer certificate could not be found: this occurs if the issuer certificate | ||
4490 | 79 | of an untrusted certificate cannot be found. | ||
4491 | 80 | |||
4492 | 81 | =item B<X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL> | ||
4493 | 82 | |||
4494 | 83 | the CRL of a certificate could not be found. | ||
4495 | 84 | |||
4496 | 85 | =item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature> | ||
4497 | 86 | |||
4498 | 87 | the certificate signature could not be decrypted. This means that the actual | ||
4499 | 88 | signature value could not be determined rather than it not matching the | ||
4500 | 89 | expected value, this is only meaningful for RSA keys. | ||
4501 | 90 | |||
4502 | 91 | =item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature> | ||
4503 | 92 | |||
4504 | 93 | the CRL signature could not be decrypted: this means that the actual signature | ||
4505 | 94 | value could not be determined rather than it not matching the expected value. | ||
4506 | 95 | Unused. | ||
4507 | 96 | |||
4508 | 97 | =item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key> | ||
4509 | 98 | |||
4510 | 99 | the public key in the certificate SubjectPublicKeyInfo could not be read. | ||
4511 | 100 | |||
4512 | 101 | =item B<X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure> | ||
4513 | 102 | |||
4514 | 103 | the signature of the certificate is invalid. | ||
4515 | 104 | |||
4516 | 105 | =item B<X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure> | ||
4517 | 106 | |||
4518 | 107 | the signature of the certificate is invalid. | ||
4519 | 108 | |||
4520 | 109 | =item B<X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid> | ||
4521 | 110 | |||
4522 | 111 | the certificate is not yet valid: the notBefore date is after the current time. | ||
4523 | 112 | |||
4524 | 113 | =item B<X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired> | ||
4525 | 114 | |||
4526 | 115 | the certificate has expired: that is the notAfter date is before the current time. | ||
4527 | 116 | |||
4528 | 117 | =item B<X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid> | ||
4529 | 118 | |||
4530 | 119 | the CRL is not yet valid. | ||
4531 | 120 | |||
4532 | 121 | =item B<X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired> | ||
4533 | 122 | |||
4534 | 123 | the CRL has expired. | ||
4535 | 124 | |||
4536 | 125 | =item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field> | ||
4537 | 126 | |||
4538 | 127 | the certificate notBefore field contains an invalid time. | ||
4539 | 128 | |||
4540 | 129 | =item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field> | ||
4541 | 130 | |||
4542 | 131 | the certificate notAfter field contains an invalid time. | ||
4543 | 132 | |||
4544 | 133 | =item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field> | ||
4545 | 134 | |||
4546 | 135 | the CRL lastUpdate field contains an invalid time. | ||
4547 | 136 | |||
4548 | 137 | =item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field> | ||
4549 | 138 | |||
4550 | 139 | the CRL nextUpdate field contains an invalid time. | ||
4551 | 140 | |||
4552 | 141 | =item B<X509_V_ERR_OUT_OF_MEM: out of memory> | ||
4553 | 142 | |||
4554 | 143 | an error occurred trying to allocate memory. This should never happen. | ||
4555 | 144 | |||
4556 | 145 | =item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate> | ||
4557 | 146 | |||
4558 | 147 | the passed certificate is self signed and the same certificate cannot be found | ||
4559 | 148 | in the list of trusted certificates. | ||
4560 | 149 | |||
4561 | 150 | =item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain> | ||
4562 | 151 | |||
4563 | 152 | the certificate chain could be built up using the untrusted certificates but | ||
4564 | 153 | the root could not be found locally. | ||
4565 | 154 | |||
4566 | 155 | =item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate> | ||
4567 | 156 | |||
4568 | 157 | the issuer certificate of a locally looked up certificate could not be found. | ||
4569 | 158 | This normally means the list of trusted certificates is not complete. | ||
4570 | 159 | |||
4571 | 160 | =item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate> | ||
4572 | 161 | |||
4573 | 162 | no signatures could be verified because the chain contains only one certificate | ||
4574 | 163 | and it is not self signed. | ||
4575 | 164 | |||
