Ubuntu
openssl package

Merge lp:~sbeattie/ubuntu/oneiric/openssl/lp850608 into lp:ubuntu/oneiric/openssl

  1. Oneiric (11.10)
  2. lp850608
  3. Merge into oneiric
Proposed by Steve Beattie
Status: Merged
Merged at revision: 58
Proposed branch: lp:~sbeattie/ubuntu/oneiric/openssl/lp850608
Merge into: lp:ubuntu/oneiric/openssl
Diff against target: 27465 lines (+20613/-1941)
206 files modified
.pc/Bsymbolic-functions.patch/Configure (+2/-1)
.pc/aesni.patch/Configure (+2/-1)
.pc/aesni.patch/util/libeay.num (+5/-0)
.pc/applied-patches (+12/-0)
.pc/block_diginotar.patch/crypto/x509/x509_vfy.c (+2219/-0)
.pc/c_rehash-multi.patch/tools/c_rehash.in (+192/-0)
.pc/config-hurd.patch/config (+4/-0)
.pc/dgst_hmac.patch/apps/dgst.c (+632/-0)
.pc/dgst_hmac.patch/doc/apps/dgst.pod (+162/-0)
.pc/engines-path.patch/Configure (+2/-1)
.pc/gnu_source.patch/crypto/dso/dso_dlfcn.c (+1/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod (+265/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod (+115/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod (+67/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod (+511/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod (+61/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod (+303/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod (+476/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_client_CA_list.pod (+94/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_verify.pod (+294/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+102/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_accept.pod (+76/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_connect.pod (+73/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_do_handshake.pod (+75/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_shutdown.pod (+125/-0)
.pc/libssl-misspell.patch/crypto/asn1/asn1_err.c (+329/-0)
.pc/openssl-pod-misspell.patch/apps/ca.c (+2985/-0)
.pc/openssl-pod-misspell.patch/apps/ecparam.c (+731/-0)
.pc/openssl-pod-misspell.patch/crypto/evp/encode.c (+445/-0)
.pc/openssl-pod-misspell.patch/doc/apps/config.pod (+279/-0)
.pc/openssl-pod-misspell.patch/doc/apps/genpkey.pod (+213/-0)
.pc/openssl-pod-misspell.patch/doc/apps/openssl.pod (+422/-0)
.pc/openssl-pod-misspell.patch/doc/apps/req.pod (+678/-0)
.pc/openssl-pod-misspell.patch/doc/apps/ts.pod (+594/-0)
.pc/openssl-pod-misspell.patch/doc/apps/tsget.pod (+194/-0)
.pc/openssl-pod-misspell.patch/doc/apps/x509v3_config.pod (+529/-0)
.pc/pic.patch/crypto/perlasm/cbc.pl (+0/-2)
.pc/pkcs12-doc.patch/doc/apps/pkcs12.pod (+363/-0)
.pc/pod_ec.misspell.patch/doc/apps/ec.pod (+190/-0)
.pc/pod_pksc12.misspell.patch/doc/apps/pkcs12.pod (+363/-0)
.pc/pod_req_misspell2.patch/doc/apps/req.pod (+678/-0)
.pc/pod_s_server.misspell.patch/doc/apps/s_server.pod (+355/-0)
.pc/pod_x509setflags.misspell.patch/doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+171/-0)
.pc/shared-lib-ext.patch/Configure (+2/-1)
.pc/version-script.patch/Configure (+2/-1)
CHANGES (+42/-1)
Configure (+2/-1)
FAQ (+1/-1)
INSTALL.VMS (+24/-30)
Makefile (+1/-1)
Makefile.bak (+640/-0)
NEWS (+8/-0)
README (+1/-1)
VMS/install-vms.com (+67/-0)
VMS/install.com (+0/-79)
VMS/mkshared.com (+163/-99)
VMS/openssl_startup.com (+108/-0)
VMS/openssl_undo.com (+20/-0)
apps/CA.com (+58/-42)
apps/apps.c (+6/-0)
apps/asn1pars.c (+1/-0)
apps/ca.c (+1/-1)
apps/dgst.c (+2/-0)
apps/ecparam.c (+2/-2)
apps/enc.c (+4/-0)
apps/install-apps.com (+107/-0)
apps/install.com (+0/-65)
apps/makeapps.com (+231/-118)
apps/openssl.c (+62/-2)
apps/pkcs12.c (+1/-1)
apps/speed.c (+2/-0)
apps/vms_decc_init.c (+188/-0)
config (+4/-0)
crypto/LPdir_vms.c (+28/-21)
crypto/alphacpuid.pl (+3/-5)
crypto/asn1/a_object.c (+2/-2)
crypto/asn1/asn1_err.c (+1/-1)
crypto/asn1/bio_ndef.c (+0/-3)
crypto/asn1/x_name.c (+5/-2)
crypto/bio/b_sock.c (+28/-1)
crypto/bio/bss_dgram.c (+12/-6)
crypto/bio/bss_log.c (+29/-3)
crypto/bn/asm/alpha-mont.pl (+1/-1)
crypto/bn/asm/s390x-mont.pl (+2/-2)
crypto/bn/bn.h (+18/-0)
crypto/bn/bn_gf2m.c (+1/-0)
crypto/bn/bn_mont.c (+1/-1)
crypto/bn/bn_nist.c (+36/-28)
crypto/conf/conf_api.c (+1/-0)
crypto/cryptlib.c (+0/-1)
crypto/crypto-lib.com (+241/-129)
crypto/dsa/dsa_pmeth.c (+1/-0)
crypto/dso/dso_dlfcn.c (+1/-0)
crypto/dso/dso_vms.c (+103/-82)
crypto/ecdsa/ecdsatest.c (+2/-3)
crypto/ecdsa/ecs_ossl.c (+8/-0)
crypto/evp/encode.c (+1/-1)
crypto/evp/evp_test.c (+1/-0)
crypto/hmac/hm_pmeth.c (+2/-0)
crypto/install-crypto.com (+196/-0)
crypto/install.com (+0/-150)
crypto/o_time.c (+14/-8)
crypto/ocsp/ocsp_lib.c (+4/-4)
crypto/opensslv.h (+3/-3)
crypto/perlasm/cbc.pl (+0/-2)
crypto/rand/rand_vms.c (+14/-2)
crypto/rand/randfile.c (+2/-0)
crypto/rsa/rsa_oaep.c (+13/-7)
crypto/stack/safestack.h (+25/-25)
crypto/vms_rms.h (+51/-0)
crypto/x509/x509_vfy.c (+31/-0)
debian/changelog (+77/-0)
debian/libssl1.0.0.postinst (+5/-1)
debian/patches/Bsymbolic-functions.patch (+7/-3)
debian/patches/aesni.patch (+29/-14)
debian/patches/block_diginotar.patch (+64/-0)
debian/patches/c_rehash-multi.patch (+86/-0)
debian/patches/debian-targets.patch (+3/-2)
debian/patches/dgst_hmac.patch (+51/-0)
debian/patches/libdoc-manpgs-pod-spell.patch (+236/-0)
debian/patches/libssl-misspell.patch (+11/-0)
debian/patches/openssl-pod-misspell.patch (+137/-0)
debian/patches/pkcs12-doc.patch (+36/-0)
debian/patches/pod_ec.misspell.patch (+11/-0)
debian/patches/pod_pksc12.misspell.patch (+11/-0)
debian/patches/pod_req_misspell2.patch (+12/-0)
debian/patches/pod_s_server.misspell.patch (+11/-0)
debian/patches/pod_x509setflags.misspell.patch (+11/-0)
debian/patches/rehash_pod.patch (+2/-2)
debian/patches/series (+12/-0)
debian/patches/version-script.patch (+22/-4)
debian/rules (+3/-1)
doc/apps/c_rehash.pod (+2/-2)
doc/apps/config.pod (+1/-1)
doc/apps/dgst.pod (+10/-0)
doc/apps/ec.pod (+1/-1)
doc/apps/genpkey.pod (+2/-0)
doc/apps/openssl.pod (+2/-2)
doc/apps/pkcs12.pod (+7/-2)
doc/apps/req.pod (+2/-2)
doc/apps/s_server.pod (+1/-1)
doc/apps/ts.pod (+2/-2)
doc/apps/tsget.pod (+1/-1)
doc/apps/x509v3_config.pod (+1/-1)
doc/crypto/ASN1_generate_nconf.pod (+1/-1)
doc/crypto/BN_BLINDING_new.pod (+1/-1)
doc/crypto/EVP_BytesToKey.pod (+1/-1)
doc/crypto/EVP_EncryptInit.pod (+1/-1)
doc/crypto/EVP_PKEY_cmp.pod (+1/-1)
doc/crypto/X509_STORE_CTX_get_error.pod (+2/-0)
doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+1/-1)
doc/crypto/pem.pod (+1/-1)
doc/ssl/SSL_CTX_set_client_CA_list.pod (+4/-0)
doc/ssl/SSL_CTX_set_verify.pod (+2/-2)
doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+8/-0)
doc/ssl/SSL_accept.pod (+8/-0)
doc/ssl/SSL_connect.pod (+11/-11)
doc/ssl/SSL_do_handshake.pod (+8/-0)
doc/ssl/SSL_shutdown.pod (+8/-0)
doc/ssl/ssl.pod (+1/-1)
engines/ccgost/gost_crypt.c (+2/-1)
engines/ccgost/openssl.ld (+10/-0)
engines/e_capi_err.h (+4/-0)
engines/makeengines.com (+215/-111)
engines/openssl.ld (+3/-0)
install.com (+127/-92)
makevms.com (+274/-152)
ms/uplink.c (+2/-1)
openssl.spec (+1/-1)
ssl/bio_ssl.c (+4/-0)
ssl/d1_both.c (+10/-18)
ssl/d1_clnt.c (+4/-2)
ssl/d1_lib.c (+57/-8)
ssl/d1_pkt.c (+11/-9)
ssl/d1_srvr.c (+19/-7)
ssl/install-ssl.com (+136/-0)
ssl/install.com (+0/-90)
ssl/s3_clnt.c (+2/-0)
ssl/s3_lib.c (+6/-0)
ssl/s3_pkt.c (+4/-2)
ssl/s3_srvr.c (+16/-7)
ssl/ssl-lib.com (+213/-115)
ssl/ssl_lib.c (+13/-19)
test/bntest.com (+7/-0)
test/clean_test.com (+35/-0)
test/cms-test.pl (+2/-2)
test/maketests.com (+210/-111)
test/tcrl.com (+10/-7)
test/testca.com (+5/-3)
test/testenc.com (+8/-5)
test/testgen.com (+13/-9)
test/tests.com (+65/-38)
test/testss.com (+10/-7)
test/testssl.com (+12/-8)
test/testtsa.com (+38/-35)
test/tpkcs7.com (+10/-7)
test/tpkcs7d.com (+10/-7)
test/treq.com (+10/-7)
test/trsa.com (+8/-5)
test/tsid.com (+10/-7)
test/tverify.com (+6/-4)
test/tx509.com (+10/-7)
tools/c_rehash.in (+44/-28)
util/libeay.num (+6/-1)
util/mkdef.pl (+2/-0)
util/mkerr.pl (+1/-1)
To merge this branch: bzr merge lp:~sbeattie/ubuntu/oneiric/openssl/lp850608
Reviewer Review Type Date Requested Status
Marc Deslauriers Approve
Ubuntu branches Pending
Review via email: mp+75477@code.launchpad.net

Description of the change

This branch merges openssl-1.0.0e-2 from Debian unstable to fix security issues. Both the debian changes from 1.0.0d-2 and the upstream release 1.0.0e are bugfix only releases. This merge also includes an added fix for LP: #244250 (reduce spurious reboot warnings on desktop installs) by checking for a running X server to determine whether or not to issue the reboot notification.

To post a comment you must log in.
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Looks good. Uploaded.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file '.pc/Bsymbolic-functions.patch/Configure'
--- .pc/Bsymbolic-functions.patch/Configure 2011-05-01 23:51:53 +0000
+++ .pc/Bsymbolic-functions.patch/Configure 2011-09-15 05:17:15 +0000
@@ -362,6 +362,7 @@
362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",366"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
366"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",367"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
367"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",368"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -370,7 +371,7 @@
370"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",371"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
371"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",372"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
372"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",373"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
373"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",374"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
374375
375####376####
376#### Variety of LINUX:-)377#### Variety of LINUX:-)
377378
=== modified file '.pc/aesni.patch/Configure'
--- .pc/aesni.patch/Configure 2011-05-01 23:51:53 +0000
+++ .pc/aesni.patch/Configure 2011-09-15 05:17:15 +0000
@@ -362,6 +362,7 @@
362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",366"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
366"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",367"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
367"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",368"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -370,7 +371,7 @@
370"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",371"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
371"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",372"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
372"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",373"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
373"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",374"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
374375
375####376####
376#### Variety of LINUX:-)377#### Variety of LINUX:-)
377378
=== modified file '.pc/aesni.patch/util/libeay.num'
--- .pc/aesni.patch/util/libeay.num 2011-05-01 23:51:53 +0000
+++ .pc/aesni.patch/util/libeay.num 2011-09-15 05:17:15 +0000
@@ -4189,3 +4189,8 @@
4189CRYPTO_cbc128_decrypt 4561 EXIST::FUNCTION:4189CRYPTO_cbc128_decrypt 4561 EXIST::FUNCTION:
4190CRYPTO_cfb128_encrypt 4562 EXIST::FUNCTION:4190CRYPTO_cfb128_encrypt 4562 EXIST::FUNCTION:
4191CRYPTO_cfb128_8_encrypt 4563 EXIST::FUNCTION:4191CRYPTO_cfb128_8_encrypt 4563 EXIST::FUNCTION:
4192OPENSSL_strcasecmp 4564 EXIST::FUNCTION:
4193OPENSSL_memcmp 4565 EXIST::FUNCTION:
4194OPENSSL_strncasecmp 4566 EXIST::FUNCTION:
4195OPENSSL_gmtime 4567 EXIST::FUNCTION:
4196OPENSSL_gmtime_adj 4568 EXIST::FUNCTION:
41924197
=== modified file '.pc/applied-patches'
--- .pc/applied-patches 2011-05-01 23:51:53 +0000
+++ .pc/applied-patches 2011-09-15 05:17:15 +0000
@@ -18,6 +18,18 @@
18version-script.patch18version-script.patch
19gnu_source.patch19gnu_source.patch
20c_rehash-compat.patch20c_rehash-compat.patch
21libdoc-manpgs-pod-spell.patch
22libssl-misspell.patch
23openssl-pod-misspell.patch
24pod_req_misspell2.patch
25pod_pksc12.misspell.patch
26pod_s_server.misspell.patch
27pod_x509setflags.misspell.patch
28pod_ec.misspell.patch
29pkcs12-doc.patch
30dgst_hmac.patch
31block_diginotar.patch
32c_rehash-multi.patch
21aesni.patch33aesni.patch
22perlpath-quilt.patch34perlpath-quilt.patch
23Bsymbolic-functions.patch35Bsymbolic-functions.patch
2436
=== added directory '.pc/block_diginotar.patch'
=== added directory '.pc/block_diginotar.patch/crypto'
=== added directory '.pc/block_diginotar.patch/crypto/x509'
=== added file '.pc/block_diginotar.patch/crypto/x509/x509_vfy.c'
--- .pc/block_diginotar.patch/crypto/x509/x509_vfy.c 1970-01-01 00:00:00 +0000
+++ .pc/block_diginotar.patch/crypto/x509/x509_vfy.c 2011-09-15 05:17:15 +0000
@@ -0,0 +1,2219 @@
1/* crypto/x509/x509_vfy.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/crypto.h>
65#include <openssl/lhash.h>
66#include <openssl/buffer.h>
67#include <openssl/evp.h>
68#include <openssl/asn1.h>
69#include <openssl/x509.h>
70#include <openssl/x509v3.h>
71#include <openssl/objects.h>
72
73/* CRL score values */
74
75/* No unhandled critical extensions */
76
77#define CRL_SCORE_NOCRITICAL 0x100
78
79/* certificate is within CRL scope */
80
81#define CRL_SCORE_SCOPE 0x080
82
83/* CRL times valid */
84
85#define CRL_SCORE_TIME 0x040
86
87/* Issuer name matches certificate */
88
89#define CRL_SCORE_ISSUER_NAME 0x020
90
91/* If this score or above CRL is probably valid */
92
93#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
94
95/* CRL issuer is certificate issuer */
96
97#define CRL_SCORE_ISSUER_CERT 0x018
98
99/* CRL issuer is on certificate path */
100
101#define CRL_SCORE_SAME_PATH 0x008
102
103/* CRL issuer matches CRL AKID */
104
105#define CRL_SCORE_AKID 0x004
106
107/* Have a delta CRL with valid times */
108
109#define CRL_SCORE_TIME_DELTA 0x002
110
111static int null_callback(int ok,X509_STORE_CTX *e);
112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
114static int check_chain_extensions(X509_STORE_CTX *ctx);
115static int check_name_constraints(X509_STORE_CTX *ctx);
116static int check_trust(X509_STORE_CTX *ctx);
117static int check_revocation(X509_STORE_CTX *ctx);
118static int check_cert(X509_STORE_CTX *ctx);
119static int check_policy(X509_STORE_CTX *ctx);
120
121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
122 unsigned int *preasons,
123 X509_CRL *crl, X509 *x);
124static int get_crl_delta(X509_STORE_CTX *ctx,
125 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
126static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
127 X509_CRL *base, STACK_OF(X509_CRL) *crls);
128static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
129 X509 **pissuer, int *pcrl_score);
130static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
131 unsigned int *preasons);
132static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
133static int check_crl_chain(X509_STORE_CTX *ctx,
134 STACK_OF(X509) *cert_path,
135 STACK_OF(X509) *crl_path);
136
137static int internal_verify(X509_STORE_CTX *ctx);
138const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139
140
141static int null_callback(int ok, X509_STORE_CTX *e)
142 {
143 return ok;
144 }
145
146#if 0
147static int x509_subject_cmp(X509 **a, X509 **b)
148 {
149 return X509_subject_name_cmp(*a,*b);
150 }
151#endif
152
153int X509_verify_cert(X509_STORE_CTX *ctx)
154 {
155 X509 *x,*xtmp,*chain_ss=NULL;
156 X509_NAME *xn;
157 int bad_chain = 0;
158 X509_VERIFY_PARAM *param = ctx->param;
159 int depth,i,ok=0;
160 int num;
161 int (*cb)(int xok,X509_STORE_CTX *xctx);
162 STACK_OF(X509) *sktmp=NULL;
163 if (ctx->cert == NULL)
164 {
165 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
166 return -1;
167 }
168
169 cb=ctx->verify_cb;
170
171 /* first we make sure the chain we are going to build is
172 * present and that the first entry is in place */
173 if (ctx->chain == NULL)
174 {
175 if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
176 (!sk_X509_push(ctx->chain,ctx->cert)))
177 {
178 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
179 goto end;
180 }
181 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
182 ctx->last_untrusted=1;
183 }
184
185 /* We use a temporary STACK so we can chop and hack at it */
186 if (ctx->untrusted != NULL
187 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
188 {
189 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
190 goto end;
191 }
192
193 num=sk_X509_num(ctx->chain);
194 x=sk_X509_value(ctx->chain,num-1);
195 depth=param->depth;
196
197
198 for (;;)
199 {
200 /* If we have enough, we break */
201 if (depth < num) break; /* FIXME: If this happens, we should take
202 * note of it and, if appropriate, use the
203 * X509_V_ERR_CERT_CHAIN_TOO_LONG error
204 * code later.
205 */
206
207 /* If we are self signed, we break */
208 xn=X509_get_issuer_name(x);
209 if (ctx->check_issued(ctx, x,x)) break;
210
211 /* If we were passed a cert chain, use it first */
212 if (ctx->untrusted != NULL)
213 {
214 xtmp=find_issuer(ctx, sktmp,x);
215 if (xtmp != NULL)
216 {
217 if (!sk_X509_push(ctx->chain,xtmp))
218 {
219 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
220 goto end;
221 }
222 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
223 (void)sk_X509_delete_ptr(sktmp,xtmp);
224 ctx->last_untrusted++;
225 x=xtmp;
226 num++;
227 /* reparse the full chain for
228 * the next one */
229 continue;
230 }
231 }
232 break;
233 }
234
235 /* at this point, chain should contain a list of untrusted
236 * certificates. We now need to add at least one trusted one,
237 * if possible, otherwise we complain. */
238
239 /* Examine last certificate in chain and see if it
240 * is self signed.