4576 | 165 | =item B<X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long> | ||
4577 | 166 | |||
4578 | 167 | the certificate chain length is greater than the supplied maximum depth. Unused. | ||
4579 | 168 | |||
4580 | 169 | =item B<X509_V_ERR_CERT_REVOKED: certificate revoked> | ||
4581 | 170 | |||
4582 | 171 | the certificate has been revoked. | ||
4583 | 172 | |||
4584 | 173 | =item B<X509_V_ERR_INVALID_CA: invalid CA certificate> | ||
4585 | 174 | |||
4586 | 175 | a CA certificate is invalid. Either it is not a CA or its extensions are not | ||
4587 | 176 | consistent with the supplied purpose. | ||
4588 | 177 | |||
4589 | 178 | =item B<X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded> | ||
4590 | 179 | |||
4591 | 180 | the basicConstraints pathlength parameter has been exceeded. | ||
4592 | 181 | |||
4593 | 182 | =item B<X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose> | ||
4594 | 183 | |||
4595 | 184 | the supplied certificate cannot be used for the specified purpose. | ||
4596 | 185 | |||
4597 | 186 | =item B<X509_V_ERR_CERT_UNTRUSTED: certificate not trusted> | ||
4598 | 187 | |||
4599 | 188 | the root CA is not marked as trusted for the specified purpose. | ||
4600 | 189 | |||
4601 | 190 | =item B<X509_V_ERR_CERT_REJECTED: certificate rejected> | ||
4602 | 191 | |||
4603 | 192 | the root CA is marked to reject the specified purpose. | ||
4604 | 193 | |||
4605 | 194 | =item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch> | ||
4606 | 195 | |||
4607 | 196 | the current candidate issuer certificate was rejected because its subject name | ||
4608 | 197 | did not match the issuer name of the current certificate. This is only set | ||
4609 | 198 | if issuer check debugging is enabled it is used for status notification and | ||
4610 | 199 | is B<not> in itself an error. | ||
4611 | 200 | |||
4612 | 201 | =item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch> | ||
4613 | 202 | |||
4614 | 203 | the current candidate issuer certificate was rejected because its subject key | ||
4615 | 204 | identifier was present and did not match the authority key identifier current | ||
4616 | 205 | certificate. This is only set if issuer check debugging is enabled it is used | ||
4617 | 206 | for status notification and is B<not> in itself an error. | ||
4618 | 207 | |||
4619 | 208 | =item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch> | ||
4620 | 209 | |||
4621 | 210 | the current candidate issuer certificate was rejected because its issuer name | ||
4622 | 211 | and serial number was present and did not match the authority key identifier of | ||
4623 | 212 | the current certificate. This is only set if issuer check debugging is enabled | ||
4624 | 213 | it is used for status notification and is B<not> in itself an error. | ||
4625 | 214 | |||
4626 | 215 | =item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing> | ||
4627 | 216 | |||
4628 | 217 | the current candidate issuer certificate was rejected because its keyUsage | ||
4629 | 218 | extension does not permit certificate signing. This is only set if issuer check | ||
4630 | 219 | debugging is enabled it is used for status notification and is B<not> in itself | ||
4631 | 220 | an error. | ||
4632 | 221 | |||
4633 | 222 | =item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension> | ||
4634 | 223 | |||
4635 | 224 | A certificate extension had an invalid value (for example an incorrect | ||
4636 | 225 | encoding) or some value inconsistent with other extensions. | ||
4637 | 226 | |||
4638 | 227 | |||
4639 | 228 | =item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension> | ||
4640 | 229 | |||
4641 | 230 | A certificate policies extension had an invalid value (for example an incorrect | ||
4642 | 231 | encoding) or some value inconsistent with other extensions. This error only | ||
4643 | 232 | occurs if policy processing is enabled. | ||
4644 | 233 | |||
4645 | 234 | =item B<X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy> | ||
4646 | 235 | |||
4647 | 236 | The verification flags were set to require and explicit policy but none was | ||
4648 | 237 | present. | ||
4649 | 238 | |||
4650 | 239 | =item B<X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope> | ||
4651 | 240 | |||
4652 | 241 | The only CRLs that could be found did not match the scope of the certificate. | ||
4653 | 242 | |||
4654 | 243 | =item B<X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature> | ||
4655 | 244 | |||
4656 | 245 | Some feature of a certificate extension is not supported. Unused. | ||
4657 | 246 | |||
4658 | 247 | =item B<X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation> | ||
4659 | 248 | |||
4660 | 249 | A name constraint violation occured in the permitted subtrees. | ||
4661 | 250 | |||
4662 | 251 | =item B<X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation> | ||
4663 | 252 | |||
4664 | 253 | A name constraint violation occured in the excluded subtrees. | ||
4665 | 254 | |||
4666 | 255 | =item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported> | ||
4667 | 256 | |||
4668 | 257 | A certificate name constraints extension included a minimum or maximum field: | ||
4669 | 258 | this is not supported. | ||
4670 | 259 | |||
4671 | 260 | =item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type> | ||
4672 | 261 | |||
4673 | 262 | An unsupported name constraint type was encountered. OpenSSL currently only | ||
4674 | 263 | supports directory name, DNS name, email and URI types. | ||
4675 | 264 | |||
4676 | 265 | =item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax> | ||
4677 | 266 | |||
4678 | 267 | The format of the name constraint is not recognised: for example an email | ||
4679 | 268 | address format of a form not mentioned in RFC3280. This could be caused by | ||
4680 | 269 | a garbage extension or some new feature not currently supported. | ||
4681 | 270 | |||
4682 | 271 | =item B<X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error> | ||
4683 | 272 | |||
4684 | 273 | An error occured when attempting to verify the CRL path. This error can only | ||
4685 | 274 | happen if extended CRL checking is enabled. | ||
4686 | 275 | |||
4687 | 276 | =item B<X509_V_ERR_APPLICATION_VERIFICATION: application verification failure> | ||
4688 | 277 | |||
4689 | 278 | an application specific error. This will never be returned unless explicitly | ||
4690 | 279 | set by an application. | ||
4691 | 280 | |||
4692 | 281 | =head1 NOTES | ||
4693 | 282 | |||
4694 | 283 | The above functions should be used instead of directly referencing the fields | ||
4695 | 284 | in the B<X509_VERIFY_CTX> structure. | ||
4696 | 285 | |||
4697 | 286 | In versions of OpenSSL before 1.0 the current certificate returned by | ||
4698 | 287 | X509_STORE_CTX_get_current_cert() was never B<NULL>. Applications should | ||
4699 | 288 | check the return value before printing out any debugging information relating | ||
4700 | 289 | to the current certificate. | ||
4701 | 290 | |||
4702 | 291 | If an unrecognised error code is passed to X509_verify_cert_error_string() the | ||
4703 | 292 | numerical value of the unknown code is returned in a static buffer. This is not | ||
4704 | 293 | thread safe but will never happen unless an invalid code is passed. | ||
4705 | 294 | |||
4706 | 295 | =head1 SEE ALSO | ||
4707 | 296 | |||
4708 | 297 | L<X509_verify_cert(3)|X509_verify_cert(3)> | ||
4709 | 298 | |||
4710 | 299 | =head1 HISTORY | ||
4711 | 300 | |||
4712 | 301 | TBA | ||
4713 | 302 | |||
4714 | 303 | =cut | ||
4715 | 0 | 304 | ||
4716 | === added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod' | |||
4717 | --- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod 1970-01-01 00:00:00 +0000 | |||
4718 | +++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod 2011-09-15 05:17:15 +0000 | |||
4719 | @@ -0,0 +1,476 @@ | |||
4720 | 1 | =pod | ||
4721 | 2 | |||
4722 | 3 | =head1 NAME | ||
4723 | 4 | |||
4724 | 5 | PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams, PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines | ||
4725 | 6 | |||
4726 | 7 | =head1 SYNOPSIS | ||
4727 | 8 | |||
4728 | 9 | #include <openssl/pem.h> | ||
4729 | 10 | |||
4730 | 11 | EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, | ||
4731 | 12 | pem_password_cb *cb, void *u); | ||
4732 | 13 | |||
4733 | 14 | EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x, | ||
4734 | 15 | pem_password_cb *cb, void *u); | ||
4735 | 16 | |||
4736 | 17 | int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, | ||
4737 | 18 | unsigned char *kstr, int klen, | ||
4738 | 19 | pem_password_cb *cb, void *u); | ||
4739 | 20 | |||
4740 | 21 | int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, | ||
4741 | 22 | unsigned char *kstr, int klen, | ||
4742 | 23 | pem_password_cb *cb, void *u); | ||