241 */
242
243 i=sk_X509_num(ctx->chain);
244 x=sk_X509_value(ctx->chain,i-1);
245 xn = X509_get_subject_name(x);
246 if (ctx->check_issued(ctx, x, x))
247 {
248 /* we have a self signed certificate */
249 if (sk_X509_num(ctx->chain) == 1)
250 {
251 /* We have a single self signed certificate: see if
252 * we can find it in the store. We must have an exact
253 * match to avoid possible impersonation.
254 */
255 ok = ctx->get_issuer(&xtmp, ctx, x);
256 if ((ok <= 0) || X509_cmp(x, xtmp))
257 {
258 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
259 ctx->current_cert=x;
260 ctx->error_depth=i-1;
261 if (ok == 1) X509_free(xtmp);
262 bad_chain = 1;
263 ok=cb(0,ctx);
264 if (!ok) goto end;
265 }
266 else
267 {
268 /* We have a match: replace certificate with store version
269 * so we get any trust settings.
270 */
271 X509_free(x);
272 x = xtmp;
273 (void)sk_X509_set(ctx->chain, i - 1, x);
274 ctx->last_untrusted=0;
275 }
276 }
277 else
278 {
279 /* extract and save self signed certificate for later use */
280 chain_ss=sk_X509_pop(ctx->chain);
281 ctx->last_untrusted--;
282 num--;
283 x=sk_X509_value(ctx->chain,num-1);
284 }
285 }
286
287 /* We now lookup certs from the certificate store */
288 for (;;)
289 {
290 /* If we have enough, we break */
291 if (depth < num) break;
292
293 /* If we are self signed, we break */
294 xn=X509_get_issuer_name(x);
295 if (ctx->check_issued(ctx,x,x)) break;
296
297 ok = ctx->get_issuer(&xtmp, ctx, x);
298
299 if (ok < 0) return ok;
300 if (ok == 0) break;
301
302 x = xtmp;
303 if (!sk_X509_push(ctx->chain,x))
304 {
305 X509_free(xtmp);
306 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
307 return 0;
308 }
309 num++;
310 }
311
312 /* we now have our chain, lets check it... */
313 xn=X509_get_issuer_name(x);
314
315 /* Is last certificate looked up self signed? */
316 if (!ctx->check_issued(ctx,x,x))
317 {
318 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
319 {
320 if (ctx->last_untrusted >= num)
321 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
322 else
323 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
324 ctx->current_cert=x;
325 }
326 else
327 {
328
329 sk_X509_push(ctx->chain,chain_ss);
330 num++;
331 ctx->last_untrusted=num;
332 ctx->current_cert=chain_ss;
333 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
334 chain_ss=NULL;
335 }
336
337 ctx->error_depth=num-1;
338 bad_chain = 1;
339 ok=cb(0,ctx);
340 if (!ok) goto end;
341 }
342
343 /* We have the chain complete: now we need to check its purpose */
344 ok = check_chain_extensions(ctx);
345
346 if (!ok) goto end;
347
348 /* Check name constraints */
349
350 ok = check_name_constraints(ctx);
351
352 if (!ok) goto end;
353
354 /* The chain extensions are OK: check trust */
355
356 if (param->trust > 0) ok = check_trust(ctx);
357
358 if (!ok) goto end;
359
360 /* We may as well copy down any DSA parameters that are required */
361 X509_get_pubkey_parameters(NULL,ctx->chain);
362
363 /* Check revocation status: we do this after copying parameters
364 * because they may be needed for CRL signature verification.
365 */
366
367 ok = ctx->check_revocation(ctx);
368 if(!ok) goto end;
369
370 /* At this point, we have a chain and need to verify it */
371 if (ctx->verify != NULL)
372 ok=ctx->verify(ctx);
373 else
374 ok=internal_verify(ctx);
375 if(!ok) goto end;
376
377#ifndef OPENSSL_NO_RFC3779
378 /* RFC 3779 path validation, now that CRL check has been done */
379 ok = v3_asid_validate_path(ctx);
380 if (!ok) goto end;
381 ok = v3_addr_validate_path(ctx);
382 if (!ok) goto end;
383#endif
384
385 /* If we get this far evaluate policies */
386 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
387 ok = ctx->check_policy(ctx);
388 if(!ok) goto end;
389 if (0)
390 {
391end:
392 X509_get_pubkey_parameters(NULL,ctx->chain);
393 }
394 if (sktmp != NULL) sk_X509_free(sktmp);
395 if (chain_ss != NULL) X509_free(chain_ss);
396 return ok;
397 }
398
399
400/* Given a STACK_OF(X509) find the issuer of cert (if any)
401 */
402
403static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
404{
405 int i;
406 X509 *issuer;
407 for (i = 0; i < sk_X509_num(sk); i++)
408 {
409 issuer = sk_X509_value(sk, i);
410 if (ctx->check_issued(ctx, x, issuer))
411 return issuer;
412 }
413 return NULL;
414}
415
416/* Given a possible certificate and issuer check them */
417
418static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
419{
420 int ret;
421 ret = X509_check_issued(issuer, x);
422 if (ret == X509_V_OK)
423 return 1;
424 /* If we haven't asked for issuer errors don't set ctx */
425 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
426 return 0;
427
428 ctx->error = ret;
429 ctx->current_cert = x;
430 ctx->current_issuer = issuer;
431 return ctx->verify_cb(0, ctx);
432 return 0;
433}
434
435/* Alternative lookup method: look from a STACK stored in other_ctx */
436
437static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
438{
439 *issuer = find_issuer(ctx, ctx->other_ctx, x);
440 if (*issuer)
441 {
442 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
443 return 1;
444 }
445 else
446 return 0;
447}
448
449
450/* Check a certificate chains extensions for consistency
451 * with the supplied purpose
452 */
453
454static int check_chain_extensions(X509_STORE_CTX *ctx)
455{
456#ifdef OPENSSL_NO_CHAIN_VERIFY
457 return 1;
458#else
459 int i, ok=0, must_be_ca, plen = 0;
460 X509 *x;
461 int (*cb)(int xok,X509_STORE_CTX *xctx);
462 int proxy_path_length = 0;
463 int purpose;
464 int allow_proxy_certs;
465 cb=ctx->verify_cb;
466
467 /* must_be_ca can have 1 of 3 values:
468 -1: we accept both CA and non-CA certificates, to allow direct
469 use of self-signed certificates (which are marked as CA).
470 0: we only accept non-CA certificates. This is currently not
471 used, but the possibility is present for future extensions.
472 1: we only accept CA certificates. This is currently used for
473 all certificates in the chain except the leaf certificate.
474 */
475 must_be_ca = -1;
476
477 /* CRL path validation */
478 if (ctx->parent)
479 {
480 allow_proxy_certs = 0;
481 purpose = X509_PURPOSE_CRL_SIGN;
482 }
483 else
484 {
485 allow_proxy_certs =
486 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
487 /* A hack to keep people who don't want to modify their
488 software happy */
489 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
490 allow_proxy_certs = 1;
491 purpose = ctx->param->purpose;
492 }
493
494 /* Check all untrusted certificates */
495 for (i = 0; i < ctx->last_untrusted; i++)
496 {
497 int ret;
498 x = sk_X509_value(ctx->chain, i);
499 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
500 && (x->ex_flags & EXFLAG_CRITICAL))
501 {
502 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
503 ctx->error_depth = i;
504 ctx->current_cert = x;
505 ok=cb(0,ctx);
506 if (!ok) goto end;
507 }
508 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
509 {
510 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
511 ctx->error_depth = i;
512 ctx->current_cert = x;
513 ok=cb(0,ctx);
514 if (!ok) goto end;
515 }
516 ret = X509_check_ca(x);
517 switch(must_be_ca)
518 {
519 case -1:
520 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
521 && (ret != 1) && (ret != 0))
522 {
523 ret = 0;
524 ctx->error = X509_V_ERR_INVALID_CA;
525 }
526 else
527 ret = 1;
528 break;
529 case 0:
530 if (ret != 0)
531 {
532 ret = 0;
533 ctx->error = X509_V_ERR_INVALID_NON_CA;
534 }
535 else
536 ret = 1;
537 break;
538 default:
539 if ((ret == 0)
540 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
541 && (ret != 1)))
542 {
543 ret = 0;
544 ctx->error = X509_V_ERR_INVALID_CA;
545 }
546 else
547 ret = 1;
548 break;
549 }
550 if (ret == 0)
551 {
552 ctx->error_depth = i;
553 ctx->current_cert = x;
554 ok=cb(0,ctx);
555 if (!ok) goto end;
556 }
557 if (ctx->param->purpose > 0)
558 {
559 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
560 if ((ret == 0)
561 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
562 && (ret != 1)))
563 {
564 ctx->error = X509_V_ERR_INVALID_PURPOSE;
565 ctx->error_depth = i;
566 ctx->current_cert = x;
567 ok=cb(0,ctx);
568 if (!ok) goto end;
569 }
570 }
571 /* Check pathlen if not self issued */
572 if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
573 && (x->ex_pathlen != -1)
574 && (plen > (x->ex_pathlen + proxy_path_length + 1)))
575 {
576 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
577 ctx->error_depth = i;
578 ctx->current_cert = x;
579 ok=cb(0,ctx);
580 if (!ok) goto end;
581 }
582 /* Increment path length if not self issued */
583 if (!(x->ex_flags & EXFLAG_SI))
584 plen++;
585 /* If this certificate is a proxy certificate, the next
586 certificate must be another proxy certificate or a EE
587 certificate. If not, the next certificate must be a
588 CA certificate. */
589 if (x->ex_flags & EXFLAG_PROXY)
590 {
591 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
592 {
593 ctx->error =
594 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
595 ctx->error_depth = i;
596 ctx->current_cert = x;
597 ok=cb(0,ctx);
598 if (!ok) goto end;
599 }
600 proxy_path_length++;
601 must_be_ca = 0;
602 }
603 else
604 must_be_ca = 1;
605 }
606 ok = 1;
607 end:
608 return ok;
609#endif
610}
611
612static int check_name_constraints(X509_STORE_CTX *ctx)
613 {
614 X509 *x;
615 int i, j, rv;
616 /* Check name constraints for all certificates */
617 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
618 {
619 x = sk_X509_value(ctx->chain, i);
620 /* Ignore self issued certs unless last in chain */
621 if (i && (x->ex_flags & EXFLAG_SI))
622 continue;
623 /* Check against constraints for all certificates higher in
624 * chain including trust anchor. Trust anchor not strictly
625 * speaking needed but if it includes constraints it is to be
626 * assumed it expects them to be obeyed.
627 */
628 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--)
629 {
630 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
631 if (nc)
632 {
633 rv = NAME_CONSTRAINTS_check(x, nc);
634 if (rv != X509_V_OK)
635 {
636 ctx->error = rv;
637 ctx->error_depth = i;
638 ctx->current_cert = x;
639 if (!ctx->verify_cb(0,ctx))
640 return 0;
641 }
642 }
643 }
644 }
645 return 1;
646 }
647
648static int check_trust(X509_STORE_CTX *ctx)
649{
650#ifdef OPENSSL_NO_CHAIN_VERIFY
651 return 1;
652#else
653 int i, ok;
654 X509 *x;
655 int (*cb)(int xok,X509_STORE_CTX *xctx);
656 cb=ctx->verify_cb;
657/* For now just check the last certificate in the chain */
658 i = sk_X509_num(ctx->chain) - 1;
659 x = sk_X509_value(ctx->chain, i);
660 ok = X509_check_trust(x, ctx->param->trust, 0);
661 if (ok == X509_TRUST_TRUSTED)
662 return 1;
663 ctx->error_depth = i;
664 ctx->current_cert = x;
665 if (ok == X509_TRUST_REJECTED)
666 ctx->error = X509_V_ERR_CERT_REJECTED;
667 else
668 ctx->error = X509_V_ERR_CERT_UNTRUSTED;
669 ok = cb(0, ctx);
670 return ok;
671#endif
672}
673
674static int check_revocation(X509_STORE_CTX *ctx)
675 {
676 int i, last, ok;
677 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
678 return 1;
679 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
680 last = sk_X509_num(ctx->chain) - 1;
681 else
682 {
683 /* If checking CRL paths this isn't the EE certificate */
684 if (ctx->parent)
685 return 1;
686 last = 0;
687 }
688 for(i = 0; i <= last; i++)
689 {
690 ctx->error_depth = i;
691 ok = check_cert(ctx);
692 if (!ok) return ok;
693 }
694 return 1;
695 }
696
697static int check_cert(X509_STORE_CTX *ctx)
698 {
699 X509_CRL *crl = NULL, *dcrl = NULL;
700 X509 *x;
701 int ok, cnum;
702 cnum = ctx->error_depth;
703 x = sk_X509_value(ctx->chain, cnum);
704 ctx->current_cert = x;
705 ctx->current_issuer = NULL;
706 ctx->current_crl_score = 0;
707 ctx->current_reasons = 0;
708 while (ctx->current_reasons != CRLDP_ALL_REASONS)
709 {
710 /* Try to retrieve relevant CRL */
711 if (ctx->get_crl)
712 ok = ctx->get_crl(ctx, &crl, x);
713 else
714 ok = get_crl_delta(ctx, &crl, &dcrl, x);
715 /* If error looking up CRL, nothing we can do except
716 * notify callback
717 */
718 if(!ok)
719 {
720 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
721 ok = ctx->verify_cb(0, ctx);
722 goto err;
723 }
724 ctx->current_crl = crl;
725 ok = ctx->check_crl(ctx, crl);
726 if (!ok)
727 goto err;
728
729 if (dcrl)
730 {
731 ok = ctx->check_crl(ctx, dcrl);
732 if (!ok)
733 goto err;
734 ok = ctx->cert_crl(ctx, dcrl, x);
735 if (!ok)
736 goto err;
737 }
738 else
739 ok = 1;
740
741 /* Don't look in full CRL if delta reason is removefromCRL */
742 if (ok != 2)
743 {
744 ok = ctx->cert_crl(ctx, crl, x);
745 if (!ok)
746 goto err;
747 }
748
749 X509_CRL_free(crl);
750 X509_CRL_free(dcrl);
751 crl = NULL;
752 dcrl = NULL;
753 }
754 err:
755 X509_CRL_free(crl);
756 X509_CRL_free(dcrl);
757
758 ctx->current_crl = NULL;
759 return ok;
760
761 }
762
763/* Check CRL times against values in X509_STORE_CTX */
764
765static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
766 {
767 time_t *ptime;
768 int i;
769 if (notify)
770 ctx->current_crl = crl;
771 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
772 ptime = &ctx->param->check_time;
773 else
774 ptime = NULL;
775
776 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
777 if (i == 0)
778 {
779 if (!notify)
780 return 0;
781 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
782 if (!ctx->verify_cb(0, ctx))
783 return 0;
784 }
785
786 if (i > 0)
787 {
788 if (!notify)
789 return 0;
790 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
791 if (!ctx->verify_cb(0, ctx))
792 return 0;
793 }
794
795 if(X509_CRL_get_nextUpdate(crl))
796 {
797 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
798
799 if (i == 0)
800 {
801 if (!notify)
802 return 0;
803 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
804 if (!ctx->verify_cb(0, ctx))
805 return 0;
806 }
807 /* Ignore expiry of base CRL is delta is valid */
808 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
809 {
810 if (!notify)
811 return 0;
812 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
813 if (!ctx->verify_cb(0, ctx))
814 return 0;
815 }
816 }
817
818 if (notify)
819 ctx->current_crl = NULL;
820
821 return 1;
822 }
823
824static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
825 X509 **pissuer, int *pscore, unsigned int *preasons,
826 STACK_OF(X509_CRL) *crls)
827 {
828 int i, crl_score, best_score = *pscore;
829 unsigned int reasons, best_reasons = 0;
830 X509 *x = ctx->current_cert;
831 X509_CRL *crl, *best_crl = NULL;
832 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
833
834 for (i = 0; i < sk_X509_CRL_num(crls); i++)
835 {
836 crl = sk_X509_CRL_value(crls, i);
837 reasons = *preasons;
838 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
839
840 if (crl_score > best_score)
841 {
842 best_crl = crl;
843 best_crl_issuer = crl_issuer;
844 best_score = crl_score;
845 best_reasons = reasons;
846 }
847 }
848
849 if (best_crl)
850 {
851 if (*pcrl)
852 X509_CRL_free(*pcrl);
853 *pcrl = best_crl;
854 *pissuer = best_crl_issuer;
855 *pscore = best_score;
856 *preasons = best_reasons;
857 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
858 if (*pdcrl)
859 {
860 X509_CRL_free(*pdcrl);
861 *pdcrl = NULL;
862 }
863 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
864 }
865
866 if (best_score >= CRL_SCORE_VALID)
867 return 1;
868
869 return 0;
870 }
871
872/* Compare two CRL extensions for delta checking purposes. They should be
873 * both present or both absent. If both present all fields must be identical.
874 */
875
876static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
877 {
878 ASN1_OCTET_STRING *exta, *extb;
879 int i;
880 i = X509_CRL_get_ext_by_NID(a, nid, 0);
881 if (i >= 0)
882 {
883 /* Can't have multiple occurrences */
884 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
885 return 0;
886 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
887 }
888 else
889 exta = NULL;
890
891 i = X509_CRL_get_ext_by_NID(b, nid, 0);
892
893 if (i >= 0)
894 {
895
896 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
897 return 0;
898 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
899 }
900 else
901 extb = NULL;
902
903 if (!exta && !extb)
904 return 1;
905
906 if (!exta || !extb)
907 return 0;
908
909
910 if (ASN1_OCTET_STRING_cmp(exta, extb))
911 return 0;
912
913 return 1;
914 }
915
916/* See if a base and delta are compatible */
917
918static int check_delta_base(X509_CRL *delta, X509_CRL *base)
919 {
920 /* Delta CRL must be a delta */
921 if (!delta->base_crl_number)
922 return 0;
923 /* Base must have a CRL number */
924 if (!base->crl_number)
925 return 0;
926 /* Issuer names must match */
927 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
928 X509_CRL_get_issuer(delta)))
929 return 0;
930 /* AKID and IDP must match */
931 if (!crl_extension_match(delta, base, NID_authority_key_identifier))
932 return 0;
933 if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
934 return 0;
935 /* Delta CRL base number must not exceed Full CRL number. */
936 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
937 return 0;
938 /* Delta CRL number must exceed full CRL number */
939 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
940 return 1;
941 return 0;
942 }
943
944/* For a given base CRL find a delta... maybe extend to delta scoring
945 * or retrieve a chain of deltas...
946 */
947
948static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
949 X509_CRL *base, STACK_OF(X509_CRL) *crls)
950 {
951 X509_CRL *delta;
952 int i;
953 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
954 return;
955 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
956 return;
957 for (i = 0; i < sk_X509_CRL_num(crls); i++)
958 {
959 delta = sk_X509_CRL_value(crls, i);
960 if (check_delta_base(delta, base))
961 {
962 if (check_crl_time(ctx, delta, 0))
963 *pscore |= CRL_SCORE_TIME_DELTA;
964 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
965 *dcrl = delta;
966 return;
967 }
968 }
969 *dcrl = NULL;
970 }
971
972/* For a given CRL return how suitable it is for the supplied certificate 'x'.
973 * The return value is a mask of several criteria.
974 * If the issuer is not the certificate issuer this is returned in *pissuer.
975 * The reasons mask is also used to determine if the CRL is suitable: if
976 * no new reasons the CRL is rejected, otherwise reasons is updated.
977 */
978
979static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
980 unsigned int *preasons,
981 X509_CRL *crl, X509 *x)
982 {
983
984 int crl_score = 0;
985 unsigned int tmp_reasons = *preasons, crl_reasons;
986
987 /* First see if we can reject CRL straight away */
988
989 /* Invalid IDP cannot be processed */
990 if (crl->idp_flags & IDP_INVALID)
991 return 0;
992 /* Reason codes or indirect CRLs need extended CRL support */
993 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
994 {
995 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
996 return 0;
997 }
998 else if (crl->idp_flags & IDP_REASONS)
999 {
1000 /* If no new reasons reject */
1001 if (!(crl->idp_reasons & ~tmp_reasons))
1002 return 0;
1003 }
1004 /* Don't process deltas at this stage */
1005 else if (crl->base_crl_number)
1006 return 0;
1007 /* If issuer name doesn't match certificate need indirect CRL */
1008 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
1009 {
1010 if (!(crl->idp_flags & IDP_INDIRECT))
1011 return 0;
1012 }
1013 else
1014 crl_score |= CRL_SCORE_ISSUER_NAME;
1015
1016 if (!(crl->flags & EXFLAG_CRITICAL))
1017 crl_score |= CRL_SCORE_NOCRITICAL;
1018
1019 /* Check expiry */
1020 if (check_crl_time(ctx, crl, 0))
1021 crl_score |= CRL_SCORE_TIME;
1022
1023 /* Check authority key ID and locate certificate issuer */
1024 crl_akid_check(ctx, crl, pissuer, &crl_score);
1025
1026 /* If we can't locate certificate issuer at this point forget it */
1027
1028 if (!(crl_score & CRL_SCORE_AKID))
1029 return 0;
1030
1031 /* Check cert for matching CRL distribution points */
1032
1033 if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
1034 {
1035 /* If no new reasons reject */
1036 if (!(crl_reasons & ~tmp_reasons))
1037 return 0;
1038 tmp_reasons |= crl_reasons;
1039 crl_score |= CRL_SCORE_SCOPE;
1040 }
1041
1042 *preasons = tmp_reasons;
1043
1044 return crl_score;
1045
1046 }
1047
1048static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1049 X509 **pissuer, int *pcrl_score)
1050 {
1051 X509 *crl_issuer = NULL;
1052 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1053 int cidx = ctx->error_depth;
1054 int i;
1055
1056 if (cidx != sk_X509_num(ctx->chain) - 1)
1057 cidx++;
1058
1059 crl_issuer = sk_X509_value(ctx->chain, cidx);
1060
1061 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1062 {
1063 if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
1064 {
1065 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1066 *pissuer = crl_issuer;
1067 return;
1068 }
1069 }
1070
1071 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
1072 {
1073 crl_issuer = sk_X509_value(ctx->chain, cidx);
1074 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1075 continue;
1076 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1077 {
1078 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1079 *pissuer = crl_issuer;
1080 return;
1081 }
1082 }
1083
1084 /* Anything else needs extended CRL support */
1085
1086 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1087 return;
1088
1089 /* Otherwise the CRL issuer is not on the path. Look for it in the
1090 * set of untrusted certificates.
1091 */
1092 for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
1093 {
1094 crl_issuer = sk_X509_value(ctx->untrusted, i);
1095 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1096 continue;
1097 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1098 {
1099 *pissuer = crl_issuer;
1100 *pcrl_score |= CRL_SCORE_AKID;
1101 return;
1102 }
1103 }
1104 }
1105
1106/* Check the path of a CRL issuer certificate. This creates a new
1107 * X509_STORE_CTX and populates it with most of the parameters from the
1108 * parent. This could be optimised somewhat since a lot of path checking
1109 * will be duplicated by the parent, but this will rarely be used in
1110 * practice.
1111 */
1112
1113static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1114 {
1115 X509_STORE_CTX crl_ctx;
1116 int ret;
1117 /* Don't allow recursive CRL path validation */
1118 if (ctx->parent)
1119 return 0;
1120 if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1121 return -1;
1122
1123 crl_ctx.crls = ctx->crls;
1124 /* Copy verify params across */
1125 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1126
1127 crl_ctx.parent = ctx;
1128 crl_ctx.verify_cb = ctx->verify_cb;
1129
1130 /* Verify CRL issuer */
1131 ret = X509_verify_cert(&crl_ctx);
1132
1133 if (ret <= 0)
1134 goto err;
1135
1136 /* Check chain is acceptable */
1137
1138 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1139 err:
1140 X509_STORE_CTX_cleanup(&crl_ctx);
1141 return ret;
1142 }
1143
1144/* RFC3280 says nothing about the relationship between CRL path
1145 * and certificate path, which could lead to situations where a
1146 * certificate could be revoked or validated by a CA not authorised
1147 * to do so. RFC5280 is more strict and states that the two paths must
1148 * end in the same trust anchor, though some discussions remain...
1149 * until this is resolved we use the RFC5280 version
1150 */
1151
1152static int check_crl_chain(X509_STORE_CTX *ctx,
1153 STACK_OF(X509) *cert_path,
1154 STACK_OF(X509) *crl_path)
1155 {
1156 X509 *cert_ta, *crl_ta;
1157 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1158 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1159 if (!X509_cmp(cert_ta, crl_ta))
1160 return 1;
1161 return 0;
1162 }
1163
1164/* Check for match between two dist point names: three separate cases.
1165 * 1. Both are relative names and compare X509_NAME types.
1166 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
1167 * 3. Both are full names and compare two GENERAL_NAMES.
1168 * 4. One is NULL: automatic match.
1169 */
1170
1171
1172static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1173 {
1174 X509_NAME *nm = NULL;
1175 GENERAL_NAMES *gens = NULL;
1176 GENERAL_NAME *gena, *genb;
1177 int i, j;
1178 if (!a || !b)
1179 return 1;
1180 if (a->type == 1)
1181 {
1182 if (!a->dpname)
1183 return 0;
1184 /* Case 1: two X509_NAME */
1185 if (b->type == 1)
1186 {
1187 if (!b->dpname)
1188 return 0;
1189 if (!X509_NAME_cmp(a->dpname, b->dpname))
1190 return 1;
1191 else
1192 return 0;
1193 }
1194 /* Case 2: set name and GENERAL_NAMES appropriately */
1195 nm = a->dpname;
1196 gens = b->name.fullname;
1197 }
1198 else if (b->type == 1)
1199 {
1200 if (!b->dpname)
1201 return 0;
1202 /* Case 2: set name and GENERAL_NAMES appropriately */
1203 gens = a->name.fullname;
1204 nm = b->dpname;
1205 }
1206
1207 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1208 if (nm)
1209 {
1210 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
1211 {
1212 gena = sk_GENERAL_NAME_value(gens, i);
1213 if (gena->type != GEN_DIRNAME)
1214 continue;
1215 if (!X509_NAME_cmp(nm, gena->d.directoryName))
1216 return 1;
1217 }
1218 return 0;
1219 }
1220
1221 /* Else case 3: two GENERAL_NAMES */
1222
1223 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++)
1224 {
1225 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1226 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++)
1227 {
1228 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1229 if (!GENERAL_NAME_cmp(gena, genb))
1230 return 1;
1231 }
1232 }
1233
1234 return 0;
1235
1236 }
1237
1238static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1239 {
1240 int i;
1241 X509_NAME *nm = X509_CRL_get_issuer(crl);
1242 /* If no CRLissuer return is successful iff don't need a match */
1243 if (!dp->CRLissuer)
1244 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1245 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
1246 {
1247 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1248 if (gen->type != GEN_DIRNAME)
1249 continue;
1250 if (!X509_NAME_cmp(gen->d.directoryName, nm))
1251 return 1;
1252 }
1253 return 0;
1254 }
1255
1256/* Check CRLDP and IDP */
1257
1258static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1259 unsigned int *preasons)
1260 {
1261 int i;
1262 if (crl->idp_flags & IDP_ONLYATTR)
1263 return 0;
1264 if (x->ex_flags & EXFLAG_CA)
1265 {
1266 if (crl->idp_flags & IDP_ONLYUSER)
1267 return 0;
1268 }
1269 else
1270 {
1271 if (crl->idp_flags & IDP_ONLYCA)
1272 return 0;
1273 }
1274 *preasons = crl->idp_reasons;
1275 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
1276 {
1277 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1278 if (crldp_check_crlissuer(dp, crl, crl_score))
1279 {
1280 if (!crl->idp ||
1281 idp_check_dp(dp->distpoint, crl->idp->distpoint))
1282 {
1283 *preasons &= dp->dp_reasons;
1284 return 1;
1285 }
1286 }
1287 }
1288 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1289 return 1;
1290 return 0;
1291 }
1292
1293/* Retrieve CRL corresponding to current certificate.
1294 * If deltas enabled try to find a delta CRL too
1295 */
1296
1297static int get_crl_delta(X509_STORE_CTX *ctx,
1298 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1299 {
1300 int ok;
1301 X509 *issuer = NULL;
1302 int crl_score = 0;
1303 unsigned int reasons;
1304 X509_CRL *crl = NULL, *dcrl = NULL;
1305 STACK_OF(X509_CRL) *skcrl;
1306 X509_NAME *nm = X509_get_issuer_name(x);
1307 reasons = ctx->current_reasons;
1308 ok = get_crl_sk(ctx, &crl, &dcrl,
1309 &issuer, &crl_score, &reasons, ctx->crls);
1310
1311 if (ok)
1312 goto done;
1313
1314 /* Lookup CRLs from store */
1315
1316 skcrl = ctx->lookup_crls(ctx, nm);
1317
1318 /* If no CRLs found and a near match from get_crl_sk use that */
1319 if (!skcrl && crl)
1320 goto done;
1321
1322 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1323
1324 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1325
1326 done:
1327
1328 /* If we got any kind of CRL use it and return success */
1329 if (crl)
1330 {
1331 ctx->current_issuer = issuer;
1332 ctx->current_crl_score = crl_score;
1333 ctx->current_reasons = reasons;
1334 *pcrl = crl;
1335 *pdcrl = dcrl;
1336 return 1;
1337 }
1338
1339 return 0;
1340 }
1341
1342/* Check CRL validity */
1343static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1344 {
1345 X509 *issuer = NULL;
1346 EVP_PKEY *ikey = NULL;
1347 int ok = 0, chnum, cnum;
1348 cnum = ctx->error_depth;
1349 chnum = sk_X509_num(ctx->chain) - 1;
1350 /* if we have an alternative CRL issuer cert use that */
1351 if (ctx->current_issuer)
1352 issuer = ctx->current_issuer;
1353
1354 /* Else find CRL issuer: if not last certificate then issuer
1355 * is next certificate in chain.
1356 */
1357 else if (cnum < chnum)
1358 issuer = sk_X509_value(ctx->chain, cnum + 1);
1359 else
1360 {
1361 issuer = sk_X509_value(ctx->chain, chnum);
1362 /* If not self signed, can't check signature */
1363 if(!ctx->check_issued(ctx, issuer, issuer))
1364 {
1365 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1366 ok = ctx->verify_cb(0, ctx);
1367 if(!ok) goto err;
1368 }
1369 }
1370
1371 if(issuer)
1372 {
1373 /* Skip most tests for deltas because they have already
1374 * been done
1375 */
1376 if (!crl->base_crl_number)
1377 {
1378 /* Check for cRLSign bit if keyUsage present */
1379 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1380 !(issuer->ex_kusage & KU_CRL_SIGN))
1381 {
1382 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1383 ok = ctx->verify_cb(0, ctx);
1384 if(!ok) goto err;
1385 }
1386
1387 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
1388 {
1389 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1390 ok = ctx->verify_cb(0, ctx);
1391 if(!ok) goto err;
1392 }
1393
1394 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
1395 {
1396 if (check_crl_path(ctx, ctx->current_issuer) <= 0)
1397 {
1398 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1399 ok = ctx->verify_cb(0, ctx);
1400 if(!ok) goto err;
1401 }
1402 }
1403
1404 if (crl->idp_flags & IDP_INVALID)
1405 {
1406 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1407 ok = ctx->verify_cb(0, ctx);
1408 if(!ok) goto err;
1409 }
1410
1411
1412 }
1413
1414 if (!(ctx->current_crl_score & CRL_SCORE_TIME))
1415 {
1416 ok = check_crl_time(ctx, crl, 1);
1417 if (!ok)
1418 goto err;
1419 }
1420
1421 /* Attempt to get issuer certificate public key */
1422 ikey = X509_get_pubkey(issuer);
1423
1424 if(!ikey)
1425 {
1426 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1427 ok = ctx->verify_cb(0, ctx);
1428 if (!ok) goto err;
1429 }
1430 else
1431 {
1432 /* Verify CRL signature */
1433 if(X509_CRL_verify(crl, ikey) <= 0)
1434 {
1435 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
1436 ok = ctx->verify_cb(0, ctx);
1437 if (!ok) goto err;
1438 }
1439 }
1440 }
1441
1442 ok = 1;
1443
1444 err:
1445 EVP_PKEY_free(ikey);
1446 return ok;
1447 }
1448
1449/* Check certificate against CRL */
1450static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1451 {
1452 int ok;
1453 X509_REVOKED *rev;
1454 /* The rules changed for this... previously if a CRL contained
1455 * unhandled critical extensions it could still be used to indicate
1456 * a certificate was revoked. This has since been changed since
1457 * critical extension can change the meaning of CRL entries.
1458 */
1459 if (crl->flags & EXFLAG_CRITICAL)
1460 {
1461 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1462 return 1;
1463 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1464 ok = ctx->verify_cb(0, ctx);
1465 if(!ok)
1466 return 0;
1467 }
1468 /* Look for serial number of certificate in CRL
1469 * If found make sure reason is not removeFromCRL.
1470 */
1471 if (X509_CRL_get0_by_cert(crl, &rev, x))
1472 {
1473 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1474 return 2;
1475 ctx->error = X509_V_ERR_CERT_REVOKED;
1476 ok = ctx->verify_cb(0, ctx);
1477 if (!ok)
1478 return 0;
1479 }
1480
1481 return 1;
1482 }
1483
1484static int check_policy(X509_STORE_CTX *ctx)
1485 {
1486 int ret;
1487 if (ctx->parent)
1488 return 1;
1489 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1490 ctx->param->policies, ctx->param->flags);
1491 if (ret == 0)
1492 {
1493 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
1494 return 0;
1495 }
1496 /* Invalid or inconsistent extensions */
1497 if (ret == -1)
1498 {
1499 /* Locate certificates with bad extensions and notify
1500 * callback.
1501 */
1502 X509 *x;
1503 int i;
1504 for (i = 1; i < sk_X509_num(ctx->chain); i++)
1505 {
1506 x = sk_X509_value(ctx->chain, i);
1507 if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1508 continue;
1509 ctx->current_cert = x;
1510 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1511 if(!ctx->verify_cb(0, ctx))
1512 return 0;
1513 }
1514 return 1;
1515 }
1516 if (ret == -2)
1517 {
1518 ctx->current_cert = NULL;
1519 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1520 return ctx->verify_cb(0, ctx);
1521 }
1522
1523 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
1524 {
1525 ctx->current_cert = NULL;
1526 ctx->error = X509_V_OK;
1527 if (!ctx->verify_cb(2, ctx))
1528 return 0;
1529 }
1530
1531 return 1;
1532 }
1533
1534static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1535 {
1536 time_t *ptime;
1537 int i;
1538
1539 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1540 ptime = &ctx->param->check_time;
1541 else
1542 ptime = NULL;
1543
1544 i=X509_cmp_time(X509_get_notBefore(x), ptime);
1545 if (i == 0)
1546 {
1547 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1548 ctx->current_cert=x;
1549 if (!ctx->verify_cb(0, ctx))
1550 return 0;
1551 }
1552
1553 if (i > 0)
1554 {
1555 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
1556 ctx->current_cert=x;
1557 if (!ctx->verify_cb(0, ctx))
1558 return 0;
1559 }
1560
1561 i=X509_cmp_time(X509_get_notAfter(x), ptime);
1562 if (i == 0)
1563 {
1564 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1565 ctx->current_cert=x;
1566 if (!ctx->verify_cb(0, ctx))
1567 return 0;
1568 }
1569
1570 if (i < 0)
1571 {
1572 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
1573 ctx->current_cert=x;
1574 if (!ctx->verify_cb(0, ctx))
1575 return 0;
1576 }
1577
1578 return 1;
1579 }
1580
1581static int internal_verify(X509_STORE_CTX *ctx)
1582 {
1583 int ok=0,n;
1584 X509 *xs,*xi;
1585 EVP_PKEY *pkey=NULL;
1586 int (*cb)(int xok,X509_STORE_CTX *xctx);
1587
1588 cb=ctx->verify_cb;
1589
1590 n=sk_X509_num(ctx->chain);
1591 ctx->error_depth=n-1;
1592 n--;
1593 xi=sk_X509_value(ctx->chain,n);
1594
1595 if (ctx->check_issued(ctx, xi, xi))
1596 xs=xi;
1597 else
1598 {
1599 if (n <= 0)
1600 {
1601 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1602 ctx->current_cert=xi;
1603 ok=cb(0,ctx);
1604 goto end;
1605 }
1606 else
1607 {
1608 n--;
1609 ctx->error_depth=n;
1610 xs=sk_X509_value(ctx->chain,n);
1611 }
1612 }
1613
1614/* ctx->error=0; not needed */
1615 while (n >= 0)
1616 {
1617 ctx->error_depth=n;
1618
1619 /* Skip signature check for self signed certificates unless
1620 * explicitly asked for. It doesn't add any security and
1621 * just wastes time.
1622 */
1623 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
1624 {
1625 if ((pkey=X509_get_pubkey(xi)) == NULL)
1626 {
1627 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1628 ctx->current_cert=xi;
1629 ok=(*cb)(0,ctx);
1630 if (!ok) goto end;
1631 }
1632 else if (X509_verify(xs,pkey) <= 0)
1633 {
1634 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
1635 ctx->current_cert=xs;
1636 ok=(*cb)(0,ctx);
1637 if (!ok)
1638 {
1639 EVP_PKEY_free(pkey);
1640 goto end;
1641 }
1642 }
1643 EVP_PKEY_free(pkey);
1644 pkey=NULL;
1645 }
1646
1647 xs->valid = 1;
1648
1649 ok = check_cert_time(ctx, xs);
1650 if (!ok)
1651 goto end;
1652
1653 /* The last error (if any) is still in the error value */
1654 ctx->current_issuer=xi;
1655 ctx->current_cert=xs;
1656 ok=(*cb)(1,ctx);
1657 if (!ok) goto end;
1658
1659 n--;
1660 if (n >= 0)
1661 {
1662 xi=xs;
1663 xs=sk_X509_value(ctx->chain,n);
1664 }
1665 }
1666 ok=1;
1667end:
1668 return ok;
1669 }
1670
1671int X509_cmp_current_time(const ASN1_TIME *ctm)
1672{
1673 return X509_cmp_time(ctm, NULL);
1674}
1675
1676int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1677 {
1678 char *str;
1679 ASN1_TIME atm;
1680 long offset;
1681 char buff1[24],buff2[24],*p;
1682 int i,j;
1683
1684 p=buff1;
1685 i=ctm->length;
1686 str=(char *)ctm->data;
1687 if (ctm->type == V_ASN1_UTCTIME)
1688 {
1689 if ((i < 11) || (i > 17)) return 0;
1690 memcpy(p,str,10);
1691 p+=10;
1692 str+=10;
1693 }
1694 else
1695 {
1696 if (i < 13) return 0;
1697 memcpy(p,str,12);
1698 p+=12;
1699 str+=12;
1700 }
1701
1702 if ((*str == 'Z') || (*str == '-') || (*str == '+'))
1703 { *(p++)='0'; *(p++)='0'; }
1704 else
1705 {
1706 *(p++)= *(str++);
1707 *(p++)= *(str++);
1708 /* Skip any fractional seconds... */
1709 if (*str == '.')