4743 | 24 | |||
4744 | 25 | int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc, | ||
4745 | 26 | char *kstr, int klen, | ||
4746 | 27 | pem_password_cb *cb, void *u); | ||
4747 | 28 | |||
4748 | 29 | int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc, | ||
4749 | 30 | char *kstr, int klen, | ||
4750 | 31 | pem_password_cb *cb, void *u); | ||
4751 | 32 | |||
4752 | 33 | int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid, | ||
4753 | 34 | char *kstr, int klen, | ||
4754 | 35 | pem_password_cb *cb, void *u); | ||
4755 | 36 | |||
4756 | 37 | int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid, | ||
4757 | 38 | char *kstr, int klen, | ||
4758 | 39 | pem_password_cb *cb, void *u); | ||
4759 | 40 | |||
4760 | 41 | EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x, | ||
4761 | 42 | pem_password_cb *cb, void *u); | ||
4762 | 43 | |||
4763 | 44 | EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x, | ||
4764 | 45 | pem_password_cb *cb, void *u); | ||
4765 | 46 | |||
4766 | 47 | int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x); | ||
4767 | 48 | int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x); | ||
4768 | 49 | |||
4769 | 50 | RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x, | ||
4770 | 51 | pem_password_cb *cb, void *u); | ||
4771 | 52 | |||
4772 | 53 | RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x, | ||
4773 | 54 | pem_password_cb *cb, void *u); | ||
4774 | 55 | |||
4775 | 56 | int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, | ||
4776 | 57 | unsigned char *kstr, int klen, | ||
4777 | 58 | pem_password_cb *cb, void *u); | ||
4778 | 59 | |||
4779 | 60 | int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, | ||
4780 | 61 | unsigned char *kstr, int klen, | ||
4781 | 62 | pem_password_cb *cb, void *u); | ||
4782 | 63 | |||
4783 | 64 | RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x, | ||
4784 | 65 | pem_password_cb *cb, void *u); | ||
4785 | 66 | |||
4786 | 67 | RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x, | ||
4787 | 68 | pem_password_cb *cb, void *u); | ||
4788 | 69 | |||
4789 | 70 | int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x); | ||
4790 | 71 | |||
4791 | 72 | int PEM_write_RSAPublicKey(FILE *fp, RSA *x); | ||
4792 | 73 | |||
4793 | 74 | RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x, | ||
4794 | 75 | pem_password_cb *cb, void *u); | ||
4795 | 76 | |||
4796 | 77 | RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x, | ||
4797 | 78 | pem_password_cb *cb, void *u); | ||
4798 | 79 | |||
4799 | 80 | int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x); | ||
4800 | 81 | |||
4801 | 82 | int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x); | ||
4802 | 83 | |||
4803 | 84 | DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x, | ||
4804 | 85 | pem_password_cb *cb, void *u); | ||
4805 | 86 | |||
4806 | 87 | DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x, | ||
4807 | 88 | pem_password_cb *cb, void *u); | ||
4808 | 89 | |||
4809 | 90 | int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, | ||
4810 | 91 | unsigned char *kstr, int klen, | ||
4811 | 92 | pem_password_cb *cb, void *u); | ||
4812 | 93 | |||
4813 | 94 | int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, | ||
4814 | 95 | unsigned char *kstr, int klen, | ||
4815 | 96 | pem_password_cb *cb, void *u); | ||
4816 | 97 | |||
4817 | 98 | DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x, | ||
4818 | 99 | pem_password_cb *cb, void *u); | ||
4819 | 100 | |||
4820 | 101 | DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x, | ||
4821 | 102 | pem_password_cb *cb, void *u); | ||
4822 | 103 | |||
4823 | 104 | int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x); | ||
4824 | 105 | |||
4825 | 106 | int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x); | ||
4826 | 107 | |||
4827 | 108 | DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u); | ||
4828 | 109 | |||
4829 | 110 | DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u); | ||
4830 | 111 | |||
4831 | 112 | int PEM_write_bio_DSAparams(BIO *bp, DSA *x); | ||
4832 | 113 | |||
4833 | 114 | int PEM_write_DSAparams(FILE *fp, DSA *x); | ||
4834 | 115 | |||
4835 | 116 | DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u); | ||
4836 | 117 | |||
4837 | 118 | DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u); | ||
4838 | 119 | |||