1710 {
1711 str++;
1712 while ((*str >= '0') && (*str <= '9')) str++;
1713 }
1714
1715 }
1716 *(p++)='Z';
1717 *(p++)='\0';
1718
1719 if (*str == 'Z')
1720 offset=0;
1721 else
1722 {
1723 if ((*str != '+') && (*str != '-'))
1724 return 0;
1725 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
1726 offset+=(str[3]-'0')*10+(str[4]-'0');
1727 if (*str == '-')
1728 offset= -offset;
1729 }
1730 atm.type=ctm->type;
1731 atm.flags = 0;
1732 atm.length=sizeof(buff2);
1733 atm.data=(unsigned char *)buff2;
1734
1735 if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
1736 return 0;
1737
1738 if (ctm->type == V_ASN1_UTCTIME)
1739 {
1740 i=(buff1[0]-'0')*10+(buff1[1]-'0');
1741 if (i < 50) i+=100; /* cf. RFC 2459 */
1742 j=(buff2[0]-'0')*10+(buff2[1]-'0');
1743 if (j < 50) j+=100;
1744
1745 if (i < j) return -1;
1746 if (i > j) return 1;
1747 }
1748 i=strcmp(buff1,buff2);
1749 if (i == 0) /* wait a second then return younger :-) */
1750 return -1;
1751 else
1752 return i;
1753 }
1754
1755ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1756{
1757 return X509_time_adj(s, adj, NULL);
1758}
1759
1760ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1761 {
1762 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1763 }
1764
1765ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1766 int offset_day, long offset_sec, time_t *in_tm)
1767 {
1768 time_t t;
1769
1770 if (in_tm) t = *in_tm;
1771 else time(&t);
1772
1773 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
1774 {
1775 if (s->type == V_ASN1_UTCTIME)
1776 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
1777 if (s->type == V_ASN1_GENERALIZEDTIME)
1778 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1779 offset_sec);
1780 }
1781 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1782 }
1783
1784int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1785 {
1786 EVP_PKEY *ktmp=NULL,*ktmp2;
1787 int i,j;
1788
1789 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
1790
1791 for (i=0; i<sk_X509_num(chain); i++)
1792 {
1793 ktmp=X509_get_pubkey(sk_X509_value(chain,i));
1794 if (ktmp == NULL)
1795 {
1796 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1797 return 0;
1798 }
1799 if (!EVP_PKEY_missing_parameters(ktmp))
1800 break;
1801 else
1802 {
1803 EVP_PKEY_free(ktmp);
1804 ktmp=NULL;
1805 }
1806 }
1807 if (ktmp == NULL)
1808 {
1809 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1810 return 0;
1811 }
1812
1813 /* first, populate the other certs */
1814 for (j=i-1; j >= 0; j--)
1815 {
1816 ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
1817 EVP_PKEY_copy_parameters(ktmp2,ktmp);
1818 EVP_PKEY_free(ktmp2);
1819 }
1820
1821 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
1822 EVP_PKEY_free(ktmp);
1823 return 1;
1824 }
1825
1826int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1827 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1828 {
1829 /* This function is (usually) called only once, by
1830 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1831 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
1832 new_func, dup_func, free_func);
1833 }
1834
1835int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1836 {
1837 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
1838 }
1839
1840void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1841 {
1842 return CRYPTO_get_ex_data(&ctx->ex_data,idx);
1843 }
1844
1845int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1846 {
1847 return ctx->error;
1848 }
1849
1850void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1851 {
1852 ctx->error=err;
1853 }
1854
1855int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1856 {
1857 return ctx->error_depth;
1858 }
1859
1860X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1861 {
1862 return ctx->current_cert;
1863 }
1864
1865STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
1866 {
1867 return ctx->chain;
1868 }
1869
1870STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1871 {
1872 int i;
1873 X509 *x;
1874 STACK_OF(X509) *chain;
1875 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
1876 for (i = 0; i < sk_X509_num(chain); i++)
1877 {
1878 x = sk_X509_value(chain, i);
1879 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1880 }
1881 return chain;
1882 }
1883
1884X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1885 {
1886 return ctx->current_issuer;
1887 }
1888
1889X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1890 {
1891 return ctx->current_crl;
1892 }
1893
1894X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1895 {
1896 return ctx->parent;
1897 }
1898
1899void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1900 {
1901 ctx->cert=x;
1902 }
1903
1904void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1905 {
1906 ctx->untrusted=sk;
1907 }
1908
1909void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1910 {
1911 ctx->crls=sk;
1912 }
1913
1914int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1915 {
1916 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1917 }
1918
1919int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1920 {
1921 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1922 }
1923
1924/* This function is used to set the X509_STORE_CTX purpose and trust
1925 * values. This is intended to be used when another structure has its
1926 * own trust and purpose values which (if set) will be inherited by
1927 * the ctx. If they aren't set then we will usually have a default
1928 * purpose in mind which should then be used to set the trust value.
1929 * An example of this is SSL use: an SSL structure will have its own
1930 * purpose and trust settings which the application can set: if they
1931 * aren't set then we use the default of SSL client/server.
1932 */
1933
1934int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1935 int purpose, int trust)
1936{
1937 int idx;
1938 /* If purpose not set use default */
1939 if (!purpose) purpose = def_purpose;
1940 /* If we have a purpose then check it is valid */
1941 if (purpose)
1942 {
1943 X509_PURPOSE *ptmp;
1944 idx = X509_PURPOSE_get_by_id(purpose);
1945 if (idx == -1)
1946 {
1947 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1948 X509_R_UNKNOWN_PURPOSE_ID);
1949 return 0;
1950 }
1951 ptmp = X509_PURPOSE_get0(idx);
1952 if (ptmp->trust == X509_TRUST_DEFAULT)
1953 {
1954 idx = X509_PURPOSE_get_by_id(def_purpose);
1955 if (idx == -1)
1956 {
1957 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1958 X509_R_UNKNOWN_PURPOSE_ID);
1959 return 0;
1960 }
1961 ptmp = X509_PURPOSE_get0(idx);
1962 }
1963 /* If trust not set then get from purpose default */
1964 if (!trust) trust = ptmp->trust;
1965 }
1966 if (trust)
1967 {
1968 idx = X509_TRUST_get_by_id(trust);
1969 if (idx == -1)
1970 {
1971 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1972 X509_R_UNKNOWN_TRUST_ID);
1973 return 0;
1974 }
1975 }
1976
1977 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
1978 if (trust && !ctx->param->trust) ctx->param->trust = trust;
1979 return 1;
1980}
1981
1982X509_STORE_CTX *X509_STORE_CTX_new(void)
1983{
1984 X509_STORE_CTX *ctx;
1985 ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
1986 if (!ctx)
1987 {
1988 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
1989 return NULL;
1990 }
1991 memset(ctx, 0, sizeof(X509_STORE_CTX));
1992 return ctx;
1993}
1994
1995void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
1996{
1997 X509_STORE_CTX_cleanup(ctx);
1998 OPENSSL_free(ctx);
1999}
2000
2001int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2002 STACK_OF(X509) *chain)
2003 {
2004 int ret = 1;
2005 ctx->ctx=store;
2006 ctx->current_method=0;
2007 ctx->cert=x509;
2008 ctx->untrusted=chain;
2009 ctx->crls = NULL;
2010 ctx->last_untrusted=0;
2011 ctx->other_ctx=NULL;
2012 ctx->valid=0;
2013 ctx->chain=NULL;
2014 ctx->error=0;
2015 ctx->explicit_policy=0;
2016 ctx->error_depth=0;
2017 ctx->current_cert=NULL;
2018 ctx->current_issuer=NULL;
2019 ctx->current_crl=NULL;
2020 ctx->current_crl_score=0;
2021 ctx->current_reasons=0;
2022 ctx->tree = NULL;
2023 ctx->parent = NULL;
2024
2025 ctx->param = X509_VERIFY_PARAM_new();
2026
2027 if (!ctx->param)
2028 {
2029 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2030 return 0;
2031 }
2032
2033 /* Inherit callbacks and flags from X509_STORE if not set
2034 * use defaults.
2035 */
2036
2037
2038 if (store)
2039 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
2040 else
2041 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2042
2043 if (store)
2044 {
2045 ctx->verify_cb = store->verify_cb;
2046 ctx->cleanup = store->cleanup;
2047 }
2048 else
2049 ctx->cleanup = 0;
2050
2051 if (ret)
2052 ret = X509_VERIFY_PARAM_inherit(ctx->param,
2053 X509_VERIFY_PARAM_lookup("default"));
2054
2055 if (ret == 0)
2056 {
2057 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2058 return 0;
2059 }
2060
2061 if (store && store->check_issued)
2062 ctx->check_issued = store->check_issued;
2063 else
2064 ctx->check_issued = check_issued;
2065
2066 if (store && store->get_issuer)
2067 ctx->get_issuer = store->get_issuer;
2068 else
2069 ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2070
2071 if (store && store->verify_cb)
2072 ctx->verify_cb = store->verify_cb;
2073 else
2074 ctx->verify_cb = null_callback;
2075
2076 if (store && store->verify)
2077 ctx->verify = store->verify;
2078 else
2079 ctx->verify = internal_verify;
2080
2081 if (store && store->check_revocation)
2082 ctx->check_revocation = store->check_revocation;
2083 else
2084 ctx->check_revocation = check_revocation;
2085
2086 if (store && store->get_crl)
2087 ctx->get_crl = store->get_crl;
2088 else
2089 ctx->get_crl = NULL;
2090
2091 if (store && store->check_crl)
2092 ctx->check_crl = store->check_crl;
2093 else
2094 ctx->check_crl = check_crl;
2095
2096 if (store && store->cert_crl)
2097 ctx->cert_crl = store->cert_crl;
2098 else
2099 ctx->cert_crl = cert_crl;
2100
2101 if (store && store->lookup_certs)
2102 ctx->lookup_certs = store->lookup_certs;
2103 else
2104 ctx->lookup_certs = X509_STORE_get1_certs;
2105
2106 if (store && store->lookup_crls)
2107 ctx->lookup_crls = store->lookup_crls;
2108 else
2109 ctx->lookup_crls = X509_STORE_get1_crls;
2110
2111 ctx->check_policy = check_policy;
2112
2113
2114 /* This memset() can't make any sense anyway, so it's removed. As
2115 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
2116 * corresponding "new" here and remove this bogus initialisation. */
2117 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
2118 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2119 &(ctx->ex_data)))
2120 {
2121 OPENSSL_free(ctx);
2122 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2123 return 0;
2124 }
2125 return 1;
2126 }
2127
2128/* Set alternative lookup method: just a STACK of trusted certificates.
2129 * This avoids X509_STORE nastiness where it isn't needed.
2130 */
2131
2132void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2133{
2134 ctx->other_ctx = sk;
2135 ctx->get_issuer = get_issuer_sk;
2136}
2137
2138void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2139 {
2140 if (ctx->cleanup) ctx->cleanup(ctx);
2141 if (ctx->param != NULL)
2142 {
2143 if (ctx->parent == NULL)
2144 X509_VERIFY_PARAM_free(ctx->param);
2145 ctx->param=NULL;
2146 }
2147 if (ctx->tree != NULL)
2148 {
2149 X509_policy_tree_free(ctx->tree);
2150 ctx->tree=NULL;
2151 }
2152 if (ctx->chain != NULL)
2153 {
2154 sk_X509_pop_free(ctx->chain,X509_free);
2155 ctx->chain=NULL;
2156 }
2157 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
2158 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
2159 }
2160
2161void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2162 {
2163 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2164 }
2165
2166void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2167 {
2168 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2169 }
2170
2171void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2172 {
2173 X509_VERIFY_PARAM_set_time(ctx->param, t);
2174 }
2175
2176void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2177 int (*verify_cb)(int, X509_STORE_CTX *))
2178 {
2179 ctx->verify_cb=verify_cb;
2180 }
2181
2182X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2183 {
2184 return ctx->tree;
2185 }
2186
2187int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2188 {
2189 return ctx->explicit_policy;
2190 }
2191
2192int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2193 {
2194 const X509_VERIFY_PARAM *param;
2195 param = X509_VERIFY_PARAM_lookup(name);
2196 if (!param)
2197 return 0;
2198 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2199 }
2200
2201X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2202 {
2203 return ctx->param;
2204 }
2205
2206void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2207 {
2208 if (ctx->param)
2209 X509_VERIFY_PARAM_free(ctx->param);
2210 ctx->param = param;
2211 }
2212
2213IMPLEMENT_STACK_OF(X509)
2214IMPLEMENT_ASN1_SET_OF(X509)
2215
2216IMPLEMENT_STACK_OF(X509_NAME)
2217
2218IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
2219IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)
02220
=== added directory '.pc/c_rehash-multi.patch'
=== added directory '.pc/c_rehash-multi.patch/tools'
=== added file '.pc/c_rehash-multi.patch/tools/c_rehash.in'
--- .pc/c_rehash-multi.patch/tools/c_rehash.in 1970-01-01 00:00:00 +0000
+++ .pc/c_rehash-multi.patch/tools/c_rehash.in 2011-09-15 05:17:15 +0000
@@ -0,0 +1,192 @@
1#!/usr/local/bin/perl
2
3
4# Perl c_rehash script, scan all files in a directory
5# and add symbolic links to their hash values.
6
7my $openssl;
8
9my $dir;
10my $prefix;
11
12if(defined $ENV{OPENSSL}) {
13 $openssl = $ENV{OPENSSL};
14} else {
15 $openssl = "openssl";
16 $ENV{OPENSSL} = $openssl;
17}
18
19my $pwd;
20eval "require Cwd";
21if (defined(&Cwd::getcwd)) {
22 $pwd=Cwd::getcwd();
23} else {
24 $pwd=`pwd`; chomp($pwd);
25}
26my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter?
27
28$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); # prefix our path
29
30if(! -x $openssl) {
31 my $found = 0;
32 foreach (split /$path_delim/, $ENV{PATH}) {
33 if(-x "$_/$openssl") {
34 $found = 1;
35 $openssl = "$_/$openssl";
36 last;
37 }
38 }
39 if($found == 0) {
40 print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
41 exit 0;
42 }
43}
44
45if(@ARGV) {
46 @dirlist = @ARGV;
47} elsif($ENV{SSL_CERT_DIR}) {
48 @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
49} else {
50 $dirlist[0] = "$dir/certs";
51}
52
53if (-d $dirlist[0]) {
54 chdir $dirlist[0];
55 $openssl="$pwd/$openssl" if (!-x $openssl);
56 chdir $pwd;
57}
58
59foreach (@dirlist) {
60 if(-d $_ and -w $_) {
61 hash_dir($_);
62 }
63}
64
65sub hash_dir {
66 my %hashlist;
67 print "Doing $_[0]\n";
68 chdir $_[0];
69 opendir(DIR, ".");
70 my @flist = readdir(DIR);
71 # Delete any existing symbolic links
72 foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
73 if(-l $_) {
74 unlink $_;
75 }
76 }
77 closedir DIR;
78 FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) {
79 # Check to see if certificates and/or CRLs present.
80 my ($cert, $crl) = check_file($fname);
81 if(!$cert && !$crl) {
82 ($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der -outform pem | ");
83 if(!$cert && !$crl) {
84 print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
85 next;
86 }
87 }
88 link_hash_cert($fname) if($cert);
89 link_hash_cert_old($fname) if($cert);
90 link_hash_crl($fname) if($crl);
91 }
92}
93
94sub check_file {
95 my ($is_cert, $is_crl) = (0,0);
96 my $fname = $_[0];
97 open IN, $fname;
98 while(<IN>) {
99 if(/^-----BEGIN (.*)-----/) {
100 my $hdr = $1;
101 if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
102 $is_cert = 1;
103 last if($is_crl);
104 } elsif($hdr eq "X509 CRL") {
105 $is_crl = 1;
106 last if($is_cert);
107 }
108 }
109 }
110 close IN;
111 return ($is_cert, $is_crl);
112}
113
114
115# Link a certificate to its subject name hash value, each hash is of
116# the form <hash>.<n> where n is an integer. If the hash value already exists
117# then we need to up the value of n, unless its a duplicate in which
118# case we skip the link. We check for duplicates by comparing the
119# certificate fingerprints
120
121sub link_hash_cert {
122 my $fname = $_[0];
123 my $hashopt = $_[1] || '-subject_hash';
124 $fname =~ s/'/'\\''/g;
125 my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
126 chomp $hash;
127 chomp $fprint;
128 $fprint =~ s/^.*=//;
129 $fprint =~ tr/://d;
130 my $suffix = 0;
131 # Search for an unused hash filename
132 while(exists $hashlist{"$hash.$suffix"}) {
133 # Hash matches: if fingerprint matches its a duplicate cert
134 if($hashlist{"$hash.$suffix"} eq $fprint) {
135 print STDERR "WARNING: Skipping duplicate certificate $fname\n";
136 return;
137 }
138 $suffix++;
139 }
140 $hash .= ".$suffix";
141 print "$fname => $hash\n";
142 $symlink_exists=eval {symlink("",""); 1};
143 if ($symlink_exists) {
144 symlink $fname, $hash;
145 } else {
146 open IN,"<$fname" or die "can't open $fname for read";
147 open OUT,">$hash" or die "can't open $hash for write";
148 print OUT <IN>; # does the job for small text files
149 close OUT;
150 close IN;
151 }
152 $hashlist{$hash} = $fprint;
153}
154
155sub link_hash_cert_old {
156 link_hash_cert($_[0], '-subject_hash_old');
157}
158
159# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
160
161sub link_hash_crl {
162 my $fname = $_[0];
163 $fname =~ s/'/'\\''/g;
164 my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
165 if(!$hash || !fprint) {
166 ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname' -inform der`;
167 }
168 chomp $hash;
169 chomp $fprint;
170 $fprint =~ s/^.*=//;
171 $fprint =~ tr/://d;
172 my $suffix = 0;
173 # Search for an unused hash filename
174 while(exists $hashlist{"$hash.r$suffix"}) {
175 # Hash matches: if fingerprint matches its a duplicate cert
176 if($hashlist{"$hash.r$suffix"} eq $fprint) {
177 print STDERR "WARNING: Skipping duplicate CRL $fname\n";
178 return;
179 }
180 $suffix++;
181 }
182 $hash .= ".r$suffix";
183 print "$fname => $hash\n";
184 $symlink_exists=eval {symlink("",""); 1};
185 if ($symlink_exists) {
186 symlink $fname, $hash;
187 } else {
188 system ("cp", $fname, $hash);
189 }
190 $hashlist{$hash} = $fprint;
191}
192
0193
=== modified file '.pc/config-hurd.patch/config'
--- .pc/config-hurd.patch/config 2010-12-12 15:37:21 +0000
+++ .pc/config-hurd.patch/config 2011-09-15 05:17:15 +0000
@@ -825,6 +825,10 @@
825# options="$options -DATALLA"825# options="$options -DATALLA"
826#fi826#fi
827827
828($CC -Wa,--help -c -o /dev/null -x assembler /dev/null 2>&1 | \
829 grep \\--noexecstack) 2>&1 > /dev/null && \
830 options="$options -Wa,--noexecstack"
831
828# gcc < 2.8 does not support -march=ultrasparc832# gcc < 2.8 does not support -march=ultrasparc
829if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]833if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
830then834then
831835
=== added directory '.pc/dgst_hmac.patch'
=== added directory '.pc/dgst_hmac.patch/apps'
=== added file '.pc/dgst_hmac.patch/apps/dgst.c'
--- .pc/dgst_hmac.patch/apps/dgst.c 1970-01-01 00:00:00 +0000
+++ .pc/dgst_hmac.patch/apps/dgst.c 2011-09-15 05:17:15 +0000
@@ -0,0 +1,632 @@
1/* apps/dgst.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <string.h>
61#include <stdlib.h>
62#include "apps.h"
63#include <openssl/bio.h>
64#include <openssl/err.h>
65#include <openssl/evp.h>
66#include <openssl/objects.h>
67#include <openssl/x509.h>
68#include <openssl/pem.h>
69#include <openssl/hmac.h>
70
71#undef BUFSIZE
72#define BUFSIZE 1024*8
73
74#undef PROG
75#define PROG dgst_main
76
77int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
78 EVP_PKEY *key, unsigned char *sigin, int siglen,
79 const char *sig_name, const char *md_name,
80 const char *file,BIO *bmd);
81
82static void list_md_fn(const EVP_MD *m,
83 const char *from, const char *to, void *arg)
84 {
85 const char *mname;
86 /* Skip aliases */
87 if (!m)
88 return;
89 mname = OBJ_nid2ln(EVP_MD_type(m));
90 /* Skip shortnames */
91 if (strcmp(from, mname))
92 return;
93 /* Skip clones */
94 if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST)
95 return;
96 if (strchr(mname, ' '))
97 mname= EVP_MD_name(m);
98 BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n",
99 mname, mname);
100 }
101
102int MAIN(int, char **);
103
104int MAIN(int argc, char **argv)
105 {
106 ENGINE *e = NULL;
107 unsigned char *buf=NULL;
108 int i,err=1;
109 const EVP_MD *md=NULL,*m;
110 BIO *in=NULL,*inp;
111 BIO *bmd=NULL;
112 BIO *out = NULL;
113#define PROG_NAME_SIZE 39
114 char pname[PROG_NAME_SIZE+1];
115 int separator=0;
116 int debug=0;
117 int keyform=FORMAT_PEM;
118 const char *outfile = NULL, *keyfile = NULL;
119 const char *sigfile = NULL, *randfile = NULL;
120 int out_bin = -1, want_pub = 0, do_verify = 0;
121 EVP_PKEY *sigkey = NULL;
122 unsigned char *sigbuf = NULL;
123 int siglen = 0;
124 char *passargin = NULL, *passin = NULL;
125#ifndef OPENSSL_NO_ENGINE
126 char *engine=NULL;
127#endif
128 char *hmac_key=NULL;
129 char *mac_name=NULL;
130 STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
131
132 apps_startup();
133
134 if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL)
135 {
136 BIO_printf(bio_err,"out of memory\n");
137 goto end;
138 }
139 if (bio_err == NULL)
140 if ((bio_err=BIO_new(BIO_s_file())) != NULL)
141 BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
142
143 if (!load_config(bio_err, NULL))
144 goto end;
145
146 /* first check the program name */
147 program_name(argv[0],pname,sizeof pname);
148
149 md=EVP_get_digestbyname(pname);
150
151 argc--;
152 argv++;
153 while (argc > 0)
154 {
155 if ((*argv)[0] != '-') break;
156 if (strcmp(*argv,"-c") == 0)
157 separator=1;
158 else if (strcmp(*argv,"-r") == 0)
159 separator=2;
160 else if (strcmp(*argv,"-rand") == 0)
161 {
162 if (--argc < 1) break;
163 randfile=*(++argv);
164 }
165 else if (strcmp(*argv,"-out") == 0)
166 {
167 if (--argc < 1) break;
168 outfile=*(++argv);
169 }
170 else if (strcmp(*argv,"-sign") == 0)
171 {
172 if (--argc < 1) break;
173 keyfile=*(++argv);
174 }
175 else if (!strcmp(*argv,"-passin"))
176 {
177 if (--argc < 1)
178 break;
179 passargin=*++argv;
180 }
181 else if (strcmp(*argv,"-verify") == 0)
182 {
183 if (--argc < 1) break;
184 keyfile=*(++argv);
185 want_pub = 1;
186 do_verify = 1;
187 }
188 else if (strcmp(*argv,"-prverify") == 0)
189 {
190 if (--argc < 1) break;
191 keyfile=*(++argv);
192 do_verify = 1;
193 }
194 else if (strcmp(*argv,"-signature") == 0)
195 {
196 if (--argc < 1) break;
197 sigfile=*(++argv);
198 }
199 else if (strcmp(*argv,"-keyform") == 0)
200 {
201 if (--argc < 1) break;
202 keyform=str2fmt(*(++argv));
203 }
204#ifndef OPENSSL_NO_ENGINE
205 else if (strcmp(*argv,"-engine") == 0)
206 {
207 if (--argc < 1) break;
208 engine= *(++argv);
209 e = setup_engine(bio_err, engine, 0);
210 }
211#endif
212 else if (strcmp(*argv,"-hex") == 0)
213 out_bin = 0;
214 else if (strcmp(*argv,"-binary") == 0)
215 out_bin = 1;
216 else if (strcmp(*argv,"-d") == 0)
217 debug=1;
218 else if (!strcmp(*argv,"-hmac"))
219 {
220 if (--argc < 1)
221 break;
222 hmac_key=*++argv;
223 }
224 else if (!strcmp(*argv,"-mac"))
225 {
226 if (--argc < 1)
227 break;
228 mac_name=*++argv;
229 }
230 else if (strcmp(*argv,"-sigopt") == 0)
231 {
232 if (--argc < 1)
233 break;
234 if (!sigopts)
235 sigopts = sk_OPENSSL_STRING_new_null();
236 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
237 break;
238 }
239 else if (strcmp(*argv,"-macopt") == 0)
240 {
241 if (--argc < 1)
242 break;
243 if (!macopts)
244 macopts = sk_OPENSSL_STRING_new_null();
245 if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
246 break;
247 }
248 else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
249 md=m;
250 else
251 break;
252 argc--;
253 argv++;
254 }
255
256
257 if(do_verify && !sigfile) {
258 BIO_printf(bio_err, "No signature to verify: use the -signature option\n");
259 goto end;
260 }
261
262 if ((argc > 0) && (argv[0][0] == '-')) /* bad option */
263 {
264 BIO_printf(bio_err,"unknown option '%s'\n",*argv);
265 BIO_printf(bio_err,"options are\n");
266 BIO_printf(bio_err,"-c to output the digest with separating colons\n");
267 BIO_printf(bio_err,"-r to output the digest in coreutils format\n");
268 BIO_printf(bio_err,"-d to output debug info\n");
269 BIO_printf(bio_err,"-hex output as hex dump\n");
270 BIO_printf(bio_err,"-binary output in binary form\n");
271 BIO_printf(bio_err,"-sign file sign digest using private key in file\n");
272 BIO_printf(bio_err,"-verify file verify a signature using public key in file\n");
273 BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n");
274 BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n");
275 BIO_printf(bio_err,"-out filename output to filename rather than stdout\n");
276 BIO_printf(bio_err,"-signature file signature to verify\n");
277 BIO_printf(bio_err,"-sigopt nm:v signature parameter\n");
278 BIO_printf(bio_err,"-hmac key create hashed MAC with key\n");
279 BIO_printf(bio_err,"-mac algorithm create MAC (not neccessarily HMAC)\n");
280 BIO_printf(bio_err,"-macopt nm:v MAC algorithm parameters or key\n");
281#ifndef OPENSSL_NO_ENGINE
282 BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n");
283#endif
284
285 EVP_MD_do_all_sorted(list_md_fn, bio_err);
286 goto end;
287 }
288
289 in=BIO_new(BIO_s_file());
290 bmd=BIO_new(BIO_f_md());
291 if (debug)
292 {
293 BIO_set_callback(in,BIO_debug_callback);
294 /* needed for windows 3.1 */
295 BIO_set_callback_arg(in,(char *)bio_err);
296 }
297
298 if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
299 {
300 BIO_printf(bio_err, "Error getting password\n");
301 goto end;
302 }
303
304 if ((in == NULL) || (bmd == NULL))
305 {
306 ERR_print_errors(bio_err);
307 goto end;
308 }
309
310 if(out_bin == -1) {
311 if(keyfile)
312 out_bin = 1;
313 else
314 out_bin = 0;
315 }
316
317 if(randfile)
318 app_RAND_load_file(randfile, bio_err, 0);
319
320 if(outfile) {
321 if(out_bin)
322 out = BIO_new_file(outfile, "wb");
323 else out = BIO_new_file(outfile, "w");
324 } else {
325 out = BIO_new_fp(stdout, BIO_NOCLOSE);
326#ifdef OPENSSL_SYS_VMS
327 {
328 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
329 out = BIO_push(tmpbio, out);
330 }
331#endif
332 }
333
334 if(!out) {
335 BIO_printf(bio_err, "Error opening output file %s\n",
336 outfile ? outfile : "(stdout)");
337 ERR_print_errors(bio_err);
338 goto end;
339 }
340 if ((!!mac_name + !!keyfile + !!hmac_key) > 1)
341 {
342 BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
343 goto end;
344 }
345
346 if(keyfile)
347 {
348 if (want_pub)
349 sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
350 e, "key file");
351 else
352 sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
353 e, "key file");
354 if (!sigkey)
355 {
356 /* load_[pub]key() has already printed an appropriate
357 message */
358 goto end;
359 }
360 }
361
362 if (mac_name)
363 {
364 EVP_PKEY_CTX *mac_ctx = NULL;
365 int r = 0;
366 if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0))
367 goto mac_end;
368 if (macopts)
369 {
370 char *macopt;
371 for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++)
372 {
373 macopt = sk_OPENSSL_STRING_value(macopts, i);
374 if (pkey_ctrl_string(mac_ctx, macopt) <= 0)
375 {
376 BIO_printf(bio_err,
377 "MAC parameter error \"%s\"\n",
378 macopt);
379 ERR_print_errors(bio_err);
380 goto mac_end;
381 }
382 }
383 }
384 if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0)
385 {
386 BIO_puts(bio_err, "Error generating key\n");
387 ERR_print_errors(bio_err);
388 goto mac_end;
389 }
390 r = 1;
391 mac_end:
392 if (mac_ctx)
393 EVP_PKEY_CTX_free(mac_ctx);
394 if (r == 0)
395 goto end;
396 }
397
398 if (hmac_key)
399 {
400 sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
401 (unsigned char *)hmac_key, -1);
402 if (!sigkey)
403 goto end;
404 }
405
406 if (sigkey)
407 {
408 EVP_MD_CTX *mctx = NULL;
409 EVP_PKEY_CTX *pctx = NULL;
410 int r;
411 if (!BIO_get_md_ctx(bmd, &mctx))
412 {
413 BIO_printf(bio_err, "Error getting context\n");
414 ERR_print_errors(bio_err);
415 goto end;
416 }
417 if (do_verify)
418 r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
419 else
420 r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);
421 if (!r)
422 {
423 BIO_printf(bio_err, "Error setting context\n");
424 ERR_print_errors(bio_err);
425 goto end;
426 }
427 if (sigopts)
428 {
429 char *sigopt;
430 for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++)
431 {
432 sigopt = sk_OPENSSL_STRING_value(sigopts, i);
433 if (pkey_ctrl_string(pctx, sigopt) <= 0)
434 {
435 BIO_printf(bio_err,
436 "parameter error \"%s\"\n",
437 sigopt);
438 ERR_print_errors(bio_err);
439 goto end;
440 }
441 }
442 }
443 }
444 /* we use md as a filter, reading from 'in' */
445 else
446 {
447 if (md == NULL)
448 md = EVP_md5();
449 if (!BIO_set_md(bmd,md))
450 {
451 BIO_printf(bio_err, "Error setting digest %s\n", pname);
452 ERR_print_errors(bio_err);
453 goto end;
454 }
455 }
456
457 if(sigfile && sigkey) {
458 BIO *sigbio;
459 sigbio = BIO_new_file(sigfile, "rb");
460 siglen = EVP_PKEY_size(sigkey);
461 sigbuf = OPENSSL_malloc(siglen);
462 if(!sigbio) {
463 BIO_printf(bio_err, "Error opening signature file %s\n",
464 sigfile);
465 ERR_print_errors(bio_err);
466 goto end;
467 }
468 siglen = BIO_read(sigbio, sigbuf, siglen);
469 BIO_free(sigbio);
470 if(siglen <= 0) {
471 BIO_printf(bio_err, "Error reading signature file %s\n",
472 sigfile);
473 ERR_print_errors(bio_err);
474 goto end;
475 }
476 }
477 inp=BIO_push(bmd,in);
478
479 if (md == NULL)
480 {
481 EVP_MD_CTX *tctx;
482 BIO_get_md_ctx(bmd, &tctx);
483 md = EVP_MD_CTX_md(tctx);
484 }
485
486 if (argc == 0)
487 {
488 BIO_set_fp(in,stdin,BIO_NOCLOSE);
489 err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
490 siglen,NULL,NULL,"stdin",bmd);
491 }
492 else
493 {
494 const char *md_name = NULL, *sig_name = NULL;
495 if(!out_bin)
496 {
497 if (sigkey)
498 {
499 const EVP_PKEY_ASN1_METHOD *ameth;
500 ameth = EVP_PKEY_get0_asn1(sigkey);
501 if (ameth)
502 EVP_PKEY_asn1_get0_info(NULL, NULL,
503 NULL, NULL, &sig_name, ameth);
504 }
505 md_name = EVP_MD_name(md);
506 }
507 err = 0;
508 for (i=0; i<argc; i++)
509 {
510 int r;
511 if (BIO_read_filename(in,argv[i]) <= 0)
512 {
513 perror(argv[i]);
514 err++;
515 continue;
516 }
517 else
518 r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
519 siglen,sig_name,md_name, argv[i],bmd);
520 if(r)
521 err=r;
522 (void)BIO_reset(bmd);
523 }
524 }
525end:
526 if (buf != NULL)
527 {
528 OPENSSL_cleanse(buf,BUFSIZE);
529 OPENSSL_free(buf);
530 }
531 if (in != NULL) BIO_free(in);
532 if (passin)
533 OPENSSL_free(passin);
534 BIO_free_all(out);
535 EVP_PKEY_free(sigkey);
536 if (sigopts)
537 sk_OPENSSL_STRING_free(sigopts);
538 if (macopts)
539 sk_OPENSSL_STRING_free(macopts);
540 if(sigbuf) OPENSSL_free(sigbuf);
541 if (bmd != NULL) BIO_free(bmd);
542 apps_shutdown();
543 OPENSSL_EXIT(err);
544 }
545
546int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
547 EVP_PKEY *key, unsigned char *sigin, int siglen,
548 const char *sig_name, const char *md_name,
549 const char *file,BIO *bmd)
550 {
551 size_t len;
552 int i;
553
554 for (;;)
555 {
556 i=BIO_read(bp,(char *)buf,BUFSIZE);
557 if(i < 0)
558 {
559 BIO_printf(bio_err, "Read Error in %s\n",file);
560 ERR_print_errors(bio_err);
561 return 1;
562 }
563 if (i == 0) break;
564 }
565 if(sigin)
566 {
567 EVP_MD_CTX *ctx;
568 BIO_get_md_ctx(bp, &ctx);
569 i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen);
570 if(i > 0)
571 BIO_printf(out, "Verified OK\n");
572 else if(i == 0)
573 {
574 BIO_printf(out, "Verification Failure\n");
575 return 1;
576 }
577 else
578 {
579 BIO_printf(bio_err, "Error Verifying Data\n");
580 ERR_print_errors(bio_err);
581 return 1;
582 }
583 return 0;
584 }
585 if(key)
586 {
587 EVP_MD_CTX *ctx;
588 BIO_get_md_ctx(bp, &ctx);
589 len = BUFSIZE;
590 if(!EVP_DigestSignFinal(ctx, buf, &len))
591 {
592 BIO_printf(bio_err, "Error Signing Data\n");
593 ERR_print_errors(bio_err);
594 return 1;
595 }
596 }
597 else
598 {
599 len=BIO_gets(bp,(char *)buf,BUFSIZE);
600 if ((int)len <0)
601 {
602 ERR_print_errors(bio_err);
603 return 1;
604 }
605 }
606
607 if(binout) BIO_write(out, buf, len);
608 else if (sep == 2)
609 {
610 for (i=0; i<(int)len; i++)
611 BIO_printf(out, "%02x",buf[i]);
612 BIO_printf(out, " *%s\n", file);
613 }
614 else
615 {
616 if (sig_name)
617 BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file);
618 else if (md_name)
619 BIO_printf(out, "%s(%s)= ", md_name, file);
620 else
621 BIO_printf(out, "(%s)= ", file);
622 for (i=0; i<(int)len; i++)
623 {
624 if (sep && (i != 0))
625 BIO_printf(out, ":");
626 BIO_printf(out, "%02x",buf[i]);
627 }
628 BIO_printf(out, "\n");
629 }
630 return 0;
631 }
632
0633
=== added directory '.pc/dgst_hmac.patch/doc'
=== added directory '.pc/dgst_hmac.patch/doc/apps'
=== added file '.pc/dgst_hmac.patch/doc/apps/dgst.pod'
--- .pc/dgst_hmac.patch/doc/apps/dgst.pod 1970-01-01 00:00:00 +0000
+++ .pc/dgst_hmac.patch/doc/apps/dgst.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,162 @@
1=pod
2
3=head1 NAME
4
5dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests
6
7=head1 SYNOPSIS
8
9B<openssl> B<dgst>
10[B<-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1>]
11[B<-c>]
12[B<-d>]
13[B<-hex>]
14[B<-binary>]
15[B<-out filename>]
16[B<-sign filename>]
17[B<-keyform arg>]
18[B<-passin arg>]
19[B<-verify filename>]
20[B<-prverify filename>]
21[B<-signature filename>]
22[B<-hmac key>]
23[B<file...>]
24
25[B<md5|md4|md2|sha1|sha|mdc2|ripemd160>]
26[B<-c>]
27[B<-d>]
28[B<file...>]
29
30=head1 DESCRIPTION
31
32The digest functions output the message digest of a supplied file or files
33in hexadecimal form. They can also be used for digital signing and verification.
34
35=head1 OPTIONS
36
37=over 4
38
39=item B<-c>
40
41print out the digest in two digit groups separated by colons, only relevant if
42B<hex> format output is used.
43
44=item B<-d>
45
46print out BIO debugging information.
47
48=item B<-hex>
49
50digest is to be output as a hex dump. This is the default case for a "normal"
51digest as opposed to a digital signature.
52
53=item B<-binary>
54
55output the digest or signature in binary form.
56
57=item B<-out filename>
58
59filename to output to, or standard output by default.
60
61=item B<-sign filename>
62
63digitally sign the digest using the private key in "filename".
64
65=item B<-keyform arg>
66
67Specifies the key format to sign digest with. Only PEM and ENGINE
68formats are supported by the B<dgst> command.
69
70=item B<-engine id>
71
72Use engine B<id> for operations (including private key storage).
73This engine is not used as source for digest algorithms, unless it is
74also specified in the configuration file.
75
76=item B<-sigopt nm:v>
77
78Pass options to the signature algorithm during sign or verify operations.
79Names and values of these options are algorithm-specific.
80
81
82=item B<-passin arg>
83
84the private key password source. For more information about the format of B<arg>
85see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
86
87=item B<-verify filename>
88
89verify the signature using the the public key in "filename".
90The output is either "Verification OK" or "Verification Failure".
91
92=item B<-prverify filename>
93
94verify the signature using the the private key in "filename".
95
96=item B<-signature filename>
97
98the actual signature to verify.
99
100=item B<-hmac key>
101
102create a hashed MAC using "key".
103
104=item B<-mac alg>
105
106create MAC (keyed Message Authentication Code). The most popular MAC
107algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
108which are not based on hash, for instance B<gost-mac> algorithm,
109supported by B<ccgost> engine. MAC keys and other options should be set
110via B<-macopt> parameter.
111
112=item B<-macopt nm:v>
113
114Passes options to MAC algorithm, specified by B<-mac> key.
115Following options are supported by both by B<HMAC> and B<gost-mac>:
116
117=over 8
118
119=item B<key:string>
120
121Specifies MAC key as alphnumeric string (use if key contain printable
122characters only). String length must conform to any restrictions of
123the MAC algorithm for example exactly 32 chars for gost-mac.
124
125=item B<hexkey:string>
126
127Specifies MAC key in hexadecimal form (two hex digits per byte).
128Key length must conform to any restrictions of the MAC algorithm
129for example exactly 32 chars for gost-mac.
130
131=back
132
133=item B<-rand file(s)>
134
135a file or files containing random data used to seed the random number
136generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
137Multiple files can be specified separated by a OS-dependent character.
138The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
139all others.
140
141=item B<file...>
142
143file or files to digest. If no files are specified then standard input is
144used.
145
146=back
147
148=head1 NOTES
149
150The digest of choice for all new applications is SHA1. Other digests are
151however still widely used.
152
153If you wish to sign or verify data using the DSA algorithm then the dss1
154digest must be used.
155
156A source of random numbers is required for certain signing algorithms, in
157particular DSA.
158
159The signing and verify options should only be used if a single file is
160being signed or verified.