4839 | 120 | int PEM_write_bio_DHparams(BIO *bp, DH *x); | ||
4840 | 121 | |||
4841 | 122 | int PEM_write_DHparams(FILE *fp, DH *x); | ||
4842 | 123 | |||
4843 | 124 | X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u); | ||
4844 | 125 | |||
4845 | 126 | X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u); | ||
4846 | 127 | |||
4847 | 128 | int PEM_write_bio_X509(BIO *bp, X509 *x); | ||
4848 | 129 | |||
4849 | 130 | int PEM_write_X509(FILE *fp, X509 *x); | ||
4850 | 131 | |||
4851 | 132 | X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u); | ||
4852 | 133 | |||
4853 | 134 | X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u); | ||
4854 | 135 | |||
4855 | 136 | int PEM_write_bio_X509_AUX(BIO *bp, X509 *x); | ||
4856 | 137 | |||
4857 | 138 | int PEM_write_X509_AUX(FILE *fp, X509 *x); | ||
4858 | 139 | |||
4859 | 140 | X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x, | ||
4860 | 141 | pem_password_cb *cb, void *u); | ||
4861 | 142 | |||
4862 | 143 | X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x, | ||
4863 | 144 | pem_password_cb *cb, void *u); | ||
4864 | 145 | |||
4865 | 146 | int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x); | ||
4866 | 147 | |||
4867 | 148 | int PEM_write_X509_REQ(FILE *fp, X509_REQ *x); | ||
4868 | 149 | |||
4869 | 150 | int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x); | ||
4870 | 151 | |||
4871 | 152 | int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x); | ||
4872 | 153 | |||
4873 | 154 | X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x, | ||
4874 | 155 | pem_password_cb *cb, void *u); | ||
4875 | 156 | X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x, | ||
4876 | 157 | pem_password_cb *cb, void *u); | ||
4877 | 158 | int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x); | ||
4878 | 159 | int PEM_write_X509_CRL(FILE *fp, X509_CRL *x); | ||
4879 | 160 | |||
4880 | 161 | PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u); | ||
4881 | 162 | |||
4882 | 163 | PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u); | ||
4883 | 164 | |||
4884 | 165 | int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x); | ||
4885 | 166 | |||
4886 | 167 | int PEM_write_PKCS7(FILE *fp, PKCS7 *x); | ||
4887 | 168 | |||
4888 | 169 | NETSCAPE_CERT_SEQUENCE *PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, | ||
4889 | 170 | NETSCAPE_CERT_SEQUENCE **x, | ||
4890 | 171 | pem_password_cb *cb, void *u); | ||
4891 | 172 | |||
4892 | 173 | NETSCAPE_CERT_SEQUENCE *PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp, | ||
4893 | 174 | NETSCAPE_CERT_SEQUENCE **x, | ||
4894 | 175 | pem_password_cb *cb, void *u); | ||
4895 | 176 | |||
4896 | 177 | int PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE *x); | ||
4897 | 178 | |||
4898 | 179 | int PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE *x); | ||
4899 | 180 | |||
4900 | 181 | =head1 DESCRIPTION | ||
4901 | 182 | |||
4902 | 183 | The PEM functions read or write structures in PEM format. In | ||
4903 | 184 | this sense PEM format is simply base64 encoded data surrounded | ||
4904 | 185 | by header lines. | ||
4905 | 186 | |||
4906 | 187 | For more details about the meaning of arguments see the | ||
4907 | 188 | B<PEM FUNCTION ARGUMENTS> section. | ||
4908 | 189 | |||
4909 | 190 | Each operation has four functions associated with it. For | ||
4910 | 191 | clarity the term "B<foobar> functions" will be used to collectively | ||
4911 | 192 | refer to the PEM_read_bio_foobar(), PEM_read_foobar(), | ||
4912 | 193 | PEM_write_bio_foobar() and PEM_write_foobar() functions. | ||
4913 | 194 | |||
4914 | 195 | The B<PrivateKey> functions read or write a private key in | ||
4915 | 196 | PEM format using an EVP_PKEY structure. The write routines use | ||
4916 | 197 | "traditional" private key format and can handle both RSA and DSA | ||
4917 | 198 | private keys. The read functions can additionally transparently | ||
4918 | 199 | handle PKCS#8 format encrypted and unencrypted keys too. | ||
4919 | 200 | |||
4920 | 201 | PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey() | ||
4921 | 202 | write a private key in an EVP_PKEY structure in PKCS#8 | ||
4922 | 203 | EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption | ||
4923 | 204 | algorithms. The B<cipher> argument specifies the encryption algoritm to | ||
4924 | 205 | use: unlike all other PEM routines the encryption is applied at the | ||