161
162=cut
0163
=== modified file '.pc/engines-path.patch/Configure'
--- .pc/engines-path.patch/Configure 2010-12-19 16:24:16 +0000
+++ .pc/engines-path.patch/Configure 2011-09-15 05:17:15 +0000
@@ -362,6 +362,7 @@
362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",366"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
366"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",367"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
367"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",368"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -370,7 +371,7 @@
370"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",371"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
371"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",372"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
372"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",373"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
373"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",374"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
374375
375####376####
376#### Variety of LINUX:-)377#### Variety of LINUX:-)
377378
=== modified file '.pc/gnu_source.patch/crypto/dso/dso_dlfcn.c'
--- .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c 2010-12-19 16:24:16 +0000
+++ .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c 2011-09-15 05:17:15 +0000
@@ -85,6 +85,7 @@
85# define HAVE_DLINFO 185# define HAVE_DLINFO 1
86# if defined(_AIX) || defined(__CYGWIN__) || \86# if defined(_AIX) || defined(__CYGWIN__) || \
87 defined(__SCO_VERSION__) || defined(_SCO_ELF) || \87 defined(__SCO_VERSION__) || defined(_SCO_ELF) || \
88 (defined(__osf__) && !defined(RTLD_NEXT)) || \
88 (defined(__OpenBSD__) && !defined(RTLD_SELF))89 (defined(__OpenBSD__) && !defined(RTLD_SELF))
89# undef HAVE_DLINFO90# undef HAVE_DLINFO
90# endif91# endif
9192
=== added directory '.pc/libdoc-manpgs-pod-spell.patch'
=== added directory '.pc/libdoc-manpgs-pod-spell.patch/doc'
=== added directory '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto'
=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod'
--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod 1970-01-01 00:00:00 +0000
+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,265 @@
1=pod
2
3=head1 NAME
4
5ASN1_generate_nconf, ASN1_generate_v3 - ASN1 generation functions
6
7=head1 SYNOPSIS
8
9 #include <openssl/asn1.h>
10
11 ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf);
12 ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf);
13
14=head1 DESCRIPTION
15
16These functions generate the ASN1 encoding of a string
17in an B<ASN1_TYPE> structure.
18
19B<str> contains the string to encode B<nconf> or B<cnf> contains
20the optional configuration information where additional strings
21will be read from. B<nconf> will typically come from a config
22file wherease B<cnf> is obtained from an B<X509V3_CTX> structure
23which will typically be used by X509 v3 certificate extension
24functions. B<cnf> or B<nconf> can be set to B<NULL> if no additional
25configuration will be used.
26
27=head1 GENERATION STRING FORMAT
28
29The actual data encoded is determined by the string B<str> and
30the configuration information. The general format of the string
31is:
32
33=over 2
34
35=item B<[modifier,]type[:value]>
36
37=back
38
39That is zero or more comma separated modifiers followed by a type
40followed by an optional colon and a value. The formats of B<type>,
41B<value> and B<modifier> are explained below.
42
43=head2 SUPPORTED TYPES
44
45The supported types are listed below. Unless otherwise specified
46only the B<ASCII> format is permissible.
47
48=over 2
49
50=item B<BOOLEAN>, B<BOOL>
51
52This encodes a boolean type. The B<value> string is mandatory and
53should be B<TRUE> or B<FALSE>. Additionally B<TRUE>, B<true>, B<Y>,
54B<y>, B<YES>, B<yes>, B<FALSE>, B<false>, B<N>, B<n>, B<NO> and B<no>
55are acceptable.
56
57=item B<NULL>
58
59Encode the B<NULL> type, the B<value> string must not be present.
60
61=item B<INTEGER>, B<INT>
62
63Encodes an ASN1 B<INTEGER> type. The B<value> string represents
64the value of the integer, it can be preceeded by a minus sign and
65is normally interpreted as a decimal value unless the prefix B<0x>
66is included.
67
68=item B<ENUMERATED>, B<ENUM>
69
70Encodes the ASN1 B<ENUMERATED> type, it is otherwise identical to
71B<INTEGER>.
72
73=item B<OBJECT>, B<OID>
74
75Encodes an ASN1 B<OBJECT IDENTIFIER>, the B<value> string can be
76a short name, a long name or numerical format.
77
78=item B<UTCTIME>, B<UTC>
79
80Encodes an ASN1 B<UTCTime> structure, the value should be in
81the format B<YYMMDDHHMMSSZ>.
82
83=item B<GENERALIZEDTIME>, B<GENTIME>
84
85Encodes an ASN1 B<GeneralizedTime> structure, the value should be in
86the format B<YYYYMMDDHHMMSSZ>.
87
88=item B<OCTETSTRING>, B<OCT>
89
90Encodes an ASN1 B<OCTET STRING>. B<value> represents the contents
91of this structure, the format strings B<ASCII> and B<HEX> can be
92used to specify the format of B<value>.
93
94=item B<BITSTRING>, B<BITSTR>
95
96Encodes an ASN1 B<BIT STRING>. B<value> represents the contents
97of this structure, the format strings B<ASCII>, B<HEX> and B<BITLIST>
98can be used to specify the format of B<value>.
99
100If the format is anything other than B<BITLIST> the number of unused
101bits is set to zero.
102
103=item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>,
104B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>,
105B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>,
106B<T61STRING>, B<TELETEXSTRING>, B<GeneralString>, B<NUMERICSTRING>,
107B<NUMERIC>
108
109These encode the corresponding string types. B<value> represents the
110contents of this structure. The format can be B<ASCII> or B<UTF8>.
111
112=item B<SEQUENCE>, B<SEQ>, B<SET>
113
114Formats the result as an ASN1 B<SEQUENCE> or B<SET> type. B<value>
115should be a section name which will contain the contents. The
116field names in the section are ignored and the values are in the
117generated string format. If B<value> is absent then an empty SEQUENCE
118will be encoded.
119
120=back
121
122=head2 MODIFIERS
123
124Modifiers affect the following structure, they can be used to
125add EXPLICIT or IMPLICIT tagging, add wrappers or to change
126the string format of the final type and value. The supported
127formats are documented below.
128
129=over 2
130
131=item B<EXPLICIT>, B<EXP>
132
133Add an explicit tag to the following structure. This string
134should be followed by a colon and the tag value to use as a
135decimal value.
136
137By following the number with B<U>, B<A>, B<P> or B<C> UNIVERSAL,
138APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used,
139the default is CONTEXT SPECIFIC.
140
141=item B<IMPLICIT>, B<IMP>
142
143This is the same as B<EXPLICIT> except IMPLICIT tagging is used
144instead.
145
146=item B<OCTWRAP>, B<SEQWRAP>, B<SETWRAP>, B<BITWRAP>
147
148The following structure is surrounded by an OCTET STRING, a SEQUENCE,
149a SET or a BIT STRING respectively. For a BIT STRING the number of unused
150bits is set to zero.
151
152=item B<FORMAT>
153
154This specifies the format of the ultimate value. It should be followed
155by a colon and one of the strings B<ASCII>, B<UTF8>, B<HEX> or B<BITLIST>.
156
157If no format specifier is included then B<ASCII> is used. If B<UTF8> is
158specified then the value string must be a valid B<UTF8> string. For B<HEX> the
159output must be a set of hex digits. B<BITLIST> (which is only valid for a BIT
160STRING) is a comma separated list of the indices of the set bits, all other
161bits are zero.
162
163=back
164
165=head1 EXAMPLES
166
167A simple IA5String:
168
169 IA5STRING:Hello World
170
171An IA5String explicitly tagged:
172
173 EXPLICIT:0,IA5STRING:Hello World
174
175An IA5String explicitly tagged using APPLICATION tagging:
176
177 EXPLICIT:0A,IA5STRING:Hello World
178
179A BITSTRING with bits 1 and 5 set and all others zero:
180
181 FORMAT:BITLIST,BITSTRING:1,5
182
183A more complex example using a config file to produce a
184SEQUENCE consiting of a BOOL an OID and a UTF8String:
185
186 asn1 = SEQUENCE:seq_section
187
188 [seq_section]
189
190 field1 = BOOLEAN:TRUE
191 field2 = OID:commonName
192 field3 = UTF8:Third field
193
194This example produces an RSAPrivateKey structure, this is the
195key contained in the file client.pem in all OpenSSL distributions
196(note: the field names such as 'coeff' are ignored and are present just
197for clarity):
198
199 asn1=SEQUENCE:private_key
200 [private_key]
201 version=INTEGER:0
202
203 n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
204 D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
205
206 e=INTEGER:0x010001
207
208 d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\
209 F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D
210
211 p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\
212 D4BD57
213
214 q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\
215 46EC4F
216
217 exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\
218 9C0A39B9
219
220 exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\
221 E7B2458F
222
223 coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\
224 628657053A
225
226This example is the corresponding public key in a SubjectPublicKeyInfo
227structure:
228
229 # Start with a SEQUENCE
230 asn1=SEQUENCE:pubkeyinfo
231
232 # pubkeyinfo contains an algorithm identifier and the public key wrapped
233 # in a BIT STRING
234 [pubkeyinfo]
235 algorithm=SEQUENCE:rsa_alg
236 pubkey=BITWRAP,SEQUENCE:rsapubkey
237
238 # algorithm ID for RSA is just an OID and a NULL
239 [rsa_alg]
240 algorithm=OID:rsaEncryption
241 parameter=NULL
242
243 # Actual public key: modulus and exponent
244 [rsapubkey]
245 n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
246 D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
247
248 e=INTEGER:0x010001
249
250=head1 RETURN VALUES
251
252ASN1_generate_nconf() and ASN1_generate_v3() return the encoded
253data as an B<ASN1_TYPE> structure or B<NULL> if an error occurred.
254
255The error codes that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
256
257=head1 SEE ALSO
258
259L<ERR_get_error(3)|ERR_get_error(3)>
260
261=head1 HISTORY
262
263ASN1_generate_nconf() and ASN1_generate_v3() were added to OpenSSL 0.9.8
264
265=cut
0266
=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod'
--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod 1970-01-01 00:00:00 +0000
+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,115 @@
1=pod
2
3=head1 NAME
4
5BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert,
6BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex,
7BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_get_flags,
8BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM
9functions.
10
11=head1 SYNOPSIS
12
13 #include <openssl/bn.h>
14
15 BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai,
16 BIGNUM *mod);
17 void BN_BLINDING_free(BN_BLINDING *b);
18 int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
19 int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
20 int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
21 int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b,
22 BN_CTX *ctx);
23 int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
24 BN_CTX *ctx);
25 #ifndef OPENSSL_NO_DEPRECATED
26 unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
27 void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
28 #endif
29 CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
30 unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
31 void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
32 BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
33 const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
34 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
35 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
36 BN_MONT_CTX *m_ctx);
37
38=head1 DESCRIPTION
39
40BN_BLINDING_new() allocates a new B<BN_BLINDING> structure and copies
41the B<A> and B<Ai> values into the newly created B<BN_BLINDING> object.
42
43BN_BLINDING_free() frees the B<BN_BLINDING> structure.
44
45BN_BLINDING_update() updates the B<BN_BLINDING> parameters by squaring
46the B<A> and B<Ai> or, after specific number of uses and if the
47necessary parameters are set, by re-creating the blinding parameters.
48
49BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>.
50If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be
51returned in B<r> (this is useful if a B<RSA> object is shared amoung
52several threads). BN_BLINDING_invert_ex() multiplies B<n> with the
53inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as
54the inverse blinding.
55
56BN_BLINDING_convert() and BN_BLINDING_invert() are wrapper
57functions for BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex()
58with B<r> set to NULL.
59
60BN_BLINDING_thread_id() provides access to the B<CRYPTO_THREADID>
61object within the B<BN_BLINDING> structure. This is to help users
62provide proper locking if needed for multi-threaded use. The "thread
63id" object of a newly allocated B<BN_BLINDING> structure is
64initialised to the thread id in which BN_BLINDING_new() was called.
65
66BN_BLINDING_get_flags() returns the BN_BLINDING flags. Currently
67there are two supported flags: B<BN_BLINDING_NO_UPDATE> and
68B<BN_BLINDING_NO_RECREATE>. B<BN_BLINDING_NO_UPDATE> inhibits the
69automatic update of the B<BN_BLINDING> parameters after each use
70and B<BN_BLINDING_NO_RECREATE> inhibits the automatic re-creation
71of the B<BN_BLINDING> parameters after a fixed number of uses (currently
7232). In newly allocated B<BN_BLINDING> objects no flags are set.
73BN_BLINDING_set_flags() sets the B<BN_BLINDING> parameters flags.
74
75BN_BLINDING_create_param() creates new B<BN_BLINDING> parameters
76using the exponent B<e> and the modulus B<m>. B<bn_mod_exp> and
77B<m_ctx> can be used to pass special functions for exponentiation
78(normally BN_mod_exp_mont() and B<BN_MONT_CTX>).
79
80=head1 RETURN VALUES
81
82BN_BLINDING_new() returns the newly allocated B<BN_BLINDING> structure
83or NULL in case of an error.
84
85BN_BLINDING_update(), BN_BLINDING_convert(), BN_BLINDING_invert(),
86BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() return 1 on
87success and 0 if an error occured.
88
89BN_BLINDING_thread_id() returns a pointer to the thread id object
90within a B<BN_BLINDING> object.
91
92BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags
93(a B<unsigned long> value).
94
95BN_BLINDING_create_param() returns the newly created B<BN_BLINDING>
96parameters or NULL on error.
97
98=head1 SEE ALSO
99
100L<bn(3)|bn(3)>
101
102=head1 HISTORY
103
104BN_BLINDING_thread_id was first introduced in OpenSSL 1.0.0, and it
105deprecates BN_BLINDING_set_thread_id and BN_BLINDING_get_thread_id.
106
107BN_BLINDING_convert_ex, BN_BLINDIND_invert_ex, BN_BLINDING_get_thread_id,
108BN_BLINDING_set_thread_id, BN_BLINDING_set_flags, BN_BLINDING_get_flags
109and BN_BLINDING_create_param were first introduced in OpenSSL 0.9.8
110
111=head1 AUTHOR
112
113Nils Larsch for the OpenSSL project (http://www.openssl.org).
114
115=cut
0116
=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod'
--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod 1970-01-01 00:00:00 +0000
+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,67 @@
1=pod
2
3=head1 NAME
4
5EVP_BytesToKey - password based encryption routine
6
7=head1 SYNOPSIS
8
9 #include <openssl/evp.h>
10
11 int EVP_BytesToKey(const EVP_CIPHER *type,const EVP_MD *md,
12 const unsigned char *salt,
13 const unsigned char *data, int datal, int count,
14 unsigned char *key,unsigned char *iv);
15
16=head1 DESCRIPTION
17
18EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
19the cipher to derive the key and IV for. B<md> is the message digest to use.
20The B<salt> paramter is used as a salt in the derivation: it should point to
21an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
22B<datal> bytes which is used to derive the keying data. B<count> is the
23iteration count to use. The derived key and IV will be written to B<key>
24and B<iv> respectively.
25
26=head1 NOTES
27
28A typical application of this function is to derive keying material for an
29encryption algorithm from a password in the B<data> parameter.
30
31Increasing the B<count> parameter slows down the algorithm which makes it
32harder for an attacker to peform a brute force attack using a large number
33of candidate passwords.
34
35If the total key and IV length is less than the digest length and
36B<MD5> is used then the derivation algorithm is compatible with PKCS#5 v1.5
37otherwise a non standard extension is used to derive the extra data.
38
39Newer applications should use more standard algorithms such as PKCS#5
40v2.0 for key derivation.
41
42=head1 KEY DERIVATION ALGORITHM
43
44The key and IV is derived by concatenating D_1, D_2, etc until
45enough data is available for the key and IV. D_i is defined as:
46
47 D_i = HASH^count(D_(i-1) || data || salt)
48
49where || denotes concatentaion, D_0 is empty, HASH is the digest
50algorithm in use, HASH^1(data) is simply HASH(data), HASH^2(data)
51is HASH(HASH(data)) and so on.
52
53The initial bytes are used for the key and the subsequent bytes for
54the IV.
55
56=head1 RETURN VALUES
57
58EVP_BytesToKey() returns the size of the derived key in bytes.
59
60=head1 SEE ALSO
61
62L<evp(3)|evp(3)>, L<rand(3)|rand(3)>,
63L<EVP_EncryptInit(3)|EVP_EncryptInit(3)>
64
65=head1 HISTORY
66
67=cut
068
=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod'
--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod 1970-01-01 00:00:00 +0000
+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,511 @@
1=pod
2
3=head1 NAME
4
5EVP_CIPHER_CTX_init, EVP_EncryptInit_ex, EVP_EncryptUpdate,
6EVP_EncryptFinal_ex, EVP_DecryptInit_ex, EVP_DecryptUpdate,
7EVP_DecryptFinal_ex, EVP_CipherInit_ex, EVP_CipherUpdate,
8EVP_CipherFinal_ex, EVP_CIPHER_CTX_set_key_length,
9EVP_CIPHER_CTX_ctrl, EVP_CIPHER_CTX_cleanup, EVP_EncryptInit,
10EVP_EncryptFinal, EVP_DecryptInit, EVP_DecryptFinal,
11EVP_CipherInit, EVP_CipherFinal, EVP_get_cipherbyname,
12EVP_get_cipherbynid, EVP_get_cipherbyobj, EVP_CIPHER_nid,
13EVP_CIPHER_block_size, EVP_CIPHER_key_length, EVP_CIPHER_iv_length,
14EVP_CIPHER_flags, EVP_CIPHER_mode, EVP_CIPHER_type, EVP_CIPHER_CTX_cipher,
15EVP_CIPHER_CTX_nid, EVP_CIPHER_CTX_block_size, EVP_CIPHER_CTX_key_length,
16EVP_CIPHER_CTX_iv_length, EVP_CIPHER_CTX_get_app_data,
17EVP_CIPHER_CTX_set_app_data, EVP_CIPHER_CTX_type, EVP_CIPHER_CTX_flags,
18EVP_CIPHER_CTX_mode, EVP_CIPHER_param_to_asn1, EVP_CIPHER_asn1_to_param,
19EVP_CIPHER_CTX_set_padding - EVP cipher routines
20
21=head1 SYNOPSIS
22
23 #include <openssl/evp.h>
24
25 void EVP_CIPHER_CTX_init(EVP_CIPHER_CTX *a);
26
27 int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
28 ENGINE *impl, unsigned char *key, unsigned char *iv);
29 int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
30 int *outl, unsigned char *in, int inl);
31 int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out,
32 int *outl);
33
34 int EVP_DecryptInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
35 ENGINE *impl, unsigned char *key, unsigned char *iv);
36 int EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
37 int *outl, unsigned char *in, int inl);
38 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
39 int *outl);
40
41 int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
42 ENGINE *impl, unsigned char *key, unsigned char *iv, int enc);
43 int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
44 int *outl, unsigned char *in, int inl);
45 int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
46 int *outl);
47
48 int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
49 unsigned char *key, unsigned char *iv);
50 int EVP_EncryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,
51 int *outl);
52
53 int EVP_DecryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
54 unsigned char *key, unsigned char *iv);
55 int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
56 int *outl);
57
58 int EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type,
59 unsigned char *key, unsigned char *iv, int enc);
60 int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm,
61 int *outl);
62
63 int EVP_CIPHER_CTX_set_padding(EVP_CIPHER_CTX *x, int padding);
64 int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *x, int keylen);
65 int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr);
66 int EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *a);
67
68 const EVP_CIPHER *EVP_get_cipherbyname(const char *name);
69 #define EVP_get_cipherbynid(a) EVP_get_cipherbyname(OBJ_nid2sn(a))
70 #define EVP_get_cipherbyobj(a) EVP_get_cipherbynid(OBJ_obj2nid(a))
71
72 #define EVP_CIPHER_nid(e) ((e)->nid)
73 #define EVP_CIPHER_block_size(e) ((e)->block_size)
74 #define EVP_CIPHER_key_length(e) ((e)->key_len)
75 #define EVP_CIPHER_iv_length(e) ((e)->iv_len)
76 #define EVP_CIPHER_flags(e) ((e)->flags)
77 #define EVP_CIPHER_mode(e) ((e)->flags) & EVP_CIPH_MODE)
78 int EVP_CIPHER_type(const EVP_CIPHER *ctx);
79
80 #define EVP_CIPHER_CTX_cipher(e) ((e)->cipher)
81 #define EVP_CIPHER_CTX_nid(e) ((e)->cipher->nid)
82 #define EVP_CIPHER_CTX_block_size(e) ((e)->cipher->block_size)
83 #define EVP_CIPHER_CTX_key_length(e) ((e)->key_len)
84 #define EVP_CIPHER_CTX_iv_length(e) ((e)->cipher->iv_len)
85 #define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
86 #define EVP_CIPHER_CTX_set_app_data(e,d) ((e)->app_data=(char *)(d))
87 #define EVP_CIPHER_CTX_type(c) EVP_CIPHER_type(EVP_CIPHER_CTX_cipher(c))
88 #define EVP_CIPHER_CTX_flags(e) ((e)->cipher->flags)
89 #define EVP_CIPHER_CTX_mode(e) ((e)->cipher->flags & EVP_CIPH_MODE)
90
91 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
92 int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type);
93
94=head1 DESCRIPTION
95
96The EVP cipher routines are a high level interface to certain
97symmetric ciphers.
98
99EVP_CIPHER_CTX_init() initializes cipher contex B<ctx>.
100
101EVP_EncryptInit_ex() sets up cipher context B<ctx> for encryption
102with cipher B<type> from ENGINE B<impl>. B<ctx> must be initialized
103before calling this function. B<type> is normally supplied
104by a function such as EVP_des_cbc(). If B<impl> is NULL then the
105default implementation is used. B<key> is the symmetric key to use
106and B<iv> is the IV to use (if necessary), the actual number of bytes
107used for the key and IV depends on the cipher. It is possible to set
108all parameters to NULL except B<type> in an initial call and supply
109the remaining parameters in subsequent calls, all of which have B<type>
110set to NULL. This is done when the default cipher parameters are not
111appropriate.
112
113EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
114writes the encrypted version to B<out>. This function can be called
115multiple times to encrypt successive blocks of data. The amount
116of data written depends on the block alignment of the encrypted data:
117as a result the amount of data written may be anything from zero bytes
118to (inl + cipher_block_size - 1) so B<outl> should contain sufficient
119room. The actual number of bytes written is placed in B<outl>.
120
121If padding is enabled (the default) then EVP_EncryptFinal_ex() encrypts
122the "final" data, that is any data that remains in a partial block.
123It uses L<standard block padding|/NOTES> (aka PKCS padding). The encrypted
124final data is written to B<out> which should have sufficient space for
125one cipher block. The number of bytes written is placed in B<outl>. After
126this function is called the encryption operation is finished and no further
127calls to EVP_EncryptUpdate() should be made.
128
129If padding is disabled then EVP_EncryptFinal_ex() will not encrypt any more
130data and it will return an error if any data remains in a partial block:
131that is if the total data length is not a multiple of the block size.
132
133EVP_DecryptInit_ex(), EVP_DecryptUpdate() and EVP_DecryptFinal_ex() are the
134corresponding decryption operations. EVP_DecryptFinal() will return an
135error code if padding is enabled and the final block is not correctly
136formatted. The parameters and restrictions are identical to the encryption
137operations except that if padding is enabled the decrypted data buffer B<out>
138passed to EVP_DecryptUpdate() should have sufficient room for
139(B<inl> + cipher_block_size) bytes unless the cipher block size is 1 in
140which case B<inl> bytes is sufficient.
141
142EVP_CipherInit_ex(), EVP_CipherUpdate() and EVP_CipherFinal_ex() are
143functions that can be used for decryption or encryption. The operation
144performed depends on the value of the B<enc> parameter. It should be set
145to 1 for encryption, 0 for decryption and -1 to leave the value unchanged
146(the actual value of 'enc' being supplied in a previous call).
147
148EVP_CIPHER_CTX_cleanup() clears all information from a cipher context
149and free up any allocated memory associate with it. It should be called
150after all operations using a cipher are complete so sensitive information
151does not remain in memory.
152
153EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a
154similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and
155EVP_CipherInit_ex() except the B<ctx> paramter does not need to be
156initialized and they always use the default cipher implementation.
157
158EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a
159similar way to EVP_EncryptFinal_ex(), EVP_DecryptFinal_ex() and
160EVP_CipherFinal_ex() except B<ctx> is automatically cleaned up
161after the call.
162
163EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
164return an EVP_CIPHER structure when passed a cipher name, a NID or an
165ASN1_OBJECT structure.
166
167EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return the NID of a cipher when
168passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX> structure. The actual NID
169value is an internal value which may not have a corresponding OBJECT
170IDENTIFIER.
171
172EVP_CIPHER_CTX_set_padding() enables or disables padding. By default
173encryption operations are padded using standard block padding and the
174padding is checked and removed when decrypting. If the B<pad> parameter
175is zero then no padding is performed, the total amount of data encrypted
176or decrypted must then be a multiple of the block size or an error will
177occur.
178
179EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
180length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
181structure. The constant B<EVP_MAX_KEY_LENGTH> is the maximum key length
182for all ciphers. Note: although EVP_CIPHER_key_length() is fixed for a
183given cipher, the value of EVP_CIPHER_CTX_key_length() may be different
184for variable key length ciphers.
185
186EVP_CIPHER_CTX_set_key_length() sets the key length of the cipher ctx.
187If the cipher is a fixed length cipher then attempting to set the key
188length to any value other than the fixed value is an error.
189
190EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
191length of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>.
192It will return zero if the cipher does not use an IV. The constant
193B<EVP_MAX_IV_LENGTH> is the maximum IV length for all ciphers.
194
195EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
196size of a cipher when passed an B<EVP_CIPHER> or B<EVP_CIPHER_CTX>
197structure. The constant B<EVP_MAX_IV_LENGTH> is also the maximum block
198length for all ciphers.
199
200EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the type of the passed
201cipher or context. This "type" is the actual NID of the cipher OBJECT
202IDENTIFIER as such it ignores the cipher parameters and 40 bit RC2 and
203128 bit RC2 have the same NID. If the cipher does not have an object
204identifier or does not have ASN1 support this function will return
205B<NID_undef>.
206
207EVP_CIPHER_CTX_cipher() returns the B<EVP_CIPHER> structure when passed
208an B<EVP_CIPHER_CTX> structure.
209
210EVP_CIPHER_mode() and EVP_CIPHER_CTX_mode() return the block cipher mode:
211EVP_CIPH_ECB_MODE, EVP_CIPH_CBC_MODE, EVP_CIPH_CFB_MODE or
212EVP_CIPH_OFB_MODE. If the cipher is a stream cipher then
213EVP_CIPH_STREAM_CIPHER is returned.
214
215EVP_CIPHER_param_to_asn1() sets the AlgorithmIdentifier "parameter" based
216on the passed cipher. This will typically include any parameters and an
217IV. The cipher IV (if any) must be set when this call is made. This call
218should be made before the cipher is actually "used" (before any
219EVP_EncryptUpdate(), EVP_DecryptUpdate() calls for example). This function
220may fail if the cipher does not have any ASN1 support.
221
222EVP_CIPHER_asn1_to_param() sets the cipher parameters based on an ASN1
223AlgorithmIdentifier "parameter". The precise effect depends on the cipher
224In the case of RC2, for example, it will set the IV and effective key length.
225This function should be called after the base cipher type is set but before
226the key is set. For example EVP_CipherInit() will be called with the IV and
227key set to NULL, EVP_CIPHER_asn1_to_param() will be called and finally
228EVP_CipherInit() again with all parameters except the key set to NULL. It is
229possible for this function to fail if the cipher does not have any ASN1 support
230or the parameters cannot be set (for example the RC2 effective key length
231is not supported.
232
233EVP_CIPHER_CTX_ctrl() allows various cipher specific parameters to be determined
234and set. Currently only the RC2 effective key length and the number of rounds of
235RC5 can be set.
236
237=head1 RETURN VALUES
238
239EVP_EncryptInit_ex(), EVP_EncryptUpdate() and EVP_EncryptFinal_ex()
240return 1 for success and 0 for failure.
241
242EVP_DecryptInit_ex() and EVP_DecryptUpdate() return 1 for success and 0 for failure.
243EVP_DecryptFinal_ex() returns 0 if the decrypt failed or 1 for success.
244
245EVP_CipherInit_ex() and EVP_CipherUpdate() return 1 for success and 0 for failure.
246EVP_CipherFinal_ex() returns 0 for a decryption failure or 1 for success.
247
248EVP_CIPHER_CTX_cleanup() returns 1 for success and 0 for failure.
249
250EVP_get_cipherbyname(), EVP_get_cipherbynid() and EVP_get_cipherbyobj()
251return an B<EVP_CIPHER> structure or NULL on error.
252
253EVP_CIPHER_nid() and EVP_CIPHER_CTX_nid() return a NID.
254
255EVP_CIPHER_block_size() and EVP_CIPHER_CTX_block_size() return the block
256size.
257
258EVP_CIPHER_key_length() and EVP_CIPHER_CTX_key_length() return the key
259length.
260
261EVP_CIPHER_CTX_set_padding() always returns 1.
262
263EVP_CIPHER_iv_length() and EVP_CIPHER_CTX_iv_length() return the IV
264length or zero if the cipher does not use an IV.
265
266EVP_CIPHER_type() and EVP_CIPHER_CTX_type() return the NID of the cipher's
267OBJECT IDENTIFIER or NID_undef if it has no defined OBJECT IDENTIFIER.
268
269EVP_CIPHER_CTX_cipher() returns an B<EVP_CIPHER> structure.
270
271EVP_CIPHER_param_to_asn1() and EVP_CIPHER_asn1_to_param() return 1 for
272success or zero for failure.
273
274=head1 CIPHER LISTING
275
276All algorithms have a fixed key length unless otherwise stated.
277
278=over 4
279
280=item EVP_enc_null()
281
282Null cipher: does nothing.
283
284=item EVP_des_cbc(void), EVP_des_ecb(void), EVP_des_cfb(void), EVP_des_ofb(void)
285
286DES in CBC, ECB, CFB and OFB modes respectively.
287
288=item EVP_des_ede_cbc(void), EVP_des_ede(), EVP_des_ede_ofb(void), EVP_des_ede_cfb(void)
289
290Two key triple DES in CBC, ECB, CFB and OFB modes respectively.
291
292=item EVP_des_ede3_cbc(void), EVP_des_ede3(), EVP_des_ede3_ofb(void), EVP_des_ede3_cfb(void)
293
294Three key triple DES in CBC, ECB, CFB and OFB modes respectively.
295
296=item EVP_desx_cbc(void)
297
298DESX algorithm in CBC mode.
299
300=item EVP_rc4(void)
301
302RC4 stream cipher. This is a variable key length cipher with default key length 128 bits.
303
304=item EVP_rc4_40(void)
305
306RC4 stream cipher with 40 bit key length. This is obsolete and new code should use EVP_rc4()
307and the EVP_CIPHER_CTX_set_key_length() function.
308
309=item EVP_idea_cbc() EVP_idea_ecb(void), EVP_idea_cfb(void), EVP_idea_ofb(void), EVP_idea_cbc(void)
310
311IDEA encryption algorithm in CBC, ECB, CFB and OFB modes respectively.
312
313=item EVP_rc2_cbc(void), EVP_rc2_ecb(void), EVP_rc2_cfb(void), EVP_rc2_ofb(void)
314
315RC2 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
316length cipher with an additional parameter called "effective key bits" or "effective key length".
317By default both are set to 128 bits.
318
319=item EVP_rc2_40_cbc(void), EVP_rc2_64_cbc(void)
320
321RC2 algorithm in CBC mode with a default key length and effective key length of 40 and 64 bits.
322These are obsolete and new code should use EVP_rc2_cbc(), EVP_CIPHER_CTX_set_key_length() and
323EVP_CIPHER_CTX_ctrl() to set the key length and effective key length.
324
325=item EVP_bf_cbc(void), EVP_bf_ecb(void), EVP_bf_cfb(void), EVP_bf_ofb(void);
326
327Blowfish encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
328length cipher.
329
330=item EVP_cast5_cbc(void), EVP_cast5_ecb(void), EVP_cast5_cfb(void), EVP_cast5_ofb(void)
331
332CAST encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key
333length cipher.
334
335=item EVP_rc5_32_12_16_cbc(void), EVP_rc5_32_12_16_ecb(void), EVP_rc5_32_12_16_cfb(void), EVP_rc5_32_12_16_ofb(void)
336
337RC5 encryption algorithm in CBC, ECB, CFB and OFB modes respectively. This is a variable key length
338cipher with an additional "number of rounds" parameter. By default the key length is set to 128
339bits and 12 rounds.
340
341=back
342
343=head1 NOTES
344
345Where possible the B<EVP> interface to symmetric ciphers should be used in
346preference to the low level interfaces. This is because the code then becomes
347transparent to the cipher used and much more flexible.
348
349PKCS padding works by adding B<n> padding bytes of value B<n> to make the total
350length of the encrypted data a multiple of the block size. Padding is always
351added so if the data is already a multiple of the block size B<n> will equal
352the block size. For example if the block size is 8 and 11 bytes are to be
353encrypted then 5 padding bytes of value 5 will be added.
354
355When decrypting the final block is checked to see if it has the correct form.
356
357Although the decryption operation can produce an error if padding is enabled,
358it is not a strong test that the input data or key is correct. A random block
359has better than 1 in 256 chance of being of the correct format and problems with
360the input data earlier on will not produce a final decrypt error.
361
362If padding is disabled then the decryption operation will always succeed if
363the total amount of data decrypted is a multiple of the block size.
364
365The functions EVP_EncryptInit(), EVP_EncryptFinal(), EVP_DecryptInit(),
366EVP_CipherInit() and EVP_CipherFinal() are obsolete but are retained for
367compatibility with existing code. New code should use EVP_EncryptInit_ex(),
368EVP_EncryptFinal_ex(), EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(),
369EVP_CipherInit_ex() and EVP_CipherFinal_ex() because they can reuse an
370existing context without allocating and freeing it up on each call.
371
372=head1 BUGS
373
374For RC5 the number of rounds can currently only be set to 8, 12 or 16. This is
375a limitation of the current RC5 code rather than the EVP interface.
376
377EVP_MAX_KEY_LENGTH and EVP_MAX_IV_LENGTH only refer to the internal ciphers with
378default key lengths. If custom ciphers exceed these values the results are
379unpredictable. This is because it has become standard practice to define a
380generic key as a fixed unsigned char array containing EVP_MAX_KEY_LENGTH bytes.
381
382The ASN1 code is incomplete (and sometimes inaccurate) it has only been tested
383for certain common S/MIME ciphers (RC2, DES, triple DES) in CBC mode.
384
385=head1 EXAMPLES
386
387Get the number of rounds used in RC5:
388
389 int nrounds;
390 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC5_ROUNDS, 0, &nrounds);
391
392Get the RC2 effective key length:
393
394 int key_bits;
395 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GET_RC2_KEY_BITS, 0, &key_bits);
396
397Set the number of rounds used in RC5:
398
399 int nrounds;
400 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC5_ROUNDS, nrounds, NULL);
401
402Set the effective key length used in RC2:
403
404 int key_bits;
405 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_SET_RC2_KEY_BITS, key_bits, NULL);
406
407Encrypt a string using blowfish:
408
409 int do_crypt(char *outfile)
410 {
411 unsigned char outbuf[1024];
412 int outlen, tmplen;
413 /* Bogus key and IV: we'd normally set these from
414 * another source.
415 */
416 unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
417 unsigned char iv[] = {1,2,3,4,5,6,7,8};
418 char intext[] = "Some Crypto Text";
419 EVP_CIPHER_CTX ctx;
420 FILE *out;
421 EVP_CIPHER_CTX_init(&ctx);
422 EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv);
423
424 if(!EVP_EncryptUpdate(&ctx, outbuf, &outlen, intext, strlen(intext)))
425 {
426 /* Error */
427 return 0;
428 }
429 /* Buffer passed to EVP_EncryptFinal() must be after data just
430 * encrypted to avoid overwriting it.
431 */
432 if(!EVP_EncryptFinal_ex(&ctx, outbuf + outlen, &tmplen))
433 {
434 /* Error */
435 return 0;
436 }
437 outlen += tmplen;
438 EVP_CIPHER_CTX_cleanup(&ctx);
439 /* Need binary mode for fopen because encrypted data is
440 * binary data. Also cannot use strlen() on it because
441 * it wont be null terminated and may contain embedded
442 * nulls.
443 */
444 out = fopen(outfile, "wb");
445 fwrite(outbuf, 1, outlen, out);
446 fclose(out);
447 return 1;
448 }
449
450The ciphertext from the above example can be decrypted using the B<openssl>
451utility with the command line:
452
453 S<openssl bf -in cipher.bin -K 000102030405060708090A0B0C0D0E0F -iv 0102030405060708 -d>
454
455General encryption, decryption function example using FILE I/O and RC2 with an
45680 bit key:
457
458 int do_crypt(FILE *in, FILE *out, int do_encrypt)
459 {
460 /* Allow enough space in output buffer for additional block */
461 inbuf[1024], outbuf[1024 + EVP_MAX_BLOCK_LENGTH];
462 int inlen, outlen;
463 /* Bogus key and IV: we'd normally set these from
464 * another source.
465 */
466 unsigned char key[] = "0123456789";
467 unsigned char iv[] = "12345678";
468 /* Don't set key or IV because we will modify the parameters */
469 EVP_CIPHER_CTX_init(&ctx);
470 EVP_CipherInit_ex(&ctx, EVP_rc2(), NULL, NULL, NULL, do_encrypt);
471 EVP_CIPHER_CTX_set_key_length(&ctx, 10);
472 /* We finished modifying parameters so now we can set key and IV */
473 EVP_CipherInit_ex(&ctx, NULL, NULL, key, iv, do_encrypt);
474
475 for(;;)
476 {
477 inlen = fread(inbuf, 1, 1024, in);
478 if(inlen <= 0) break;
479 if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
480 {
481 /* Error */
482 EVP_CIPHER_CTX_cleanup(&ctx);
483 return 0;
484 }
485 fwrite(outbuf, 1, outlen, out);
486 }
487 if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
488 {
489 /* Error */
490 EVP_CIPHER_CTX_cleanup(&ctx);
491 return 0;
492 }
493 fwrite(outbuf, 1, outlen, out);
494
495 EVP_CIPHER_CTX_cleanup(&ctx);
496 return 1;
497 }
498
499
500=head1 SEE ALSO
501
502L<evp(3)|evp(3)>
503
504=head1 HISTORY
505
506EVP_CIPHER_CTX_init(), EVP_EncryptInit_ex(), EVP_EncryptFinal_ex(),
507EVP_DecryptInit_ex(), EVP_DecryptFinal_ex(), EVP_CipherInit_ex(),
508EVP_CipherFinal_ex() and EVP_CIPHER_CTX_set_padding() appeared in
509OpenSSL 0.9.7.
510
511=cut
0512
=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod'
--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod 1970-01-01 00:00:00 +0000
+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,61 @@
1=pod
2
3=head1 NAME
4
5EVP_PKEY_copy_parameters, EVP_PKEY_missing_parameters, EVP_PKEY_cmp_parameters, EVP_PKEY_cmp - public key parameter and comparison functions
6
7=head1 SYNOPSIS
8
9 #include <openssl/evp.h>
10
11 int EVP_PKEY_missing_parameters(const EVP_PKEY *pkey);
12 int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from);
13
14 int EVP_PKEY_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b);
15 int EVP_PKEY_cmp(const EVP_PKEY *a, const EVP_PKEY *b);
16
17=head1 DESCRIPTION
18
19The function EVP_PKEY_missing_parameters() returns 1 if the public key
20parameters of B<pkey> are missing and 0 if they are present or the algorithm
21doesn't use parameters.
22
23The function EVP_PKEY_copy_parameters() copies the parameters from key
24B<from> to key B<to>.
25
26The funcion EVP_PKEY_cmp_parameters() compares the parameters of keys
27B<a> and B<b>.
28
29The funcion EVP_PKEY_cmp() compares the public key components and paramters
30(if present) of keys B<a> and B<b>.
31
32=head1 NOTES
33
34The main purpose of the functions EVP_PKEY_missing_parameters() and
35EVP_PKEY_copy_parameters() is to handle public keys in certificates where the
36parameters are sometimes omitted from a public key if they are inherited from
37the CA that signed it.
38
39Since OpenSSL private keys contain public key components too the function
40EVP_PKEY_cmp() can also be used to determine if a private key matches
41a public key.
42
43=head1 RETURN VALUES
44
45The function EVP_PKEY_missing_parameters() returns 1 if the public key
46parameters of B<pkey> are missing and 0 if they are present or the algorithm
47doesn't use parameters.
48
49These functions EVP_PKEY_copy_parameters() returns 1 for success and 0 for
50failure.
51
52The function EVP_PKEY_cmp_parameters() and EVP_PKEY_cmp() return 1 if the
53keys match, 0 if they don't match, -1 if the key types are different and
54-2 if the operation is not supported.