4925 | 206 | PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no | ||
4926 | 207 | encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead. | ||
4927 | 208 | |||
4928 | 209 | PEM_write_bio_PKCS8PrivateKey_nid() and PEM_write_PKCS8PrivateKey_nid() | ||
4929 | 210 | also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however | ||
4930 | 211 | it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm | ||
4931 | 212 | to use is specified in the B<nid> parameter and should be the NID of the | ||
4932 | 213 | corresponding OBJECT IDENTIFIER (see NOTES section). | ||
4933 | 214 | |||
4934 | 215 | The B<PUBKEY> functions process a public key using an EVP_PKEY | ||
4935 | 216 | structure. The public key is encoded as a SubjectPublicKeyInfo | ||
4936 | 217 | structure. | ||
4937 | 218 | |||
4938 | 219 | The B<RSAPrivateKey> functions process an RSA private key using an | ||
4939 | 220 | RSA structure. It handles the same formats as the B<PrivateKey> | ||
4940 | 221 | functions but an error occurs if the private key is not RSA. | ||
4941 | 222 | |||
4942 | 223 | The B<RSAPublicKey> functions process an RSA public key using an | ||
4943 | 224 | RSA structure. The public key is encoded using a PKCS#1 RSAPublicKey | ||
4944 | 225 | structure. | ||
4945 | 226 | |||
4946 | 227 | The B<RSA_PUBKEY> functions also process an RSA public key using | ||
4947 | 228 | an RSA structure. However the public key is encoded using a | ||
4948 | 229 | SubjectPublicKeyInfo structure and an error occurs if the public | ||
4949 | 230 | key is not RSA. | ||
4950 | 231 | |||
4951 | 232 | The B<DSAPrivateKey> functions process a DSA private key using a | ||
4952 | 233 | DSA structure. It handles the same formats as the B<PrivateKey> | ||
4953 | 234 | functions but an error occurs if the private key is not DSA. | ||
4954 | 235 | |||
4955 | 236 | The B<DSA_PUBKEY> functions process a DSA public key using | ||
4956 | 237 | a DSA structure. The public key is encoded using a | ||
4957 | 238 | SubjectPublicKeyInfo structure and an error occurs if the public | ||
4958 | 239 | key is not DSA. | ||
4959 | 240 | |||
4960 | 241 | The B<DSAparams> functions process DSA parameters using a DSA | ||
4961 | 242 | structure. The parameters are encoded using a foobar structure. | ||
4962 | 243 | |||
4963 | 244 | The B<DHparams> functions process DH parameters using a DH | ||
4964 | 245 | structure. The parameters are encoded using a PKCS#3 DHparameter | ||
4965 | 246 | structure. | ||
4966 | 247 | |||
4967 | 248 | The B<X509> functions process an X509 certificate using an X509 | ||
4968 | 249 | structure. They will also process a trusted X509 certificate but | ||
4969 | 250 | any trust settings are discarded. | ||
4970 | 251 | |||
4971 | 252 | The B<X509_AUX> functions process a trusted X509 certificate using | ||
4972 | 253 | an X509 structure. | ||
4973 | 254 | |||
4974 | 255 | The B<X509_REQ> and B<X509_REQ_NEW> functions process a PKCS#10 | ||
4975 | 256 | certificate request using an X509_REQ structure. The B<X509_REQ> | ||
4976 | 257 | write functions use B<CERTIFICATE REQUEST> in the header whereas | ||
4977 | 258 | the B<X509_REQ_NEW> functions use B<NEW CERTIFICATE REQUEST> | ||
4978 | 259 | (as required by some CAs). The B<X509_REQ> read functions will | ||
4979 | 260 | handle either form so there are no B<X509_REQ_NEW> read functions. | ||
4980 | 261 | |||
4981 | 262 | The B<X509_CRL> functions process an X509 CRL using an X509_CRL | ||
4982 | 263 | structure. | ||
4983 | 264 | |||
4984 | 265 | The B<PKCS7> functions process a PKCS#7 ContentInfo using a PKCS7 | ||
4985 | 266 | structure. | ||
4986 | 267 | |||
4987 | 268 | The B<NETSCAPE_CERT_SEQUENCE> functions process a Netscape Certificate | ||
4988 | 269 | Sequence using a NETSCAPE_CERT_SEQUENCE structure. | ||
4989 | 270 | |||
4990 | 271 | =head1 PEM FUNCTION ARGUMENTS | ||
4991 | 272 | |||
4992 | 273 | The PEM functions have many common arguments. | ||
4993 | 274 | |||
4994 | 275 | The B<bp> BIO parameter (if present) specifies the BIO to read from | ||
4995 | 276 | or write to. | ||
4996 | 277 | |||
4997 | 278 | The B<fp> FILE parameter (if present) specifies the FILE pointer to | ||
4998 | 279 | read from or write to. | ||
4999 | 280 | |||
5000 | 281 | The PEM read functions all take an argument B<TYPE **x> and return |
The diff has been truncated for viewing.
Looks good. Uploaded.