55
56=head1 SEE ALSO
57
58L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
59L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
60
61=cut
062
=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod'
--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod 1970-01-01 00:00:00 +0000
+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,303 @@
1=pod
2
3=head1 NAME
4
5X509_STORE_CTX_get_error, X509_STORE_CTX_set_error, X509_STORE_CTX_get_error_depth, X509_STORE_CTX_get_current_cert, X509_STORE_CTX_get1_chain, X509_verify_cert_error_string - get or set certificate verification status information
6
7=head1 SYNOPSIS
8
9 #include <openssl/x509.h>
10 #include <openssl/x509_vfy.h>
11
12 int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
13 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx,int s);
14 int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
15 X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
16
17 STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx);
18
19 const char *X509_verify_cert_error_string(long n);
20
21=head1 DESCRIPTION
22
23These functions are typically called after X509_verify_cert() has indicated
24an error or in a verification callback to determine the nature of an error.
25
26X509_STORE_CTX_get_error() returns the error code of B<ctx>, see
27the B<ERROR CODES> section for a full description of all error codes.
28
29X509_STORE_CTX_set_error() sets the error code of B<ctx> to B<s>. For example
30it might be used in a verification callback to set an error based on additional
31checks.
32
33X509_STORE_CTX_get_error_depth() returns the B<depth> of the error. This is a
34non-negative integer representing where in the certificate chain the error
35occurred. If it is zero it occured in the end entity certificate, one if
36it is the certificate which signed the end entity certificate and so on.
37
38X509_STORE_CTX_get_current_cert() returns the certificate in B<ctx> which
39caused the error or B<NULL> if no certificate is relevant.
40
41X509_STORE_CTX_get1_chain() returns a complete validate chain if a previous
42call to X509_verify_cert() is successful. If the call to X509_verify_cert()
43is B<not> successful the returned chain may be incomplete or invalid. The
44returned chain persists after the B<ctx> structure is freed, when it is
45no longer needed it should be free up using:
46
47 sk_X509_pop_free(chain, X509_free);
48
49X509_verify_cert_error_string() returns a human readable error string for
50verification error B<n>.
51
52=head1 RETURN VALUES
53
54X509_STORE_CTX_get_error() returns B<X509_V_OK> or an error code.
55
56X509_STORE_CTX_get_error_depth() returns a non-negative error depth.
57
58X509_STORE_CTX_get_current_cert() returns the cerificate which caused the
59error or B<NULL> if no certificate is relevant to the error.
60
61X509_verify_cert_error_string() returns a human readable error string for
62verification error B<n>.
63
64=head1 ERROR CODES
65
66A list of error codes and messages is shown below. Some of the
67error codes are defined but currently never returned: these are described as
68"unused".
69
70=over 4
71
72=item B<X509_V_OK: ok>
73
74the operation was successful.
75
76=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
77
78the issuer certificate could not be found: this occurs if the issuer certificate
79of an untrusted certificate cannot be found.
80
81=item B<X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
82
83the CRL of a certificate could not be found.
84
85=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: unable to decrypt certificate's signature>
86
87the certificate signature could not be decrypted. This means that the actual
88signature value could not be determined rather than it not matching the
89expected value, this is only meaningful for RSA keys.
90
91=item B<X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: unable to decrypt CRL's signature>
92
93the CRL signature could not be decrypted: this means that the actual signature
94value could not be determined rather than it not matching the expected value.
95Unused.
96
97=item B<X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: unable to decode issuer public key>
98
99the public key in the certificate SubjectPublicKeyInfo could not be read.
100
101=item B<X509_V_ERR_CERT_SIGNATURE_FAILURE: certificate signature failure>
102
103the signature of the certificate is invalid.
104
105=item B<X509_V_ERR_CRL_SIGNATURE_FAILURE: CRL signature failure>
106
107the signature of the certificate is invalid.
108
109=item B<X509_V_ERR_CERT_NOT_YET_VALID: certificate is not yet valid>
110
111the certificate is not yet valid: the notBefore date is after the current time.
112
113=item B<X509_V_ERR_CERT_HAS_EXPIRED: certificate has expired>
114
115the certificate has expired: that is the notAfter date is before the current time.
116
117=item B<X509_V_ERR_CRL_NOT_YET_VALID: CRL is not yet valid>
118
119the CRL is not yet valid.
120
121=item B<X509_V_ERR_CRL_HAS_EXPIRED: CRL has expired>
122
123the CRL has expired.
124
125=item B<X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: format error in certificate's notBefore field>
126
127the certificate notBefore field contains an invalid time.
128
129=item B<X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: format error in certificate's notAfter field>
130
131the certificate notAfter field contains an invalid time.
132
133=item B<X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: format error in CRL's lastUpdate field>
134
135the CRL lastUpdate field contains an invalid time.
136
137=item B<X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: format error in CRL's nextUpdate field>
138
139the CRL nextUpdate field contains an invalid time.
140
141=item B<X509_V_ERR_OUT_OF_MEM: out of memory>
142
143an error occurred trying to allocate memory. This should never happen.
144
145=item B<X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate>
146
147the passed certificate is self signed and the same certificate cannot be found
148in the list of trusted certificates.
149
150=item B<X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain>
151
152the certificate chain could be built up using the untrusted certificates but
153the root could not be found locally.
154
155=item B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
156
157the issuer certificate of a locally looked up certificate could not be found.
158This normally means the list of trusted certificates is not complete.
159
160=item B<X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
161
162no signatures could be verified because the chain contains only one certificate
163and it is not self signed.
164
165=item B<X509_V_ERR_CERT_CHAIN_TOO_LONG: certificate chain too long>
166
167the certificate chain length is greater than the supplied maximum depth. Unused.
168
169=item B<X509_V_ERR_CERT_REVOKED: certificate revoked>
170
171the certificate has been revoked.
172
173=item B<X509_V_ERR_INVALID_CA: invalid CA certificate>
174
175a CA certificate is invalid. Either it is not a CA or its extensions are not
176consistent with the supplied purpose.
177
178=item B<X509_V_ERR_PATH_LENGTH_EXCEEDED: path length constraint exceeded>
179
180the basicConstraints pathlength parameter has been exceeded.
181
182=item B<X509_V_ERR_INVALID_PURPOSE: unsupported certificate purpose>
183
184the supplied certificate cannot be used for the specified purpose.
185
186=item B<X509_V_ERR_CERT_UNTRUSTED: certificate not trusted>
187
188the root CA is not marked as trusted for the specified purpose.
189
190=item B<X509_V_ERR_CERT_REJECTED: certificate rejected>
191
192the root CA is marked to reject the specified purpose.
193
194=item B<X509_V_ERR_SUBJECT_ISSUER_MISMATCH: subject issuer mismatch>
195
196the current candidate issuer certificate was rejected because its subject name
197did not match the issuer name of the current certificate. This is only set
198if issuer check debugging is enabled it is used for status notification and
199is B<not> in itself an error.
200
201=item B<X509_V_ERR_AKID_SKID_MISMATCH: authority and subject key identifier mismatch>
202
203the current candidate issuer certificate was rejected because its subject key
204identifier was present and did not match the authority key identifier current
205certificate. This is only set if issuer check debugging is enabled it is used
206for status notification and is B<not> in itself an error.
207
208=item B<X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: authority and issuer serial number mismatch>
209
210the current candidate issuer certificate was rejected because its issuer name
211and serial number was present and did not match the authority key identifier of
212the current certificate. This is only set if issuer check debugging is enabled
213it is used for status notification and is B<not> in itself an error.
214
215=item B<X509_V_ERR_KEYUSAGE_NO_CERTSIGN:key usage does not include certificate signing>
216
217the current candidate issuer certificate was rejected because its keyUsage
218extension does not permit certificate signing. This is only set if issuer check
219debugging is enabled it is used for status notification and is B<not> in itself
220an error.
221
222=item B<X509_V_ERR_INVALID_EXTENSION: invalid or inconsistent certificate extension>
223
224A certificate extension had an invalid value (for example an incorrect
225encoding) or some value inconsistent with other extensions.
226
227
228=item B<X509_V_ERR_INVALID_POLICY_EXTENSION: invalid or inconsistent certificate policy extension>
229
230A certificate policies extension had an invalid value (for example an incorrect
231encoding) or some value inconsistent with other extensions. This error only
232occurs if policy processing is enabled.
233
234=item B<X509_V_ERR_NO_EXPLICIT_POLICY: no explicit policy>
235
236The verification flags were set to require and explicit policy but none was
237present.
238
239=item B<X509_V_ERR_DIFFERENT_CRL_SCOPE: Different CRL scope>
240
241The only CRLs that could be found did not match the scope of the certificate.
242
243=item B<X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: Unsupported extension feature>
244
245Some feature of a certificate extension is not supported. Unused.
246
247=item B<X509_V_ERR_PERMITTED_VIOLATION: permitted subtree violation>
248
249A name constraint violation occured in the permitted subtrees.
250
251=item B<X509_V_ERR_EXCLUDED_VIOLATION: excluded subtree violation>
252
253A name constraint violation occured in the excluded subtrees.
254
255=item B<X509_V_ERR_SUBTREE_MINMAX: name constraints minimum and maximum not supported>
256
257A certificate name constraints extension included a minimum or maximum field:
258this is not supported.
259
260=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: unsupported name constraint type>
261
262An unsupported name constraint type was encountered. OpenSSL currently only
263supports directory name, DNS name, email and URI types.
264
265=item B<X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: unsupported or invalid name constraint syntax>
266
267The format of the name constraint is not recognised: for example an email
268address format of a form not mentioned in RFC3280. This could be caused by
269a garbage extension or some new feature not currently supported.
270
271=item B<X509_V_ERR_CRL_PATH_VALIDATION_ERROR: CRL path validation error>
272
273An error occured when attempting to verify the CRL path. This error can only
274happen if extended CRL checking is enabled.
275
276=item B<X509_V_ERR_APPLICATION_VERIFICATION: application verification failure>
277
278an application specific error. This will never be returned unless explicitly
279set by an application.
280
281=head1 NOTES
282
283The above functions should be used instead of directly referencing the fields
284in the B<X509_VERIFY_CTX> structure.
285
286In versions of OpenSSL before 1.0 the current certificate returned by
287X509_STORE_CTX_get_current_cert() was never B<NULL>. Applications should
288check the return value before printing out any debugging information relating
289to the current certificate.
290
291If an unrecognised error code is passed to X509_verify_cert_error_string() the
292numerical value of the unknown code is returned in a static buffer. This is not
293thread safe but will never happen unless an invalid code is passed.
294
295=head1 SEE ALSO
296
297L<X509_verify_cert(3)|X509_verify_cert(3)>
298
299=head1 HISTORY
300
301TBA
302
303=cut
0304
=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod'
--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod 1970-01-01 00:00:00 +0000
+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,476 @@
1=pod
2
3=head1 NAME
4
5PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams, PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines
6
7=head1 SYNOPSIS
8
9 #include <openssl/pem.h>
10
11 EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x,
12 pem_password_cb *cb, void *u);
13
14 EVP_PKEY *PEM_read_PrivateKey(FILE *fp, EVP_PKEY **x,
15 pem_password_cb *cb, void *u);
16
17 int PEM_write_bio_PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
18 unsigned char *kstr, int klen,
19 pem_password_cb *cb, void *u);
20
21 int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
22 unsigned char *kstr, int klen,
23 pem_password_cb *cb, void *u);
24
25 int PEM_write_bio_PKCS8PrivateKey(BIO *bp, EVP_PKEY *x, const EVP_CIPHER *enc,
26 char *kstr, int klen,
27 pem_password_cb *cb, void *u);
28
29 int PEM_write_PKCS8PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
30 char *kstr, int klen,
31 pem_password_cb *cb, void *u);
32
33 int PEM_write_bio_PKCS8PrivateKey_nid(BIO *bp, EVP_PKEY *x, int nid,
34 char *kstr, int klen,
35 pem_password_cb *cb, void *u);
36
37 int PEM_write_PKCS8PrivateKey_nid(FILE *fp, EVP_PKEY *x, int nid,
38 char *kstr, int klen,
39 pem_password_cb *cb, void *u);
40
41 EVP_PKEY *PEM_read_bio_PUBKEY(BIO *bp, EVP_PKEY **x,
42 pem_password_cb *cb, void *u);
43
44 EVP_PKEY *PEM_read_PUBKEY(FILE *fp, EVP_PKEY **x,
45 pem_password_cb *cb, void *u);
46
47 int PEM_write_bio_PUBKEY(BIO *bp, EVP_PKEY *x);
48 int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
49
50 RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x,
51 pem_password_cb *cb, void *u);
52
53 RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x,
54 pem_password_cb *cb, void *u);
55
56 int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
57 unsigned char *kstr, int klen,
58 pem_password_cb *cb, void *u);
59
60 int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
61 unsigned char *kstr, int klen,
62 pem_password_cb *cb, void *u);
63
64 RSA *PEM_read_bio_RSAPublicKey(BIO *bp, RSA **x,
65 pem_password_cb *cb, void *u);
66
67 RSA *PEM_read_RSAPublicKey(FILE *fp, RSA **x,
68 pem_password_cb *cb, void *u);
69
70 int PEM_write_bio_RSAPublicKey(BIO *bp, RSA *x);
71
72 int PEM_write_RSAPublicKey(FILE *fp, RSA *x);
73
74 RSA *PEM_read_bio_RSA_PUBKEY(BIO *bp, RSA **x,
75 pem_password_cb *cb, void *u);
76
77 RSA *PEM_read_RSA_PUBKEY(FILE *fp, RSA **x,
78 pem_password_cb *cb, void *u);
79
80 int PEM_write_bio_RSA_PUBKEY(BIO *bp, RSA *x);
81
82 int PEM_write_RSA_PUBKEY(FILE *fp, RSA *x);
83
84 DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **x,
85 pem_password_cb *cb, void *u);
86
87 DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **x,
88 pem_password_cb *cb, void *u);
89
90 int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
91 unsigned char *kstr, int klen,
92 pem_password_cb *cb, void *u);
93
94 int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
95 unsigned char *kstr, int klen,
96 pem_password_cb *cb, void *u);
97
98 DSA *PEM_read_bio_DSA_PUBKEY(BIO *bp, DSA **x,
99 pem_password_cb *cb, void *u);
100
101 DSA *PEM_read_DSA_PUBKEY(FILE *fp, DSA **x,
102 pem_password_cb *cb, void *u);
103
104 int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x);
105
106 int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x);
107
108 DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u);
109
110 DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u);
111
112 int PEM_write_bio_DSAparams(BIO *bp, DSA *x);
113
114 int PEM_write_DSAparams(FILE *fp, DSA *x);
115
116 DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u);
117
118 DH *PEM_read_DHparams(FILE *fp, DH **x, pem_password_cb *cb, void *u);
119
120 int PEM_write_bio_DHparams(BIO *bp, DH *x);
121
122 int PEM_write_DHparams(FILE *fp, DH *x);
123
124 X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
125
126 X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
127
128 int PEM_write_bio_X509(BIO *bp, X509 *x);
129
130 int PEM_write_X509(FILE *fp, X509 *x);
131
132 X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
133
134 X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
135
136 int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
137
138 int PEM_write_X509_AUX(FILE *fp, X509 *x);
139
140 X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x,
141 pem_password_cb *cb, void *u);
142
143 X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x,
144 pem_password_cb *cb, void *u);
145
146 int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x);
147
148 int PEM_write_X509_REQ(FILE *fp, X509_REQ *x);
149
150 int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x);
151
152 int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x);
153
154 X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x,
155 pem_password_cb *cb, void *u);
156 X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x,
157 pem_password_cb *cb, void *u);
158 int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x);
159 int PEM_write_X509_CRL(FILE *fp, X509_CRL *x);
160
161 PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u);
162
163 PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u);
164
165 int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x);
166
167 int PEM_write_PKCS7(FILE *fp, PKCS7 *x);
168
169 NETSCAPE_CERT_SEQUENCE *PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp,
170 NETSCAPE_CERT_SEQUENCE **x,
171 pem_password_cb *cb, void *u);
172
173 NETSCAPE_CERT_SEQUENCE *PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp,
174 NETSCAPE_CERT_SEQUENCE **x,
175 pem_password_cb *cb, void *u);
176
177 int PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE *x);
178
179 int PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE *x);
180
181=head1 DESCRIPTION
182
183The PEM functions read or write structures in PEM format. In
184this sense PEM format is simply base64 encoded data surrounded
185by header lines.
186
187For more details about the meaning of arguments see the
188B<PEM FUNCTION ARGUMENTS> section.
189
190Each operation has four functions associated with it. For
191clarity the term "B<foobar> functions" will be used to collectively
192refer to the PEM_read_bio_foobar(), PEM_read_foobar(),
193PEM_write_bio_foobar() and PEM_write_foobar() functions.
194
195The B<PrivateKey> functions read or write a private key in
196PEM format using an EVP_PKEY structure. The write routines use
197"traditional" private key format and can handle both RSA and DSA
198private keys. The read functions can additionally transparently
199handle PKCS#8 format encrypted and unencrypted keys too.
200
201PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey()
202write a private key in an EVP_PKEY structure in PKCS#8
203EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption
204algorithms. The B<cipher> argument specifies the encryption algoritm to
205use: unlike all other PEM routines the encryption is applied at the
206PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no
207encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead.
208
209PEM_write_bio_PKCS8PrivateKey_nid() and PEM_write_PKCS8PrivateKey_nid()
210also write out a private key as a PKCS#8 EncryptedPrivateKeyInfo however
211it uses PKCS#5 v1.5 or PKCS#12 encryption algorithms instead. The algorithm
212to use is specified in the B<nid> parameter and should be the NID of the
213corresponding OBJECT IDENTIFIER (see NOTES section).
214
215The B<PUBKEY> functions process a public key using an EVP_PKEY
216structure. The public key is encoded as a SubjectPublicKeyInfo
217structure.
218
219The B<RSAPrivateKey> functions process an RSA private key using an
220RSA structure. It handles the same formats as the B<PrivateKey>
221functions but an error occurs if the private key is not RSA.
222
223The B<RSAPublicKey> functions process an RSA public key using an
224RSA structure. The public key is encoded using a PKCS#1 RSAPublicKey
225structure.
226
227The B<RSA_PUBKEY> functions also process an RSA public key using
228an RSA structure. However the public key is encoded using a
229SubjectPublicKeyInfo structure and an error occurs if the public
230key is not RSA.
231
232The B<DSAPrivateKey> functions process a DSA private key using a
233DSA structure. It handles the same formats as the B<PrivateKey>
234functions but an error occurs if the private key is not DSA.
235
236The B<DSA_PUBKEY> functions process a DSA public key using
237a DSA structure. The public key is encoded using a
238SubjectPublicKeyInfo structure and an error occurs if the public
239key is not DSA.
240
241The B<DSAparams> functions process DSA parameters using a DSA
242structure. The parameters are encoded using a foobar structure.
243
244The B<DHparams> functions process DH parameters using a DH
245structure. The parameters are encoded using a PKCS#3 DHparameter
246structure.
247
248The B<X509> functions process an X509 certificate using an X509
249structure. They will also process a trusted X509 certificate but
250any trust settings are discarded.
251
252The B<X509_AUX> functions process a trusted X509 certificate using
253an X509 structure.
254
255The B<X509_REQ> and B<X509_REQ_NEW> functions process a PKCS#10
256certificate request using an X509_REQ structure. The B<X509_REQ>
257write functions use B<CERTIFICATE REQUEST> in the header whereas
258the B<X509_REQ_NEW> functions use B<NEW CERTIFICATE REQUEST>
259(as required by some CAs). The B<X509_REQ> read functions will
260handle either form so there are no B<X509_REQ_NEW> read functions.
261
262The B<X509_CRL> functions process an X509 CRL using an X509_CRL
263structure.
264
265The B<PKCS7> functions process a PKCS#7 ContentInfo using a PKCS7
266structure.
267
268The B<NETSCAPE_CERT_SEQUENCE> functions process a Netscape Certificate
269Sequence using a NETSCAPE_CERT_SEQUENCE structure.
270
271=head1 PEM FUNCTION ARGUMENTS
272
273The PEM functions have many common arguments.
274
275The B<bp> BIO parameter (if present) specifies the BIO to read from
276or write to.
277
278The B<fp> FILE parameter (if present) specifies the FILE pointer to
279read from or write to.
280
281The PEM read functions all take an argument B<TYPE **x> and return
The diff has been truncated for viewing.

Subscribers

People subscribed via source and target branches

to all changes: