Merge lp:~sbeattie/ubuntu/oneiric/openssl/lp850608 into lp:ubuntu/oneiric/openssl

Proposed by Steve Beattie
Status: Merged
Merged at revision: 58
Proposed branch: lp:~sbeattie/ubuntu/oneiric/openssl/lp850608
Merge into: lp:ubuntu/oneiric/openssl
Diff against target: 27465 lines (+20613/-1941)
206 files modified
.pc/Bsymbolic-functions.patch/Configure (+2/-1)
.pc/aesni.patch/Configure (+2/-1)
.pc/aesni.patch/util/libeay.num (+5/-0)
.pc/applied-patches (+12/-0)
.pc/block_diginotar.patch/crypto/x509/x509_vfy.c (+2219/-0)
.pc/c_rehash-multi.patch/tools/c_rehash.in (+192/-0)
.pc/config-hurd.patch/config (+4/-0)
.pc/dgst_hmac.patch/apps/dgst.c (+632/-0)
.pc/dgst_hmac.patch/doc/apps/dgst.pod (+162/-0)
.pc/engines-path.patch/Configure (+2/-1)
.pc/gnu_source.patch/crypto/dso/dso_dlfcn.c (+1/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod (+265/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod (+115/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_BytesToKey.pod (+67/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_EncryptInit.pod (+511/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/EVP_PKEY_cmp.pod (+61/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/X509_STORE_CTX_get_error.pod (+303/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/pem.pod (+476/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_client_CA_list.pod (+94/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_set_verify.pod (+294/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+102/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_accept.pod (+76/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_connect.pod (+73/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_do_handshake.pod (+75/-0)
.pc/libdoc-manpgs-pod-spell.patch/doc/ssl/SSL_shutdown.pod (+125/-0)
.pc/libssl-misspell.patch/crypto/asn1/asn1_err.c (+329/-0)
.pc/openssl-pod-misspell.patch/apps/ca.c (+2985/-0)
.pc/openssl-pod-misspell.patch/apps/ecparam.c (+731/-0)
.pc/openssl-pod-misspell.patch/crypto/evp/encode.c (+445/-0)
.pc/openssl-pod-misspell.patch/doc/apps/config.pod (+279/-0)
.pc/openssl-pod-misspell.patch/doc/apps/genpkey.pod (+213/-0)
.pc/openssl-pod-misspell.patch/doc/apps/openssl.pod (+422/-0)
.pc/openssl-pod-misspell.patch/doc/apps/req.pod (+678/-0)
.pc/openssl-pod-misspell.patch/doc/apps/ts.pod (+594/-0)
.pc/openssl-pod-misspell.patch/doc/apps/tsget.pod (+194/-0)
.pc/openssl-pod-misspell.patch/doc/apps/x509v3_config.pod (+529/-0)
.pc/pic.patch/crypto/perlasm/cbc.pl (+0/-2)
.pc/pkcs12-doc.patch/doc/apps/pkcs12.pod (+363/-0)
.pc/pod_ec.misspell.patch/doc/apps/ec.pod (+190/-0)
.pc/pod_pksc12.misspell.patch/doc/apps/pkcs12.pod (+363/-0)
.pc/pod_req_misspell2.patch/doc/apps/req.pod (+678/-0)
.pc/pod_s_server.misspell.patch/doc/apps/s_server.pod (+355/-0)
.pc/pod_x509setflags.misspell.patch/doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+171/-0)
.pc/shared-lib-ext.patch/Configure (+2/-1)
.pc/version-script.patch/Configure (+2/-1)
CHANGES (+42/-1)
Configure (+2/-1)
FAQ (+1/-1)
INSTALL.VMS (+24/-30)
Makefile (+1/-1)
Makefile.bak (+640/-0)
NEWS (+8/-0)
README (+1/-1)
VMS/install-vms.com (+67/-0)
VMS/install.com (+0/-79)
VMS/mkshared.com (+163/-99)
VMS/openssl_startup.com (+108/-0)
VMS/openssl_undo.com (+20/-0)
apps/CA.com (+58/-42)
apps/apps.c (+6/-0)
apps/asn1pars.c (+1/-0)
apps/ca.c (+1/-1)
apps/dgst.c (+2/-0)
apps/ecparam.c (+2/-2)
apps/enc.c (+4/-0)
apps/install-apps.com (+107/-0)
apps/install.com (+0/-65)
apps/makeapps.com (+231/-118)
apps/openssl.c (+62/-2)
apps/pkcs12.c (+1/-1)
apps/speed.c (+2/-0)
apps/vms_decc_init.c (+188/-0)
config (+4/-0)
crypto/LPdir_vms.c (+28/-21)
crypto/alphacpuid.pl (+3/-5)
crypto/asn1/a_object.c (+2/-2)
crypto/asn1/asn1_err.c (+1/-1)
crypto/asn1/bio_ndef.c (+0/-3)
crypto/asn1/x_name.c (+5/-2)
crypto/bio/b_sock.c (+28/-1)
crypto/bio/bss_dgram.c (+12/-6)
crypto/bio/bss_log.c (+29/-3)
crypto/bn/asm/alpha-mont.pl (+1/-1)
crypto/bn/asm/s390x-mont.pl (+2/-2)
crypto/bn/bn.h (+18/-0)
crypto/bn/bn_gf2m.c (+1/-0)
crypto/bn/bn_mont.c (+1/-1)
crypto/bn/bn_nist.c (+36/-28)
crypto/conf/conf_api.c (+1/-0)
crypto/cryptlib.c (+0/-1)
crypto/crypto-lib.com (+241/-129)
crypto/dsa/dsa_pmeth.c (+1/-0)
crypto/dso/dso_dlfcn.c (+1/-0)
crypto/dso/dso_vms.c (+103/-82)
crypto/ecdsa/ecdsatest.c (+2/-3)
crypto/ecdsa/ecs_ossl.c (+8/-0)
crypto/evp/encode.c (+1/-1)
crypto/evp/evp_test.c (+1/-0)
crypto/hmac/hm_pmeth.c (+2/-0)
crypto/install-crypto.com (+196/-0)
crypto/install.com (+0/-150)
crypto/o_time.c (+14/-8)
crypto/ocsp/ocsp_lib.c (+4/-4)
crypto/opensslv.h (+3/-3)
crypto/perlasm/cbc.pl (+0/-2)
crypto/rand/rand_vms.c (+14/-2)
crypto/rand/randfile.c (+2/-0)
crypto/rsa/rsa_oaep.c (+13/-7)
crypto/stack/safestack.h (+25/-25)
crypto/vms_rms.h (+51/-0)
crypto/x509/x509_vfy.c (+31/-0)
debian/changelog (+77/-0)
debian/libssl1.0.0.postinst (+5/-1)
debian/patches/Bsymbolic-functions.patch (+7/-3)
debian/patches/aesni.patch (+29/-14)
debian/patches/block_diginotar.patch (+64/-0)
debian/patches/c_rehash-multi.patch (+86/-0)
debian/patches/debian-targets.patch (+3/-2)
debian/patches/dgst_hmac.patch (+51/-0)
debian/patches/libdoc-manpgs-pod-spell.patch (+236/-0)
debian/patches/libssl-misspell.patch (+11/-0)
debian/patches/openssl-pod-misspell.patch (+137/-0)
debian/patches/pkcs12-doc.patch (+36/-0)
debian/patches/pod_ec.misspell.patch (+11/-0)
debian/patches/pod_pksc12.misspell.patch (+11/-0)
debian/patches/pod_req_misspell2.patch (+12/-0)
debian/patches/pod_s_server.misspell.patch (+11/-0)
debian/patches/pod_x509setflags.misspell.patch (+11/-0)
debian/patches/rehash_pod.patch (+2/-2)
debian/patches/series (+12/-0)
debian/patches/version-script.patch (+22/-4)
debian/rules (+3/-1)
doc/apps/c_rehash.pod (+2/-2)
doc/apps/config.pod (+1/-1)
doc/apps/dgst.pod (+10/-0)
doc/apps/ec.pod (+1/-1)
doc/apps/genpkey.pod (+2/-0)
doc/apps/openssl.pod (+2/-2)
doc/apps/pkcs12.pod (+7/-2)
doc/apps/req.pod (+2/-2)
doc/apps/s_server.pod (+1/-1)
doc/apps/ts.pod (+2/-2)
doc/apps/tsget.pod (+1/-1)
doc/apps/x509v3_config.pod (+1/-1)
doc/crypto/ASN1_generate_nconf.pod (+1/-1)
doc/crypto/BN_BLINDING_new.pod (+1/-1)
doc/crypto/EVP_BytesToKey.pod (+1/-1)
doc/crypto/EVP_EncryptInit.pod (+1/-1)
doc/crypto/EVP_PKEY_cmp.pod (+1/-1)
doc/crypto/X509_STORE_CTX_get_error.pod (+2/-0)
doc/crypto/X509_VERIFY_PARAM_set_flags.pod (+1/-1)
doc/crypto/pem.pod (+1/-1)
doc/ssl/SSL_CTX_set_client_CA_list.pod (+4/-0)
doc/ssl/SSL_CTX_set_verify.pod (+2/-2)
doc/ssl/SSL_CTX_use_psk_identity_hint.pod (+8/-0)
doc/ssl/SSL_accept.pod (+8/-0)
doc/ssl/SSL_connect.pod (+11/-11)
doc/ssl/SSL_do_handshake.pod (+8/-0)
doc/ssl/SSL_shutdown.pod (+8/-0)
doc/ssl/ssl.pod (+1/-1)
engines/ccgost/gost_crypt.c (+2/-1)
engines/ccgost/openssl.ld (+10/-0)
engines/e_capi_err.h (+4/-0)
engines/makeengines.com (+215/-111)
engines/openssl.ld (+3/-0)
install.com (+127/-92)
makevms.com (+274/-152)
ms/uplink.c (+2/-1)
openssl.spec (+1/-1)
ssl/bio_ssl.c (+4/-0)
ssl/d1_both.c (+10/-18)
ssl/d1_clnt.c (+4/-2)
ssl/d1_lib.c (+57/-8)
ssl/d1_pkt.c (+11/-9)
ssl/d1_srvr.c (+19/-7)
ssl/install-ssl.com (+136/-0)
ssl/install.com (+0/-90)
ssl/s3_clnt.c (+2/-0)
ssl/s3_lib.c (+6/-0)
ssl/s3_pkt.c (+4/-2)
ssl/s3_srvr.c (+16/-7)
ssl/ssl-lib.com (+213/-115)
ssl/ssl_lib.c (+13/-19)
test/bntest.com (+7/-0)
test/clean_test.com (+35/-0)
test/cms-test.pl (+2/-2)
test/maketests.com (+210/-111)
test/tcrl.com (+10/-7)
test/testca.com (+5/-3)
test/testenc.com (+8/-5)
test/testgen.com (+13/-9)
test/tests.com (+65/-38)
test/testss.com (+10/-7)
test/testssl.com (+12/-8)
test/testtsa.com (+38/-35)
test/tpkcs7.com (+10/-7)
test/tpkcs7d.com (+10/-7)
test/treq.com (+10/-7)
test/trsa.com (+8/-5)
test/tsid.com (+10/-7)
test/tverify.com (+6/-4)
test/tx509.com (+10/-7)
tools/c_rehash.in (+44/-28)
util/libeay.num (+6/-1)
util/mkdef.pl (+2/-0)
util/mkerr.pl (+1/-1)
To merge this branch: bzr merge lp:~sbeattie/ubuntu/oneiric/openssl/lp850608
Reviewer Review Type Date Requested Status
Marc Deslauriers Approve
Ubuntu branches Pending
Review via email: mp+75477@code.launchpad.net

Description of the change

This branch merges openssl-1.0.0e-2 from Debian unstable to fix security issues. Both the debian changes from 1.0.0d-2 and the upstream release 1.0.0e are bugfix only releases. This merge also includes an added fix for LP: #244250 (reduce spurious reboot warnings on desktop installs) by checking for a running X server to determine whether or not to issue the reboot notification.

To post a comment you must log in.
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Looks good. Uploaded.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file '.pc/Bsymbolic-functions.patch/Configure'
--- .pc/Bsymbolic-functions.patch/Configure 2011-05-01 23:51:53 +0000
+++ .pc/Bsymbolic-functions.patch/Configure 2011-09-15 05:17:15 +0000
@@ -362,6 +362,7 @@
362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",366"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
366"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",367"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
367"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",368"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -370,7 +371,7 @@
370"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",371"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
371"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",372"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
372"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",373"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
373"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",374"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
374375
375####376####
376#### Variety of LINUX:-)377#### Variety of LINUX:-)
377378
=== modified file '.pc/aesni.patch/Configure'
--- .pc/aesni.patch/Configure 2011-05-01 23:51:53 +0000
+++ .pc/aesni.patch/Configure 2011-09-15 05:17:15 +0000
@@ -362,6 +362,7 @@
362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",366"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
366"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",367"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
367"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",368"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -370,7 +371,7 @@
370"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",371"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
371"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",372"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
372"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",373"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
373"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",374"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
374375
375####376####
376#### Variety of LINUX:-)377#### Variety of LINUX:-)
377378
=== modified file '.pc/aesni.patch/util/libeay.num'
--- .pc/aesni.patch/util/libeay.num 2011-05-01 23:51:53 +0000
+++ .pc/aesni.patch/util/libeay.num 2011-09-15 05:17:15 +0000
@@ -4189,3 +4189,8 @@
4189CRYPTO_cbc128_decrypt 4561 EXIST::FUNCTION:4189CRYPTO_cbc128_decrypt 4561 EXIST::FUNCTION:
4190CRYPTO_cfb128_encrypt 4562 EXIST::FUNCTION:4190CRYPTO_cfb128_encrypt 4562 EXIST::FUNCTION:
4191CRYPTO_cfb128_8_encrypt 4563 EXIST::FUNCTION:4191CRYPTO_cfb128_8_encrypt 4563 EXIST::FUNCTION:
4192OPENSSL_strcasecmp 4564 EXIST::FUNCTION:
4193OPENSSL_memcmp 4565 EXIST::FUNCTION:
4194OPENSSL_strncasecmp 4566 EXIST::FUNCTION:
4195OPENSSL_gmtime 4567 EXIST::FUNCTION:
4196OPENSSL_gmtime_adj 4568 EXIST::FUNCTION:
41924197
=== modified file '.pc/applied-patches'
--- .pc/applied-patches 2011-05-01 23:51:53 +0000
+++ .pc/applied-patches 2011-09-15 05:17:15 +0000
@@ -18,6 +18,18 @@
18version-script.patch18version-script.patch
19gnu_source.patch19gnu_source.patch
20c_rehash-compat.patch20c_rehash-compat.patch
21libdoc-manpgs-pod-spell.patch
22libssl-misspell.patch
23openssl-pod-misspell.patch
24pod_req_misspell2.patch
25pod_pksc12.misspell.patch
26pod_s_server.misspell.patch
27pod_x509setflags.misspell.patch
28pod_ec.misspell.patch
29pkcs12-doc.patch
30dgst_hmac.patch
31block_diginotar.patch
32c_rehash-multi.patch
21aesni.patch33aesni.patch
22perlpath-quilt.patch34perlpath-quilt.patch
23Bsymbolic-functions.patch35Bsymbolic-functions.patch
2436
=== added directory '.pc/block_diginotar.patch'
=== added directory '.pc/block_diginotar.patch/crypto'
=== added directory '.pc/block_diginotar.patch/crypto/x509'
=== added file '.pc/block_diginotar.patch/crypto/x509/x509_vfy.c'
--- .pc/block_diginotar.patch/crypto/x509/x509_vfy.c 1970-01-01 00:00:00 +0000
+++ .pc/block_diginotar.patch/crypto/x509/x509_vfy.c 2011-09-15 05:17:15 +0000
@@ -0,0 +1,2219 @@
1/* crypto/x509/x509_vfy.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <time.h>
61#include <errno.h>
62
63#include "cryptlib.h"
64#include <openssl/crypto.h>
65#include <openssl/lhash.h>
66#include <openssl/buffer.h>
67#include <openssl/evp.h>
68#include <openssl/asn1.h>
69#include <openssl/x509.h>
70#include <openssl/x509v3.h>
71#include <openssl/objects.h>
72
73/* CRL score values */
74
75/* No unhandled critical extensions */
76
77#define CRL_SCORE_NOCRITICAL 0x100
78
79/* certificate is within CRL scope */
80
81#define CRL_SCORE_SCOPE 0x080
82
83/* CRL times valid */
84
85#define CRL_SCORE_TIME 0x040
86
87/* Issuer name matches certificate */
88
89#define CRL_SCORE_ISSUER_NAME 0x020
90
91/* If this score or above CRL is probably valid */
92
93#define CRL_SCORE_VALID (CRL_SCORE_NOCRITICAL|CRL_SCORE_TIME|CRL_SCORE_SCOPE)
94
95/* CRL issuer is certificate issuer */
96
97#define CRL_SCORE_ISSUER_CERT 0x018
98
99/* CRL issuer is on certificate path */
100
101#define CRL_SCORE_SAME_PATH 0x008
102
103/* CRL issuer matches CRL AKID */
104
105#define CRL_SCORE_AKID 0x004
106
107/* Have a delta CRL with valid times */
108
109#define CRL_SCORE_TIME_DELTA 0x002
110
111static int null_callback(int ok,X509_STORE_CTX *e);
112static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
113static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x);
114static int check_chain_extensions(X509_STORE_CTX *ctx);
115static int check_name_constraints(X509_STORE_CTX *ctx);
116static int check_trust(X509_STORE_CTX *ctx);
117static int check_revocation(X509_STORE_CTX *ctx);
118static int check_cert(X509_STORE_CTX *ctx);
119static int check_policy(X509_STORE_CTX *ctx);
120
121static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
122 unsigned int *preasons,
123 X509_CRL *crl, X509 *x);
124static int get_crl_delta(X509_STORE_CTX *ctx,
125 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x);
126static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pcrl_score,
127 X509_CRL *base, STACK_OF(X509_CRL) *crls);
128static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
129 X509 **pissuer, int *pcrl_score);
130static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
131 unsigned int *preasons);
132static int check_crl_path(X509_STORE_CTX *ctx, X509 *x);
133static int check_crl_chain(X509_STORE_CTX *ctx,
134 STACK_OF(X509) *cert_path,
135 STACK_OF(X509) *crl_path);
136
137static int internal_verify(X509_STORE_CTX *ctx);
138const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
139
140
141static int null_callback(int ok, X509_STORE_CTX *e)
142 {
143 return ok;
144 }
145
146#if 0
147static int x509_subject_cmp(X509 **a, X509 **b)
148 {
149 return X509_subject_name_cmp(*a,*b);
150 }
151#endif
152
153int X509_verify_cert(X509_STORE_CTX *ctx)
154 {
155 X509 *x,*xtmp,*chain_ss=NULL;
156 X509_NAME *xn;
157 int bad_chain = 0;
158 X509_VERIFY_PARAM *param = ctx->param;
159 int depth,i,ok=0;
160 int num;
161 int (*cb)(int xok,X509_STORE_CTX *xctx);
162 STACK_OF(X509) *sktmp=NULL;
163 if (ctx->cert == NULL)
164 {
165 X509err(X509_F_X509_VERIFY_CERT,X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
166 return -1;
167 }
168
169 cb=ctx->verify_cb;
170
171 /* first we make sure the chain we are going to build is
172 * present and that the first entry is in place */
173 if (ctx->chain == NULL)
174 {
175 if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
176 (!sk_X509_push(ctx->chain,ctx->cert)))
177 {
178 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
179 goto end;
180 }
181 CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
182 ctx->last_untrusted=1;
183 }
184
185 /* We use a temporary STACK so we can chop and hack at it */
186 if (ctx->untrusted != NULL
187 && (sktmp=sk_X509_dup(ctx->untrusted)) == NULL)
188 {
189 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
190 goto end;
191 }
192
193 num=sk_X509_num(ctx->chain);
194 x=sk_X509_value(ctx->chain,num-1);
195 depth=param->depth;
196
197
198 for (;;)
199 {
200 /* If we have enough, we break */
201 if (depth < num) break; /* FIXME: If this happens, we should take
202 * note of it and, if appropriate, use the
203 * X509_V_ERR_CERT_CHAIN_TOO_LONG error
204 * code later.
205 */
206
207 /* If we are self signed, we break */
208 xn=X509_get_issuer_name(x);
209 if (ctx->check_issued(ctx, x,x)) break;
210
211 /* If we were passed a cert chain, use it first */
212 if (ctx->untrusted != NULL)
213 {
214 xtmp=find_issuer(ctx, sktmp,x);
215 if (xtmp != NULL)
216 {
217 if (!sk_X509_push(ctx->chain,xtmp))
218 {
219 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
220 goto end;
221 }
222 CRYPTO_add(&xtmp->references,1,CRYPTO_LOCK_X509);
223 (void)sk_X509_delete_ptr(sktmp,xtmp);
224 ctx->last_untrusted++;
225 x=xtmp;
226 num++;
227 /* reparse the full chain for
228 * the next one */
229 continue;
230 }
231 }
232 break;
233 }
234
235 /* at this point, chain should contain a list of untrusted
236 * certificates. We now need to add at least one trusted one,
237 * if possible, otherwise we complain. */
238
239 /* Examine last certificate in chain and see if it
240 * is self signed.
241 */
242
243 i=sk_X509_num(ctx->chain);
244 x=sk_X509_value(ctx->chain,i-1);
245 xn = X509_get_subject_name(x);
246 if (ctx->check_issued(ctx, x, x))
247 {
248 /* we have a self signed certificate */
249 if (sk_X509_num(ctx->chain) == 1)
250 {
251 /* We have a single self signed certificate: see if
252 * we can find it in the store. We must have an exact
253 * match to avoid possible impersonation.
254 */
255 ok = ctx->get_issuer(&xtmp, ctx, x);
256 if ((ok <= 0) || X509_cmp(x, xtmp))
257 {
258 ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
259 ctx->current_cert=x;
260 ctx->error_depth=i-1;
261 if (ok == 1) X509_free(xtmp);
262 bad_chain = 1;
263 ok=cb(0,ctx);
264 if (!ok) goto end;
265 }
266 else
267 {
268 /* We have a match: replace certificate with store version
269 * so we get any trust settings.
270 */
271 X509_free(x);
272 x = xtmp;
273 (void)sk_X509_set(ctx->chain, i - 1, x);
274 ctx->last_untrusted=0;
275 }
276 }
277 else
278 {
279 /* extract and save self signed certificate for later use */
280 chain_ss=sk_X509_pop(ctx->chain);
281 ctx->last_untrusted--;
282 num--;
283 x=sk_X509_value(ctx->chain,num-1);
284 }
285 }
286
287 /* We now lookup certs from the certificate store */
288 for (;;)
289 {
290 /* If we have enough, we break */
291 if (depth < num) break;
292
293 /* If we are self signed, we break */
294 xn=X509_get_issuer_name(x);
295 if (ctx->check_issued(ctx,x,x)) break;
296
297 ok = ctx->get_issuer(&xtmp, ctx, x);
298
299 if (ok < 0) return ok;
300 if (ok == 0) break;
301
302 x = xtmp;
303 if (!sk_X509_push(ctx->chain,x))
304 {
305 X509_free(xtmp);
306 X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
307 return 0;
308 }
309 num++;
310 }
311
312 /* we now have our chain, lets check it... */
313 xn=X509_get_issuer_name(x);
314
315 /* Is last certificate looked up self signed? */
316 if (!ctx->check_issued(ctx,x,x))
317 {
318 if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss))
319 {
320 if (ctx->last_untrusted >= num)
321 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
322 else
323 ctx->error=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
324 ctx->current_cert=x;
325 }
326 else
327 {
328
329 sk_X509_push(ctx->chain,chain_ss);
330 num++;
331 ctx->last_untrusted=num;
332 ctx->current_cert=chain_ss;
333 ctx->error=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
334 chain_ss=NULL;
335 }
336
337 ctx->error_depth=num-1;
338 bad_chain = 1;
339 ok=cb(0,ctx);
340 if (!ok) goto end;
341 }
342
343 /* We have the chain complete: now we need to check its purpose */
344 ok = check_chain_extensions(ctx);
345
346 if (!ok) goto end;
347
348 /* Check name constraints */
349
350 ok = check_name_constraints(ctx);
351
352 if (!ok) goto end;
353
354 /* The chain extensions are OK: check trust */
355
356 if (param->trust > 0) ok = check_trust(ctx);
357
358 if (!ok) goto end;
359
360 /* We may as well copy down any DSA parameters that are required */
361 X509_get_pubkey_parameters(NULL,ctx->chain);
362
363 /* Check revocation status: we do this after copying parameters
364 * because they may be needed for CRL signature verification.
365 */
366
367 ok = ctx->check_revocation(ctx);
368 if(!ok) goto end;
369
370 /* At this point, we have a chain and need to verify it */
371 if (ctx->verify != NULL)
372 ok=ctx->verify(ctx);
373 else
374 ok=internal_verify(ctx);
375 if(!ok) goto end;
376
377#ifndef OPENSSL_NO_RFC3779
378 /* RFC 3779 path validation, now that CRL check has been done */
379 ok = v3_asid_validate_path(ctx);
380 if (!ok) goto end;
381 ok = v3_addr_validate_path(ctx);
382 if (!ok) goto end;
383#endif
384
385 /* If we get this far evaluate policies */
386 if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK))
387 ok = ctx->check_policy(ctx);
388 if(!ok) goto end;
389 if (0)
390 {
391end:
392 X509_get_pubkey_parameters(NULL,ctx->chain);
393 }
394 if (sktmp != NULL) sk_X509_free(sktmp);
395 if (chain_ss != NULL) X509_free(chain_ss);
396 return ok;
397 }
398
399
400/* Given a STACK_OF(X509) find the issuer of cert (if any)
401 */
402
403static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
404{
405 int i;
406 X509 *issuer;
407 for (i = 0; i < sk_X509_num(sk); i++)
408 {
409 issuer = sk_X509_value(sk, i);
410 if (ctx->check_issued(ctx, x, issuer))
411 return issuer;
412 }
413 return NULL;
414}
415
416/* Given a possible certificate and issuer check them */
417
418static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
419{
420 int ret;
421 ret = X509_check_issued(issuer, x);
422 if (ret == X509_V_OK)
423 return 1;
424 /* If we haven't asked for issuer errors don't set ctx */
425 if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK))
426 return 0;
427
428 ctx->error = ret;
429 ctx->current_cert = x;
430 ctx->current_issuer = issuer;
431 return ctx->verify_cb(0, ctx);
432 return 0;
433}
434
435/* Alternative lookup method: look from a STACK stored in other_ctx */
436
437static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
438{
439 *issuer = find_issuer(ctx, ctx->other_ctx, x);
440 if (*issuer)
441 {
442 CRYPTO_add(&(*issuer)->references,1,CRYPTO_LOCK_X509);
443 return 1;
444 }
445 else
446 return 0;
447}
448
449
450/* Check a certificate chains extensions for consistency
451 * with the supplied purpose
452 */
453
454static int check_chain_extensions(X509_STORE_CTX *ctx)
455{
456#ifdef OPENSSL_NO_CHAIN_VERIFY
457 return 1;
458#else
459 int i, ok=0, must_be_ca, plen = 0;
460 X509 *x;
461 int (*cb)(int xok,X509_STORE_CTX *xctx);
462 int proxy_path_length = 0;
463 int purpose;
464 int allow_proxy_certs;
465 cb=ctx->verify_cb;
466
467 /* must_be_ca can have 1 of 3 values:
468 -1: we accept both CA and non-CA certificates, to allow direct
469 use of self-signed certificates (which are marked as CA).
470 0: we only accept non-CA certificates. This is currently not
471 used, but the possibility is present for future extensions.
472 1: we only accept CA certificates. This is currently used for
473 all certificates in the chain except the leaf certificate.
474 */
475 must_be_ca = -1;
476
477 /* CRL path validation */
478 if (ctx->parent)
479 {
480 allow_proxy_certs = 0;
481 purpose = X509_PURPOSE_CRL_SIGN;
482 }
483 else
484 {
485 allow_proxy_certs =
486 !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
487 /* A hack to keep people who don't want to modify their
488 software happy */
489 if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
490 allow_proxy_certs = 1;
491 purpose = ctx->param->purpose;
492 }
493
494 /* Check all untrusted certificates */
495 for (i = 0; i < ctx->last_untrusted; i++)
496 {
497 int ret;
498 x = sk_X509_value(ctx->chain, i);
499 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
500 && (x->ex_flags & EXFLAG_CRITICAL))
501 {
502 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
503 ctx->error_depth = i;
504 ctx->current_cert = x;
505 ok=cb(0,ctx);
506 if (!ok) goto end;
507 }
508 if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
509 {
510 ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
511 ctx->error_depth = i;
512 ctx->current_cert = x;
513 ok=cb(0,ctx);
514 if (!ok) goto end;
515 }
516 ret = X509_check_ca(x);
517 switch(must_be_ca)
518 {
519 case -1:
520 if ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
521 && (ret != 1) && (ret != 0))
522 {
523 ret = 0;
524 ctx->error = X509_V_ERR_INVALID_CA;
525 }
526 else
527 ret = 1;
528 break;
529 case 0:
530 if (ret != 0)
531 {
532 ret = 0;
533 ctx->error = X509_V_ERR_INVALID_NON_CA;
534 }
535 else
536 ret = 1;
537 break;
538 default:
539 if ((ret == 0)
540 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
541 && (ret != 1)))
542 {
543 ret = 0;
544 ctx->error = X509_V_ERR_INVALID_CA;
545 }
546 else
547 ret = 1;
548 break;
549 }
550 if (ret == 0)
551 {
552 ctx->error_depth = i;
553 ctx->current_cert = x;
554 ok=cb(0,ctx);
555 if (!ok) goto end;
556 }
557 if (ctx->param->purpose > 0)
558 {
559 ret = X509_check_purpose(x, purpose, must_be_ca > 0);
560 if ((ret == 0)
561 || ((ctx->param->flags & X509_V_FLAG_X509_STRICT)
562 && (ret != 1)))
563 {
564 ctx->error = X509_V_ERR_INVALID_PURPOSE;
565 ctx->error_depth = i;
566 ctx->current_cert = x;
567 ok=cb(0,ctx);
568 if (!ok) goto end;
569 }
570 }
571 /* Check pathlen if not self issued */
572 if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
573 && (x->ex_pathlen != -1)
574 && (plen > (x->ex_pathlen + proxy_path_length + 1)))
575 {
576 ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
577 ctx->error_depth = i;
578 ctx->current_cert = x;
579 ok=cb(0,ctx);
580 if (!ok) goto end;
581 }
582 /* Increment path length if not self issued */
583 if (!(x->ex_flags & EXFLAG_SI))
584 plen++;
585 /* If this certificate is a proxy certificate, the next
586 certificate must be another proxy certificate or a EE
587 certificate. If not, the next certificate must be a
588 CA certificate. */
589 if (x->ex_flags & EXFLAG_PROXY)
590 {
591 if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen)
592 {
593 ctx->error =
594 X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
595 ctx->error_depth = i;
596 ctx->current_cert = x;
597 ok=cb(0,ctx);
598 if (!ok) goto end;
599 }
600 proxy_path_length++;
601 must_be_ca = 0;
602 }
603 else
604 must_be_ca = 1;
605 }
606 ok = 1;
607 end:
608 return ok;
609#endif
610}
611
612static int check_name_constraints(X509_STORE_CTX *ctx)
613 {
614 X509 *x;
615 int i, j, rv;
616 /* Check name constraints for all certificates */
617 for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
618 {
619 x = sk_X509_value(ctx->chain, i);
620 /* Ignore self issued certs unless last in chain */
621 if (i && (x->ex_flags & EXFLAG_SI))
622 continue;
623 /* Check against constraints for all certificates higher in
624 * chain including trust anchor. Trust anchor not strictly
625 * speaking needed but if it includes constraints it is to be
626 * assumed it expects them to be obeyed.
627 */
628 for (j = sk_X509_num(ctx->chain) - 1; j > i; j--)
629 {
630 NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc;
631 if (nc)
632 {
633 rv = NAME_CONSTRAINTS_check(x, nc);
634 if (rv != X509_V_OK)
635 {
636 ctx->error = rv;
637 ctx->error_depth = i;
638 ctx->current_cert = x;
639 if (!ctx->verify_cb(0,ctx))
640 return 0;
641 }
642 }
643 }
644 }
645 return 1;
646 }
647
648static int check_trust(X509_STORE_CTX *ctx)
649{
650#ifdef OPENSSL_NO_CHAIN_VERIFY
651 return 1;
652#else
653 int i, ok;
654 X509 *x;
655 int (*cb)(int xok,X509_STORE_CTX *xctx);
656 cb=ctx->verify_cb;
657/* For now just check the last certificate in the chain */
658 i = sk_X509_num(ctx->chain) - 1;
659 x = sk_X509_value(ctx->chain, i);
660 ok = X509_check_trust(x, ctx->param->trust, 0);
661 if (ok == X509_TRUST_TRUSTED)
662 return 1;
663 ctx->error_depth = i;
664 ctx->current_cert = x;
665 if (ok == X509_TRUST_REJECTED)
666 ctx->error = X509_V_ERR_CERT_REJECTED;
667 else
668 ctx->error = X509_V_ERR_CERT_UNTRUSTED;
669 ok = cb(0, ctx);
670 return ok;
671#endif
672}
673
674static int check_revocation(X509_STORE_CTX *ctx)
675 {
676 int i, last, ok;
677 if (!(ctx->param->flags & X509_V_FLAG_CRL_CHECK))
678 return 1;
679 if (ctx->param->flags & X509_V_FLAG_CRL_CHECK_ALL)
680 last = sk_X509_num(ctx->chain) - 1;
681 else
682 {
683 /* If checking CRL paths this isn't the EE certificate */
684 if (ctx->parent)
685 return 1;
686 last = 0;
687 }
688 for(i = 0; i <= last; i++)
689 {
690 ctx->error_depth = i;
691 ok = check_cert(ctx);
692 if (!ok) return ok;
693 }
694 return 1;
695 }
696
697static int check_cert(X509_STORE_CTX *ctx)
698 {
699 X509_CRL *crl = NULL, *dcrl = NULL;
700 X509 *x;
701 int ok, cnum;
702 cnum = ctx->error_depth;
703 x = sk_X509_value(ctx->chain, cnum);
704 ctx->current_cert = x;
705 ctx->current_issuer = NULL;
706 ctx->current_crl_score = 0;
707 ctx->current_reasons = 0;
708 while (ctx->current_reasons != CRLDP_ALL_REASONS)
709 {
710 /* Try to retrieve relevant CRL */
711 if (ctx->get_crl)
712 ok = ctx->get_crl(ctx, &crl, x);
713 else
714 ok = get_crl_delta(ctx, &crl, &dcrl, x);
715 /* If error looking up CRL, nothing we can do except
716 * notify callback
717 */
718 if(!ok)
719 {
720 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
721 ok = ctx->verify_cb(0, ctx);
722 goto err;
723 }
724 ctx->current_crl = crl;
725 ok = ctx->check_crl(ctx, crl);
726 if (!ok)
727 goto err;
728
729 if (dcrl)
730 {
731 ok = ctx->check_crl(ctx, dcrl);
732 if (!ok)
733 goto err;
734 ok = ctx->cert_crl(ctx, dcrl, x);
735 if (!ok)
736 goto err;
737 }
738 else
739 ok = 1;
740
741 /* Don't look in full CRL if delta reason is removefromCRL */
742 if (ok != 2)
743 {
744 ok = ctx->cert_crl(ctx, crl, x);
745 if (!ok)
746 goto err;
747 }
748
749 X509_CRL_free(crl);
750 X509_CRL_free(dcrl);
751 crl = NULL;
752 dcrl = NULL;
753 }
754 err:
755 X509_CRL_free(crl);
756 X509_CRL_free(dcrl);
757
758 ctx->current_crl = NULL;
759 return ok;
760
761 }
762
763/* Check CRL times against values in X509_STORE_CTX */
764
765static int check_crl_time(X509_STORE_CTX *ctx, X509_CRL *crl, int notify)
766 {
767 time_t *ptime;
768 int i;
769 if (notify)
770 ctx->current_crl = crl;
771 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
772 ptime = &ctx->param->check_time;
773 else
774 ptime = NULL;
775
776 i=X509_cmp_time(X509_CRL_get_lastUpdate(crl), ptime);
777 if (i == 0)
778 {
779 if (!notify)
780 return 0;
781 ctx->error=X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD;
782 if (!ctx->verify_cb(0, ctx))
783 return 0;
784 }
785
786 if (i > 0)
787 {
788 if (!notify)
789 return 0;
790 ctx->error=X509_V_ERR_CRL_NOT_YET_VALID;
791 if (!ctx->verify_cb(0, ctx))
792 return 0;
793 }
794
795 if(X509_CRL_get_nextUpdate(crl))
796 {
797 i=X509_cmp_time(X509_CRL_get_nextUpdate(crl), ptime);
798
799 if (i == 0)
800 {
801 if (!notify)
802 return 0;
803 ctx->error=X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD;
804 if (!ctx->verify_cb(0, ctx))
805 return 0;
806 }
807 /* Ignore expiry of base CRL is delta is valid */
808 if ((i < 0) && !(ctx->current_crl_score & CRL_SCORE_TIME_DELTA))
809 {
810 if (!notify)
811 return 0;
812 ctx->error=X509_V_ERR_CRL_HAS_EXPIRED;
813 if (!ctx->verify_cb(0, ctx))
814 return 0;
815 }
816 }
817
818 if (notify)
819 ctx->current_crl = NULL;
820
821 return 1;
822 }
823
824static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
825 X509 **pissuer, int *pscore, unsigned int *preasons,
826 STACK_OF(X509_CRL) *crls)
827 {
828 int i, crl_score, best_score = *pscore;
829 unsigned int reasons, best_reasons = 0;
830 X509 *x = ctx->current_cert;
831 X509_CRL *crl, *best_crl = NULL;
832 X509 *crl_issuer = NULL, *best_crl_issuer = NULL;
833
834 for (i = 0; i < sk_X509_CRL_num(crls); i++)
835 {
836 crl = sk_X509_CRL_value(crls, i);
837 reasons = *preasons;
838 crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
839
840 if (crl_score > best_score)
841 {
842 best_crl = crl;
843 best_crl_issuer = crl_issuer;
844 best_score = crl_score;
845 best_reasons = reasons;
846 }
847 }
848
849 if (best_crl)
850 {
851 if (*pcrl)
852 X509_CRL_free(*pcrl);
853 *pcrl = best_crl;
854 *pissuer = best_crl_issuer;
855 *pscore = best_score;
856 *preasons = best_reasons;
857 CRYPTO_add(&best_crl->references, 1, CRYPTO_LOCK_X509_CRL);
858 if (*pdcrl)
859 {
860 X509_CRL_free(*pdcrl);
861 *pdcrl = NULL;
862 }
863 get_delta_sk(ctx, pdcrl, pscore, best_crl, crls);
864 }
865
866 if (best_score >= CRL_SCORE_VALID)
867 return 1;
868
869 return 0;
870 }
871
872/* Compare two CRL extensions for delta checking purposes. They should be
873 * both present or both absent. If both present all fields must be identical.
874 */
875
876static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
877 {
878 ASN1_OCTET_STRING *exta, *extb;
879 int i;
880 i = X509_CRL_get_ext_by_NID(a, nid, 0);
881 if (i >= 0)
882 {
883 /* Can't have multiple occurrences */
884 if (X509_CRL_get_ext_by_NID(a, nid, i) != -1)
885 return 0;
886 exta = X509_EXTENSION_get_data(X509_CRL_get_ext(a, i));
887 }
888 else
889 exta = NULL;
890
891 i = X509_CRL_get_ext_by_NID(b, nid, 0);
892
893 if (i >= 0)
894 {
895
896 if (X509_CRL_get_ext_by_NID(b, nid, i) != -1)
897 return 0;
898 extb = X509_EXTENSION_get_data(X509_CRL_get_ext(b, i));
899 }
900 else
901 extb = NULL;
902
903 if (!exta && !extb)
904 return 1;
905
906 if (!exta || !extb)
907 return 0;
908
909
910 if (ASN1_OCTET_STRING_cmp(exta, extb))
911 return 0;
912
913 return 1;
914 }
915
916/* See if a base and delta are compatible */
917
918static int check_delta_base(X509_CRL *delta, X509_CRL *base)
919 {
920 /* Delta CRL must be a delta */
921 if (!delta->base_crl_number)
922 return 0;
923 /* Base must have a CRL number */
924 if (!base->crl_number)
925 return 0;
926 /* Issuer names must match */
927 if (X509_NAME_cmp(X509_CRL_get_issuer(base),
928 X509_CRL_get_issuer(delta)))
929 return 0;
930 /* AKID and IDP must match */
931 if (!crl_extension_match(delta, base, NID_authority_key_identifier))
932 return 0;
933 if (!crl_extension_match(delta, base, NID_issuing_distribution_point))
934 return 0;
935 /* Delta CRL base number must not exceed Full CRL number. */
936 if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
937 return 0;
938 /* Delta CRL number must exceed full CRL number */
939 if (ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0)
940 return 1;
941 return 0;
942 }
943
944/* For a given base CRL find a delta... maybe extend to delta scoring
945 * or retrieve a chain of deltas...
946 */
947
948static void get_delta_sk(X509_STORE_CTX *ctx, X509_CRL **dcrl, int *pscore,
949 X509_CRL *base, STACK_OF(X509_CRL) *crls)
950 {
951 X509_CRL *delta;
952 int i;
953 if (!(ctx->param->flags & X509_V_FLAG_USE_DELTAS))
954 return;
955 if (!((ctx->current_cert->ex_flags | base->flags) & EXFLAG_FRESHEST))
956 return;
957 for (i = 0; i < sk_X509_CRL_num(crls); i++)
958 {
959 delta = sk_X509_CRL_value(crls, i);
960 if (check_delta_base(delta, base))
961 {
962 if (check_crl_time(ctx, delta, 0))
963 *pscore |= CRL_SCORE_TIME_DELTA;
964 CRYPTO_add(&delta->references, 1, CRYPTO_LOCK_X509_CRL);
965 *dcrl = delta;
966 return;
967 }
968 }
969 *dcrl = NULL;
970 }
971
972/* For a given CRL return how suitable it is for the supplied certificate 'x'.
973 * The return value is a mask of several criteria.
974 * If the issuer is not the certificate issuer this is returned in *pissuer.
975 * The reasons mask is also used to determine if the CRL is suitable: if
976 * no new reasons the CRL is rejected, otherwise reasons is updated.
977 */
978
979static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
980 unsigned int *preasons,
981 X509_CRL *crl, X509 *x)
982 {
983
984 int crl_score = 0;
985 unsigned int tmp_reasons = *preasons, crl_reasons;
986
987 /* First see if we can reject CRL straight away */
988
989 /* Invalid IDP cannot be processed */
990 if (crl->idp_flags & IDP_INVALID)
991 return 0;
992 /* Reason codes or indirect CRLs need extended CRL support */
993 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
994 {
995 if (crl->idp_flags & (IDP_INDIRECT | IDP_REASONS))
996 return 0;
997 }
998 else if (crl->idp_flags & IDP_REASONS)
999 {
1000 /* If no new reasons reject */
1001 if (!(crl->idp_reasons & ~tmp_reasons))
1002 return 0;
1003 }
1004 /* Don't process deltas at this stage */
1005 else if (crl->base_crl_number)
1006 return 0;
1007 /* If issuer name doesn't match certificate need indirect CRL */
1008 if (X509_NAME_cmp(X509_get_issuer_name(x), X509_CRL_get_issuer(crl)))
1009 {
1010 if (!(crl->idp_flags & IDP_INDIRECT))
1011 return 0;
1012 }
1013 else
1014 crl_score |= CRL_SCORE_ISSUER_NAME;
1015
1016 if (!(crl->flags & EXFLAG_CRITICAL))
1017 crl_score |= CRL_SCORE_NOCRITICAL;
1018
1019 /* Check expiry */
1020 if (check_crl_time(ctx, crl, 0))
1021 crl_score |= CRL_SCORE_TIME;
1022
1023 /* Check authority key ID and locate certificate issuer */
1024 crl_akid_check(ctx, crl, pissuer, &crl_score);
1025
1026 /* If we can't locate certificate issuer at this point forget it */
1027
1028 if (!(crl_score & CRL_SCORE_AKID))
1029 return 0;
1030
1031 /* Check cert for matching CRL distribution points */
1032
1033 if (crl_crldp_check(x, crl, crl_score, &crl_reasons))
1034 {
1035 /* If no new reasons reject */
1036 if (!(crl_reasons & ~tmp_reasons))
1037 return 0;
1038 tmp_reasons |= crl_reasons;
1039 crl_score |= CRL_SCORE_SCOPE;
1040 }
1041
1042 *preasons = tmp_reasons;
1043
1044 return crl_score;
1045
1046 }
1047
1048static void crl_akid_check(X509_STORE_CTX *ctx, X509_CRL *crl,
1049 X509 **pissuer, int *pcrl_score)
1050 {
1051 X509 *crl_issuer = NULL;
1052 X509_NAME *cnm = X509_CRL_get_issuer(crl);
1053 int cidx = ctx->error_depth;
1054 int i;
1055
1056 if (cidx != sk_X509_num(ctx->chain) - 1)
1057 cidx++;
1058
1059 crl_issuer = sk_X509_value(ctx->chain, cidx);
1060
1061 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1062 {
1063 if (*pcrl_score & CRL_SCORE_ISSUER_NAME)
1064 {
1065 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_ISSUER_CERT;
1066 *pissuer = crl_issuer;
1067 return;
1068 }
1069 }
1070
1071 for (cidx++; cidx < sk_X509_num(ctx->chain); cidx++)
1072 {
1073 crl_issuer = sk_X509_value(ctx->chain, cidx);
1074 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1075 continue;
1076 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1077 {
1078 *pcrl_score |= CRL_SCORE_AKID|CRL_SCORE_SAME_PATH;
1079 *pissuer = crl_issuer;
1080 return;
1081 }
1082 }
1083
1084 /* Anything else needs extended CRL support */
1085
1086 if (!(ctx->param->flags & X509_V_FLAG_EXTENDED_CRL_SUPPORT))
1087 return;
1088
1089 /* Otherwise the CRL issuer is not on the path. Look for it in the
1090 * set of untrusted certificates.
1091 */
1092 for (i = 0; i < sk_X509_num(ctx->untrusted); i++)
1093 {
1094 crl_issuer = sk_X509_value(ctx->untrusted, i);
1095 if (X509_NAME_cmp(X509_get_subject_name(crl_issuer), cnm))
1096 continue;
1097 if (X509_check_akid(crl_issuer, crl->akid) == X509_V_OK)
1098 {
1099 *pissuer = crl_issuer;
1100 *pcrl_score |= CRL_SCORE_AKID;
1101 return;
1102 }
1103 }
1104 }
1105
1106/* Check the path of a CRL issuer certificate. This creates a new
1107 * X509_STORE_CTX and populates it with most of the parameters from the
1108 * parent. This could be optimised somewhat since a lot of path checking
1109 * will be duplicated by the parent, but this will rarely be used in
1110 * practice.
1111 */
1112
1113static int check_crl_path(X509_STORE_CTX *ctx, X509 *x)
1114 {
1115 X509_STORE_CTX crl_ctx;
1116 int ret;
1117 /* Don't allow recursive CRL path validation */
1118 if (ctx->parent)
1119 return 0;
1120 if (!X509_STORE_CTX_init(&crl_ctx, ctx->ctx, x, ctx->untrusted))
1121 return -1;
1122
1123 crl_ctx.crls = ctx->crls;
1124 /* Copy verify params across */
1125 X509_STORE_CTX_set0_param(&crl_ctx, ctx->param);
1126
1127 crl_ctx.parent = ctx;
1128 crl_ctx.verify_cb = ctx->verify_cb;
1129
1130 /* Verify CRL issuer */
1131 ret = X509_verify_cert(&crl_ctx);
1132
1133 if (ret <= 0)
1134 goto err;
1135
1136 /* Check chain is acceptable */
1137
1138 ret = check_crl_chain(ctx, ctx->chain, crl_ctx.chain);
1139 err:
1140 X509_STORE_CTX_cleanup(&crl_ctx);
1141 return ret;
1142 }
1143
1144/* RFC3280 says nothing about the relationship between CRL path
1145 * and certificate path, which could lead to situations where a
1146 * certificate could be revoked or validated by a CA not authorised
1147 * to do so. RFC5280 is more strict and states that the two paths must
1148 * end in the same trust anchor, though some discussions remain...
1149 * until this is resolved we use the RFC5280 version
1150 */
1151
1152static int check_crl_chain(X509_STORE_CTX *ctx,
1153 STACK_OF(X509) *cert_path,
1154 STACK_OF(X509) *crl_path)
1155 {
1156 X509 *cert_ta, *crl_ta;
1157 cert_ta = sk_X509_value(cert_path, sk_X509_num(cert_path) - 1);
1158 crl_ta = sk_X509_value(crl_path, sk_X509_num(crl_path) - 1);
1159 if (!X509_cmp(cert_ta, crl_ta))
1160 return 1;
1161 return 0;
1162 }
1163
1164/* Check for match between two dist point names: three separate cases.
1165 * 1. Both are relative names and compare X509_NAME types.
1166 * 2. One full, one relative. Compare X509_NAME to GENERAL_NAMES.
1167 * 3. Both are full names and compare two GENERAL_NAMES.
1168 * 4. One is NULL: automatic match.
1169 */
1170
1171
1172static int idp_check_dp(DIST_POINT_NAME *a, DIST_POINT_NAME *b)
1173 {
1174 X509_NAME *nm = NULL;
1175 GENERAL_NAMES *gens = NULL;
1176 GENERAL_NAME *gena, *genb;
1177 int i, j;
1178 if (!a || !b)
1179 return 1;
1180 if (a->type == 1)
1181 {
1182 if (!a->dpname)
1183 return 0;
1184 /* Case 1: two X509_NAME */
1185 if (b->type == 1)
1186 {
1187 if (!b->dpname)
1188 return 0;
1189 if (!X509_NAME_cmp(a->dpname, b->dpname))
1190 return 1;
1191 else
1192 return 0;
1193 }
1194 /* Case 2: set name and GENERAL_NAMES appropriately */
1195 nm = a->dpname;
1196 gens = b->name.fullname;
1197 }
1198 else if (b->type == 1)
1199 {
1200 if (!b->dpname)
1201 return 0;
1202 /* Case 2: set name and GENERAL_NAMES appropriately */
1203 gens = a->name.fullname;
1204 nm = b->dpname;
1205 }
1206
1207 /* Handle case 2 with one GENERAL_NAMES and one X509_NAME */
1208 if (nm)
1209 {
1210 for (i = 0; i < sk_GENERAL_NAME_num(gens); i++)
1211 {
1212 gena = sk_GENERAL_NAME_value(gens, i);
1213 if (gena->type != GEN_DIRNAME)
1214 continue;
1215 if (!X509_NAME_cmp(nm, gena->d.directoryName))
1216 return 1;
1217 }
1218 return 0;
1219 }
1220
1221 /* Else case 3: two GENERAL_NAMES */
1222
1223 for (i = 0; i < sk_GENERAL_NAME_num(a->name.fullname); i++)
1224 {
1225 gena = sk_GENERAL_NAME_value(a->name.fullname, i);
1226 for (j = 0; j < sk_GENERAL_NAME_num(b->name.fullname); j++)
1227 {
1228 genb = sk_GENERAL_NAME_value(b->name.fullname, j);
1229 if (!GENERAL_NAME_cmp(gena, genb))
1230 return 1;
1231 }
1232 }
1233
1234 return 0;
1235
1236 }
1237
1238static int crldp_check_crlissuer(DIST_POINT *dp, X509_CRL *crl, int crl_score)
1239 {
1240 int i;
1241 X509_NAME *nm = X509_CRL_get_issuer(crl);
1242 /* If no CRLissuer return is successful iff don't need a match */
1243 if (!dp->CRLissuer)
1244 return !!(crl_score & CRL_SCORE_ISSUER_NAME);
1245 for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++)
1246 {
1247 GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
1248 if (gen->type != GEN_DIRNAME)
1249 continue;
1250 if (!X509_NAME_cmp(gen->d.directoryName, nm))
1251 return 1;
1252 }
1253 return 0;
1254 }
1255
1256/* Check CRLDP and IDP */
1257
1258static int crl_crldp_check(X509 *x, X509_CRL *crl, int crl_score,
1259 unsigned int *preasons)
1260 {
1261 int i;
1262 if (crl->idp_flags & IDP_ONLYATTR)
1263 return 0;
1264 if (x->ex_flags & EXFLAG_CA)
1265 {
1266 if (crl->idp_flags & IDP_ONLYUSER)
1267 return 0;
1268 }
1269 else
1270 {
1271 if (crl->idp_flags & IDP_ONLYCA)
1272 return 0;
1273 }
1274 *preasons = crl->idp_reasons;
1275 for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
1276 {
1277 DIST_POINT *dp = sk_DIST_POINT_value(x->crldp, i);
1278 if (crldp_check_crlissuer(dp, crl, crl_score))
1279 {
1280 if (!crl->idp ||
1281 idp_check_dp(dp->distpoint, crl->idp->distpoint))
1282 {
1283 *preasons &= dp->dp_reasons;
1284 return 1;
1285 }
1286 }
1287 }
1288 if ((!crl->idp || !crl->idp->distpoint) && (crl_score & CRL_SCORE_ISSUER_NAME))
1289 return 1;
1290 return 0;
1291 }
1292
1293/* Retrieve CRL corresponding to current certificate.
1294 * If deltas enabled try to find a delta CRL too
1295 */
1296
1297static int get_crl_delta(X509_STORE_CTX *ctx,
1298 X509_CRL **pcrl, X509_CRL **pdcrl, X509 *x)
1299 {
1300 int ok;
1301 X509 *issuer = NULL;
1302 int crl_score = 0;
1303 unsigned int reasons;
1304 X509_CRL *crl = NULL, *dcrl = NULL;
1305 STACK_OF(X509_CRL) *skcrl;
1306 X509_NAME *nm = X509_get_issuer_name(x);
1307 reasons = ctx->current_reasons;
1308 ok = get_crl_sk(ctx, &crl, &dcrl,
1309 &issuer, &crl_score, &reasons, ctx->crls);
1310
1311 if (ok)
1312 goto done;
1313
1314 /* Lookup CRLs from store */
1315
1316 skcrl = ctx->lookup_crls(ctx, nm);
1317
1318 /* If no CRLs found and a near match from get_crl_sk use that */
1319 if (!skcrl && crl)
1320 goto done;
1321
1322 get_crl_sk(ctx, &crl, &dcrl, &issuer, &crl_score, &reasons, skcrl);
1323
1324 sk_X509_CRL_pop_free(skcrl, X509_CRL_free);
1325
1326 done:
1327
1328 /* If we got any kind of CRL use it and return success */
1329 if (crl)
1330 {
1331 ctx->current_issuer = issuer;
1332 ctx->current_crl_score = crl_score;
1333 ctx->current_reasons = reasons;
1334 *pcrl = crl;
1335 *pdcrl = dcrl;
1336 return 1;
1337 }
1338
1339 return 0;
1340 }
1341
1342/* Check CRL validity */
1343static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
1344 {
1345 X509 *issuer = NULL;
1346 EVP_PKEY *ikey = NULL;
1347 int ok = 0, chnum, cnum;
1348 cnum = ctx->error_depth;
1349 chnum = sk_X509_num(ctx->chain) - 1;
1350 /* if we have an alternative CRL issuer cert use that */
1351 if (ctx->current_issuer)
1352 issuer = ctx->current_issuer;
1353
1354 /* Else find CRL issuer: if not last certificate then issuer
1355 * is next certificate in chain.
1356 */
1357 else if (cnum < chnum)
1358 issuer = sk_X509_value(ctx->chain, cnum + 1);
1359 else
1360 {
1361 issuer = sk_X509_value(ctx->chain, chnum);
1362 /* If not self signed, can't check signature */
1363 if(!ctx->check_issued(ctx, issuer, issuer))
1364 {
1365 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER;
1366 ok = ctx->verify_cb(0, ctx);
1367 if(!ok) goto err;
1368 }
1369 }
1370
1371 if(issuer)
1372 {
1373 /* Skip most tests for deltas because they have already
1374 * been done
1375 */
1376 if (!crl->base_crl_number)
1377 {
1378 /* Check for cRLSign bit if keyUsage present */
1379 if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
1380 !(issuer->ex_kusage & KU_CRL_SIGN))
1381 {
1382 ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
1383 ok = ctx->verify_cb(0, ctx);
1384 if(!ok) goto err;
1385 }
1386
1387 if (!(ctx->current_crl_score & CRL_SCORE_SCOPE))
1388 {
1389 ctx->error = X509_V_ERR_DIFFERENT_CRL_SCOPE;
1390 ok = ctx->verify_cb(0, ctx);
1391 if(!ok) goto err;
1392 }
1393
1394 if (!(ctx->current_crl_score & CRL_SCORE_SAME_PATH))
1395 {
1396 if (check_crl_path(ctx, ctx->current_issuer) <= 0)
1397 {
1398 ctx->error = X509_V_ERR_CRL_PATH_VALIDATION_ERROR;
1399 ok = ctx->verify_cb(0, ctx);
1400 if(!ok) goto err;
1401 }
1402 }
1403
1404 if (crl->idp_flags & IDP_INVALID)
1405 {
1406 ctx->error = X509_V_ERR_INVALID_EXTENSION;
1407 ok = ctx->verify_cb(0, ctx);
1408 if(!ok) goto err;
1409 }
1410
1411
1412 }
1413
1414 if (!(ctx->current_crl_score & CRL_SCORE_TIME))
1415 {
1416 ok = check_crl_time(ctx, crl, 1);
1417 if (!ok)
1418 goto err;
1419 }
1420
1421 /* Attempt to get issuer certificate public key */
1422 ikey = X509_get_pubkey(issuer);
1423
1424 if(!ikey)
1425 {
1426 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1427 ok = ctx->verify_cb(0, ctx);
1428 if (!ok) goto err;
1429 }
1430 else
1431 {
1432 /* Verify CRL signature */
1433 if(X509_CRL_verify(crl, ikey) <= 0)
1434 {
1435 ctx->error=X509_V_ERR_CRL_SIGNATURE_FAILURE;
1436 ok = ctx->verify_cb(0, ctx);
1437 if (!ok) goto err;
1438 }
1439 }
1440 }
1441
1442 ok = 1;
1443
1444 err:
1445 EVP_PKEY_free(ikey);
1446 return ok;
1447 }
1448
1449/* Check certificate against CRL */
1450static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1451 {
1452 int ok;
1453 X509_REVOKED *rev;
1454 /* The rules changed for this... previously if a CRL contained
1455 * unhandled critical extensions it could still be used to indicate
1456 * a certificate was revoked. This has since been changed since
1457 * critical extension can change the meaning of CRL entries.
1458 */
1459 if (crl->flags & EXFLAG_CRITICAL)
1460 {
1461 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1462 return 1;
1463 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1464 ok = ctx->verify_cb(0, ctx);
1465 if(!ok)
1466 return 0;
1467 }
1468 /* Look for serial number of certificate in CRL
1469 * If found make sure reason is not removeFromCRL.
1470 */
1471 if (X509_CRL_get0_by_cert(crl, &rev, x))
1472 {
1473 if (rev->reason == CRL_REASON_REMOVE_FROM_CRL)
1474 return 2;
1475 ctx->error = X509_V_ERR_CERT_REVOKED;
1476 ok = ctx->verify_cb(0, ctx);
1477 if (!ok)
1478 return 0;
1479 }
1480
1481 return 1;
1482 }
1483
1484static int check_policy(X509_STORE_CTX *ctx)
1485 {
1486 int ret;
1487 if (ctx->parent)
1488 return 1;
1489 ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain,
1490 ctx->param->policies, ctx->param->flags);
1491 if (ret == 0)
1492 {
1493 X509err(X509_F_CHECK_POLICY,ERR_R_MALLOC_FAILURE);
1494 return 0;
1495 }
1496 /* Invalid or inconsistent extensions */
1497 if (ret == -1)
1498 {
1499 /* Locate certificates with bad extensions and notify
1500 * callback.
1501 */
1502 X509 *x;
1503 int i;
1504 for (i = 1; i < sk_X509_num(ctx->chain); i++)
1505 {
1506 x = sk_X509_value(ctx->chain, i);
1507 if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
1508 continue;
1509 ctx->current_cert = x;
1510 ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION;
1511 if(!ctx->verify_cb(0, ctx))
1512 return 0;
1513 }
1514 return 1;
1515 }
1516 if (ret == -2)
1517 {
1518 ctx->current_cert = NULL;
1519 ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY;
1520 return ctx->verify_cb(0, ctx);
1521 }
1522
1523 if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY)
1524 {
1525 ctx->current_cert = NULL;
1526 ctx->error = X509_V_OK;
1527 if (!ctx->verify_cb(2, ctx))
1528 return 0;
1529 }
1530
1531 return 1;
1532 }
1533
1534static int check_cert_time(X509_STORE_CTX *ctx, X509 *x)
1535 {
1536 time_t *ptime;
1537 int i;
1538
1539 if (ctx->param->flags & X509_V_FLAG_USE_CHECK_TIME)
1540 ptime = &ctx->param->check_time;
1541 else
1542 ptime = NULL;
1543
1544 i=X509_cmp_time(X509_get_notBefore(x), ptime);
1545 if (i == 0)
1546 {
1547 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
1548 ctx->current_cert=x;
1549 if (!ctx->verify_cb(0, ctx))
1550 return 0;
1551 }
1552
1553 if (i > 0)
1554 {
1555 ctx->error=X509_V_ERR_CERT_NOT_YET_VALID;
1556 ctx->current_cert=x;
1557 if (!ctx->verify_cb(0, ctx))
1558 return 0;
1559 }
1560
1561 i=X509_cmp_time(X509_get_notAfter(x), ptime);
1562 if (i == 0)
1563 {
1564 ctx->error=X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
1565 ctx->current_cert=x;
1566 if (!ctx->verify_cb(0, ctx))
1567 return 0;
1568 }
1569
1570 if (i < 0)
1571 {
1572 ctx->error=X509_V_ERR_CERT_HAS_EXPIRED;
1573 ctx->current_cert=x;
1574 if (!ctx->verify_cb(0, ctx))
1575 return 0;
1576 }
1577
1578 return 1;
1579 }
1580
1581static int internal_verify(X509_STORE_CTX *ctx)
1582 {
1583 int ok=0,n;
1584 X509 *xs,*xi;
1585 EVP_PKEY *pkey=NULL;
1586 int (*cb)(int xok,X509_STORE_CTX *xctx);
1587
1588 cb=ctx->verify_cb;
1589
1590 n=sk_X509_num(ctx->chain);
1591 ctx->error_depth=n-1;
1592 n--;
1593 xi=sk_X509_value(ctx->chain,n);
1594
1595 if (ctx->check_issued(ctx, xi, xi))
1596 xs=xi;
1597 else
1598 {
1599 if (n <= 0)
1600 {
1601 ctx->error=X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
1602 ctx->current_cert=xi;
1603 ok=cb(0,ctx);
1604 goto end;
1605 }
1606 else
1607 {
1608 n--;
1609 ctx->error_depth=n;
1610 xs=sk_X509_value(ctx->chain,n);
1611 }
1612 }
1613
1614/* ctx->error=0; not needed */
1615 while (n >= 0)
1616 {
1617 ctx->error_depth=n;
1618
1619 /* Skip signature check for self signed certificates unless
1620 * explicitly asked for. It doesn't add any security and
1621 * just wastes time.
1622 */
1623 if (!xs->valid && (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)))
1624 {
1625 if ((pkey=X509_get_pubkey(xi)) == NULL)
1626 {
1627 ctx->error=X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
1628 ctx->current_cert=xi;
1629 ok=(*cb)(0,ctx);
1630 if (!ok) goto end;
1631 }
1632 else if (X509_verify(xs,pkey) <= 0)
1633 {
1634 ctx->error=X509_V_ERR_CERT_SIGNATURE_FAILURE;
1635 ctx->current_cert=xs;
1636 ok=(*cb)(0,ctx);
1637 if (!ok)
1638 {
1639 EVP_PKEY_free(pkey);
1640 goto end;
1641 }
1642 }
1643 EVP_PKEY_free(pkey);
1644 pkey=NULL;
1645 }
1646
1647 xs->valid = 1;
1648
1649 ok = check_cert_time(ctx, xs);
1650 if (!ok)
1651 goto end;
1652
1653 /* The last error (if any) is still in the error value */
1654 ctx->current_issuer=xi;
1655 ctx->current_cert=xs;
1656 ok=(*cb)(1,ctx);
1657 if (!ok) goto end;
1658
1659 n--;
1660 if (n >= 0)
1661 {
1662 xi=xs;
1663 xs=sk_X509_value(ctx->chain,n);
1664 }
1665 }
1666 ok=1;
1667end:
1668 return ok;
1669 }
1670
1671int X509_cmp_current_time(const ASN1_TIME *ctm)
1672{
1673 return X509_cmp_time(ctm, NULL);
1674}
1675
1676int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1677 {
1678 char *str;
1679 ASN1_TIME atm;
1680 long offset;
1681 char buff1[24],buff2[24],*p;
1682 int i,j;
1683
1684 p=buff1;
1685 i=ctm->length;
1686 str=(char *)ctm->data;
1687 if (ctm->type == V_ASN1_UTCTIME)
1688 {
1689 if ((i < 11) || (i > 17)) return 0;
1690 memcpy(p,str,10);
1691 p+=10;
1692 str+=10;
1693 }
1694 else
1695 {
1696 if (i < 13) return 0;
1697 memcpy(p,str,12);
1698 p+=12;
1699 str+=12;
1700 }
1701
1702 if ((*str == 'Z') || (*str == '-') || (*str == '+'))
1703 { *(p++)='0'; *(p++)='0'; }
1704 else
1705 {
1706 *(p++)= *(str++);
1707 *(p++)= *(str++);
1708 /* Skip any fractional seconds... */
1709 if (*str == '.')
1710 {
1711 str++;
1712 while ((*str >= '0') && (*str <= '9')) str++;
1713 }
1714
1715 }
1716 *(p++)='Z';
1717 *(p++)='\0';
1718
1719 if (*str == 'Z')
1720 offset=0;
1721 else
1722 {
1723 if ((*str != '+') && (*str != '-'))
1724 return 0;
1725 offset=((str[1]-'0')*10+(str[2]-'0'))*60;
1726 offset+=(str[3]-'0')*10+(str[4]-'0');
1727 if (*str == '-')
1728 offset= -offset;
1729 }
1730 atm.type=ctm->type;
1731 atm.flags = 0;
1732 atm.length=sizeof(buff2);
1733 atm.data=(unsigned char *)buff2;
1734
1735 if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
1736 return 0;
1737
1738 if (ctm->type == V_ASN1_UTCTIME)
1739 {
1740 i=(buff1[0]-'0')*10+(buff1[1]-'0');
1741 if (i < 50) i+=100; /* cf. RFC 2459 */
1742 j=(buff2[0]-'0')*10+(buff2[1]-'0');
1743 if (j < 50) j+=100;
1744
1745 if (i < j) return -1;
1746 if (i > j) return 1;
1747 }
1748 i=strcmp(buff1,buff2);
1749 if (i == 0) /* wait a second then return younger :-) */
1750 return -1;
1751 else
1752 return i;
1753 }
1754
1755ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj)
1756{
1757 return X509_time_adj(s, adj, NULL);
1758}
1759
1760ASN1_TIME *X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_tm)
1761 {
1762 return X509_time_adj_ex(s, 0, offset_sec, in_tm);
1763 }
1764
1765ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
1766 int offset_day, long offset_sec, time_t *in_tm)
1767 {
1768 time_t t;
1769
1770 if (in_tm) t = *in_tm;
1771 else time(&t);
1772
1773 if (s && !(s->flags & ASN1_STRING_FLAG_MSTRING))
1774 {
1775 if (s->type == V_ASN1_UTCTIME)
1776 return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);
1777 if (s->type == V_ASN1_GENERALIZEDTIME)
1778 return ASN1_GENERALIZEDTIME_adj(s, t, offset_day,
1779 offset_sec);
1780 }
1781 return ASN1_TIME_adj(s, t, offset_day, offset_sec);
1782 }
1783
1784int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain)
1785 {
1786 EVP_PKEY *ktmp=NULL,*ktmp2;
1787 int i,j;
1788
1789 if ((pkey != NULL) && !EVP_PKEY_missing_parameters(pkey)) return 1;
1790
1791 for (i=0; i<sk_X509_num(chain); i++)
1792 {
1793 ktmp=X509_get_pubkey(sk_X509_value(chain,i));
1794 if (ktmp == NULL)
1795 {
1796 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
1797 return 0;
1798 }
1799 if (!EVP_PKEY_missing_parameters(ktmp))
1800 break;
1801 else
1802 {
1803 EVP_PKEY_free(ktmp);
1804 ktmp=NULL;
1805 }
1806 }
1807 if (ktmp == NULL)
1808 {
1809 X509err(X509_F_X509_GET_PUBKEY_PARAMETERS,X509_R_UNABLE_TO_FIND_PARAMETERS_IN_CHAIN);
1810 return 0;
1811 }
1812
1813 /* first, populate the other certs */
1814 for (j=i-1; j >= 0; j--)
1815 {
1816 ktmp2=X509_get_pubkey(sk_X509_value(chain,j));
1817 EVP_PKEY_copy_parameters(ktmp2,ktmp);
1818 EVP_PKEY_free(ktmp2);
1819 }
1820
1821 if (pkey != NULL) EVP_PKEY_copy_parameters(pkey,ktmp);
1822 EVP_PKEY_free(ktmp);
1823 return 1;
1824 }
1825
1826int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
1827 CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
1828 {
1829 /* This function is (usually) called only once, by
1830 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
1831 return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
1832 new_func, dup_func, free_func);
1833 }
1834
1835int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
1836 {
1837 return CRYPTO_set_ex_data(&ctx->ex_data,idx,data);
1838 }
1839
1840void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
1841 {
1842 return CRYPTO_get_ex_data(&ctx->ex_data,idx);
1843 }
1844
1845int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
1846 {
1847 return ctx->error;
1848 }
1849
1850void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err)
1851 {
1852 ctx->error=err;
1853 }
1854
1855int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
1856 {
1857 return ctx->error_depth;
1858 }
1859
1860X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
1861 {
1862 return ctx->current_cert;
1863 }
1864
1865STACK_OF(X509) *X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx)
1866 {
1867 return ctx->chain;
1868 }
1869
1870STACK_OF(X509) *X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx)
1871 {
1872 int i;
1873 X509 *x;
1874 STACK_OF(X509) *chain;
1875 if (!ctx->chain || !(chain = sk_X509_dup(ctx->chain))) return NULL;
1876 for (i = 0; i < sk_X509_num(chain); i++)
1877 {
1878 x = sk_X509_value(chain, i);
1879 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1880 }
1881 return chain;
1882 }
1883
1884X509 *X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx)
1885 {
1886 return ctx->current_issuer;
1887 }
1888
1889X509_CRL *X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx)
1890 {
1891 return ctx->current_crl;
1892 }
1893
1894X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx)
1895 {
1896 return ctx->parent;
1897 }
1898
1899void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
1900 {
1901 ctx->cert=x;
1902 }
1903
1904void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
1905 {
1906 ctx->untrusted=sk;
1907 }
1908
1909void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk)
1910 {
1911 ctx->crls=sk;
1912 }
1913
1914int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose)
1915 {
1916 return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0);
1917 }
1918
1919int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust)
1920 {
1921 return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust);
1922 }
1923
1924/* This function is used to set the X509_STORE_CTX purpose and trust
1925 * values. This is intended to be used when another structure has its
1926 * own trust and purpose values which (if set) will be inherited by
1927 * the ctx. If they aren't set then we will usually have a default
1928 * purpose in mind which should then be used to set the trust value.
1929 * An example of this is SSL use: an SSL structure will have its own
1930 * purpose and trust settings which the application can set: if they
1931 * aren't set then we use the default of SSL client/server.
1932 */
1933
1934int X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose,
1935 int purpose, int trust)
1936{
1937 int idx;
1938 /* If purpose not set use default */
1939 if (!purpose) purpose = def_purpose;
1940 /* If we have a purpose then check it is valid */
1941 if (purpose)
1942 {
1943 X509_PURPOSE *ptmp;
1944 idx = X509_PURPOSE_get_by_id(purpose);
1945 if (idx == -1)
1946 {
1947 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1948 X509_R_UNKNOWN_PURPOSE_ID);
1949 return 0;
1950 }
1951 ptmp = X509_PURPOSE_get0(idx);
1952 if (ptmp->trust == X509_TRUST_DEFAULT)
1953 {
1954 idx = X509_PURPOSE_get_by_id(def_purpose);
1955 if (idx == -1)
1956 {
1957 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1958 X509_R_UNKNOWN_PURPOSE_ID);
1959 return 0;
1960 }
1961 ptmp = X509_PURPOSE_get0(idx);
1962 }
1963 /* If trust not set then get from purpose default */
1964 if (!trust) trust = ptmp->trust;
1965 }
1966 if (trust)
1967 {
1968 idx = X509_TRUST_get_by_id(trust);
1969 if (idx == -1)
1970 {
1971 X509err(X509_F_X509_STORE_CTX_PURPOSE_INHERIT,
1972 X509_R_UNKNOWN_TRUST_ID);
1973 return 0;
1974 }
1975 }
1976
1977 if (purpose && !ctx->param->purpose) ctx->param->purpose = purpose;
1978 if (trust && !ctx->param->trust) ctx->param->trust = trust;
1979 return 1;
1980}
1981
1982X509_STORE_CTX *X509_STORE_CTX_new(void)
1983{
1984 X509_STORE_CTX *ctx;
1985 ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
1986 if (!ctx)
1987 {
1988 X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
1989 return NULL;
1990 }
1991 memset(ctx, 0, sizeof(X509_STORE_CTX));
1992 return ctx;
1993}
1994
1995void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
1996{
1997 X509_STORE_CTX_cleanup(ctx);
1998 OPENSSL_free(ctx);
1999}
2000
2001int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
2002 STACK_OF(X509) *chain)
2003 {
2004 int ret = 1;
2005 ctx->ctx=store;
2006 ctx->current_method=0;
2007 ctx->cert=x509;
2008 ctx->untrusted=chain;
2009 ctx->crls = NULL;
2010 ctx->last_untrusted=0;
2011 ctx->other_ctx=NULL;
2012 ctx->valid=0;
2013 ctx->chain=NULL;
2014 ctx->error=0;
2015 ctx->explicit_policy=0;
2016 ctx->error_depth=0;
2017 ctx->current_cert=NULL;
2018 ctx->current_issuer=NULL;
2019 ctx->current_crl=NULL;
2020 ctx->current_crl_score=0;
2021 ctx->current_reasons=0;
2022 ctx->tree = NULL;
2023 ctx->parent = NULL;
2024
2025 ctx->param = X509_VERIFY_PARAM_new();
2026
2027 if (!ctx->param)
2028 {
2029 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2030 return 0;
2031 }
2032
2033 /* Inherit callbacks and flags from X509_STORE if not set
2034 * use defaults.
2035 */
2036
2037
2038 if (store)
2039 ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
2040 else
2041 ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
2042
2043 if (store)
2044 {
2045 ctx->verify_cb = store->verify_cb;
2046 ctx->cleanup = store->cleanup;
2047 }
2048 else
2049 ctx->cleanup = 0;
2050
2051 if (ret)
2052 ret = X509_VERIFY_PARAM_inherit(ctx->param,
2053 X509_VERIFY_PARAM_lookup("default"));
2054
2055 if (ret == 0)
2056 {
2057 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2058 return 0;
2059 }
2060
2061 if (store && store->check_issued)
2062 ctx->check_issued = store->check_issued;
2063 else
2064 ctx->check_issued = check_issued;
2065
2066 if (store && store->get_issuer)
2067 ctx->get_issuer = store->get_issuer;
2068 else
2069 ctx->get_issuer = X509_STORE_CTX_get1_issuer;
2070
2071 if (store && store->verify_cb)
2072 ctx->verify_cb = store->verify_cb;
2073 else
2074 ctx->verify_cb = null_callback;
2075
2076 if (store && store->verify)
2077 ctx->verify = store->verify;
2078 else
2079 ctx->verify = internal_verify;
2080
2081 if (store && store->check_revocation)
2082 ctx->check_revocation = store->check_revocation;
2083 else
2084 ctx->check_revocation = check_revocation;
2085
2086 if (store && store->get_crl)
2087 ctx->get_crl = store->get_crl;
2088 else
2089 ctx->get_crl = NULL;
2090
2091 if (store && store->check_crl)
2092 ctx->check_crl = store->check_crl;
2093 else
2094 ctx->check_crl = check_crl;
2095
2096 if (store && store->cert_crl)
2097 ctx->cert_crl = store->cert_crl;
2098 else
2099 ctx->cert_crl = cert_crl;
2100
2101 if (store && store->lookup_certs)
2102 ctx->lookup_certs = store->lookup_certs;
2103 else
2104 ctx->lookup_certs = X509_STORE_get1_certs;
2105
2106 if (store && store->lookup_crls)
2107 ctx->lookup_crls = store->lookup_crls;
2108 else
2109 ctx->lookup_crls = X509_STORE_get1_crls;
2110
2111 ctx->check_policy = check_policy;
2112
2113
2114 /* This memset() can't make any sense anyway, so it's removed. As
2115 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
2116 * corresponding "new" here and remove this bogus initialisation. */
2117 /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
2118 if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
2119 &(ctx->ex_data)))
2120 {
2121 OPENSSL_free(ctx);
2122 X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
2123 return 0;
2124 }
2125 return 1;
2126 }
2127
2128/* Set alternative lookup method: just a STACK of trusted certificates.
2129 * This avoids X509_STORE nastiness where it isn't needed.
2130 */
2131
2132void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk)
2133{
2134 ctx->other_ctx = sk;
2135 ctx->get_issuer = get_issuer_sk;
2136}
2137
2138void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
2139 {
2140 if (ctx->cleanup) ctx->cleanup(ctx);
2141 if (ctx->param != NULL)
2142 {
2143 if (ctx->parent == NULL)
2144 X509_VERIFY_PARAM_free(ctx->param);
2145 ctx->param=NULL;
2146 }
2147 if (ctx->tree != NULL)
2148 {
2149 X509_policy_tree_free(ctx->tree);
2150 ctx->tree=NULL;
2151 }
2152 if (ctx->chain != NULL)
2153 {
2154 sk_X509_pop_free(ctx->chain,X509_free);
2155 ctx->chain=NULL;
2156 }
2157 CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
2158 memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
2159 }
2160
2161void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth)
2162 {
2163 X509_VERIFY_PARAM_set_depth(ctx->param, depth);
2164 }
2165
2166void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags)
2167 {
2168 X509_VERIFY_PARAM_set_flags(ctx->param, flags);
2169 }
2170
2171void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t)
2172 {
2173 X509_VERIFY_PARAM_set_time(ctx->param, t);
2174 }
2175
2176void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
2177 int (*verify_cb)(int, X509_STORE_CTX *))
2178 {
2179 ctx->verify_cb=verify_cb;
2180 }
2181
2182X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx)
2183 {
2184 return ctx->tree;
2185 }
2186
2187int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2188 {
2189 return ctx->explicit_policy;
2190 }
2191
2192int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name)
2193 {
2194 const X509_VERIFY_PARAM *param;
2195 param = X509_VERIFY_PARAM_lookup(name);
2196 if (!param)
2197 return 0;
2198 return X509_VERIFY_PARAM_inherit(ctx->param, param);
2199 }
2200
2201X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx)
2202 {
2203 return ctx->param;
2204 }
2205
2206void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param)
2207 {
2208 if (ctx->param)
2209 X509_VERIFY_PARAM_free(ctx->param);
2210 ctx->param = param;
2211 }
2212
2213IMPLEMENT_STACK_OF(X509)
2214IMPLEMENT_ASN1_SET_OF(X509)
2215
2216IMPLEMENT_STACK_OF(X509_NAME)
2217
2218IMPLEMENT_STACK_OF(X509_ATTRIBUTE)
2219IMPLEMENT_ASN1_SET_OF(X509_ATTRIBUTE)
02220
=== added directory '.pc/c_rehash-multi.patch'
=== added directory '.pc/c_rehash-multi.patch/tools'
=== added file '.pc/c_rehash-multi.patch/tools/c_rehash.in'
--- .pc/c_rehash-multi.patch/tools/c_rehash.in 1970-01-01 00:00:00 +0000
+++ .pc/c_rehash-multi.patch/tools/c_rehash.in 2011-09-15 05:17:15 +0000
@@ -0,0 +1,192 @@
1#!/usr/local/bin/perl
2
3
4# Perl c_rehash script, scan all files in a directory
5# and add symbolic links to their hash values.
6
7my $openssl;
8
9my $dir;
10my $prefix;
11
12if(defined $ENV{OPENSSL}) {
13 $openssl = $ENV{OPENSSL};
14} else {
15 $openssl = "openssl";
16 $ENV{OPENSSL} = $openssl;
17}
18
19my $pwd;
20eval "require Cwd";
21if (defined(&Cwd::getcwd)) {
22 $pwd=Cwd::getcwd();
23} else {
24 $pwd=`pwd`; chomp($pwd);
25}
26my $path_delim = ($pwd =~ /^[a-z]\:/i) ? ';' : ':'; # DOS/Win32 or Unix delimiter?
27
28$ENV{PATH} = "$prefix/bin" . ($ENV{PATH} ? $path_delim . $ENV{PATH} : ""); # prefix our path
29
30if(! -x $openssl) {
31 my $found = 0;
32 foreach (split /$path_delim/, $ENV{PATH}) {
33 if(-x "$_/$openssl") {
34 $found = 1;
35 $openssl = "$_/$openssl";
36 last;
37 }
38 }
39 if($found == 0) {
40 print STDERR "c_rehash: rehashing skipped ('openssl' program not available)\n";
41 exit 0;
42 }
43}
44
45if(@ARGV) {
46 @dirlist = @ARGV;
47} elsif($ENV{SSL_CERT_DIR}) {
48 @dirlist = split /$path_delim/, $ENV{SSL_CERT_DIR};
49} else {
50 $dirlist[0] = "$dir/certs";
51}
52
53if (-d $dirlist[0]) {
54 chdir $dirlist[0];
55 $openssl="$pwd/$openssl" if (!-x $openssl);
56 chdir $pwd;
57}
58
59foreach (@dirlist) {
60 if(-d $_ and -w $_) {
61 hash_dir($_);
62 }
63}
64
65sub hash_dir {
66 my %hashlist;
67 print "Doing $_[0]\n";
68 chdir $_[0];
69 opendir(DIR, ".");
70 my @flist = readdir(DIR);
71 # Delete any existing symbolic links
72 foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
73 if(-l $_) {
74 unlink $_;
75 }
76 }
77 closedir DIR;
78 FILE: foreach $fname (grep {/\.pem$|\.crt$/} @flist) {
79 # Check to see if certificates and/or CRLs present.
80 my ($cert, $crl) = check_file($fname);
81 if(!$cert && !$crl) {
82 ($cert, $crl) = check_file("$openssl x509 -in \"$fname\" -inform der -outform pem | ");
83 if(!$cert && !$crl) {
84 print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
85 next;
86 }
87 }
88 link_hash_cert($fname) if($cert);
89 link_hash_cert_old($fname) if($cert);
90 link_hash_crl($fname) if($crl);
91 }
92}
93
94sub check_file {
95 my ($is_cert, $is_crl) = (0,0);
96 my $fname = $_[0];
97 open IN, $fname;
98 while(<IN>) {
99 if(/^-----BEGIN (.*)-----/) {
100 my $hdr = $1;
101 if($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
102 $is_cert = 1;
103 last if($is_crl);
104 } elsif($hdr eq "X509 CRL") {
105 $is_crl = 1;
106 last if($is_cert);
107 }
108 }
109 }
110 close IN;
111 return ($is_cert, $is_crl);
112}
113
114
115# Link a certificate to its subject name hash value, each hash is of
116# the form <hash>.<n> where n is an integer. If the hash value already exists
117# then we need to up the value of n, unless its a duplicate in which
118# case we skip the link. We check for duplicates by comparing the
119# certificate fingerprints
120
121sub link_hash_cert {
122 my $fname = $_[0];
123 my $hashopt = $_[1] || '-subject_hash';
124 $fname =~ s/'/'\\''/g;
125 my ($hash, $fprint) = `"$openssl" x509 $hashopt -fingerprint -noout -in "$fname"`;
126 chomp $hash;
127 chomp $fprint;
128 $fprint =~ s/^.*=//;
129 $fprint =~ tr/://d;
130 my $suffix = 0;
131 # Search for an unused hash filename
132 while(exists $hashlist{"$hash.$suffix"}) {
133 # Hash matches: if fingerprint matches its a duplicate cert
134 if($hashlist{"$hash.$suffix"} eq $fprint) {
135 print STDERR "WARNING: Skipping duplicate certificate $fname\n";
136 return;
137 }
138 $suffix++;
139 }
140 $hash .= ".$suffix";
141 print "$fname => $hash\n";
142 $symlink_exists=eval {symlink("",""); 1};
143 if ($symlink_exists) {
144 symlink $fname, $hash;
145 } else {
146 open IN,"<$fname" or die "can't open $fname for read";
147 open OUT,">$hash" or die "can't open $hash for write";
148 print OUT <IN>; # does the job for small text files
149 close OUT;
150 close IN;
151 }
152 $hashlist{$hash} = $fprint;
153}
154
155sub link_hash_cert_old {
156 link_hash_cert($_[0], '-subject_hash_old');
157}
158
159# Same as above except for a CRL. CRL links are of the form <hash>.r<n>
160
161sub link_hash_crl {
162 my $fname = $_[0];
163 $fname =~ s/'/'\\''/g;
164 my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
165 if(!$hash || !fprint) {
166 ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname' -inform der`;
167 }
168 chomp $hash;
169 chomp $fprint;
170 $fprint =~ s/^.*=//;
171 $fprint =~ tr/://d;
172 my $suffix = 0;
173 # Search for an unused hash filename
174 while(exists $hashlist{"$hash.r$suffix"}) {
175 # Hash matches: if fingerprint matches its a duplicate cert
176 if($hashlist{"$hash.r$suffix"} eq $fprint) {
177 print STDERR "WARNING: Skipping duplicate CRL $fname\n";
178 return;
179 }
180 $suffix++;
181 }
182 $hash .= ".r$suffix";
183 print "$fname => $hash\n";
184 $symlink_exists=eval {symlink("",""); 1};
185 if ($symlink_exists) {
186 symlink $fname, $hash;
187 } else {
188 system ("cp", $fname, $hash);
189 }
190 $hashlist{$hash} = $fprint;
191}
192
0193
=== modified file '.pc/config-hurd.patch/config'
--- .pc/config-hurd.patch/config 2010-12-12 15:37:21 +0000
+++ .pc/config-hurd.patch/config 2011-09-15 05:17:15 +0000
@@ -825,6 +825,10 @@
825# options="$options -DATALLA"825# options="$options -DATALLA"
826#fi826#fi
827827
828($CC -Wa,--help -c -o /dev/null -x assembler /dev/null 2>&1 | \
829 grep \\--noexecstack) 2>&1 > /dev/null && \
830 options="$options -Wa,--noexecstack"
831
828# gcc < 2.8 does not support -march=ultrasparc832# gcc < 2.8 does not support -march=ultrasparc
829if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]833if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
830then834then
831835
=== added directory '.pc/dgst_hmac.patch'
=== added directory '.pc/dgst_hmac.patch/apps'
=== added file '.pc/dgst_hmac.patch/apps/dgst.c'
--- .pc/dgst_hmac.patch/apps/dgst.c 1970-01-01 00:00:00 +0000
+++ .pc/dgst_hmac.patch/apps/dgst.c 2011-09-15 05:17:15 +0000
@@ -0,0 +1,632 @@
1/* apps/dgst.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58
59#include <stdio.h>
60#include <string.h>
61#include <stdlib.h>
62#include "apps.h"
63#include <openssl/bio.h>
64#include <openssl/err.h>
65#include <openssl/evp.h>
66#include <openssl/objects.h>
67#include <openssl/x509.h>
68#include <openssl/pem.h>
69#include <openssl/hmac.h>
70
71#undef BUFSIZE
72#define BUFSIZE 1024*8
73
74#undef PROG
75#define PROG dgst_main
76
77int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
78 EVP_PKEY *key, unsigned char *sigin, int siglen,
79 const char *sig_name, const char *md_name,
80 const char *file,BIO *bmd);
81
82static void list_md_fn(const EVP_MD *m,
83 const char *from, const char *to, void *arg)
84 {
85 const char *mname;
86 /* Skip aliases */
87 if (!m)
88 return;
89 mname = OBJ_nid2ln(EVP_MD_type(m));
90 /* Skip shortnames */
91 if (strcmp(from, mname))
92 return;
93 /* Skip clones */
94 if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST)
95 return;
96 if (strchr(mname, ' '))
97 mname= EVP_MD_name(m);
98 BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n",
99 mname, mname);
100 }
101
102int MAIN(int, char **);
103
104int MAIN(int argc, char **argv)
105 {
106 ENGINE *e = NULL;
107 unsigned char *buf=NULL;
108 int i,err=1;
109 const EVP_MD *md=NULL,*m;
110 BIO *in=NULL,*inp;
111 BIO *bmd=NULL;
112 BIO *out = NULL;
113#define PROG_NAME_SIZE 39
114 char pname[PROG_NAME_SIZE+1];
115 int separator=0;
116 int debug=0;
117 int keyform=FORMAT_PEM;
118 const char *outfile = NULL, *keyfile = NULL;
119 const char *sigfile = NULL, *randfile = NULL;
120 int out_bin = -1, want_pub = 0, do_verify = 0;
121 EVP_PKEY *sigkey = NULL;
122 unsigned char *sigbuf = NULL;
123 int siglen = 0;
124 char *passargin = NULL, *passin = NULL;
125#ifndef OPENSSL_NO_ENGINE
126 char *engine=NULL;
127#endif
128 char *hmac_key=NULL;
129 char *mac_name=NULL;
130 STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
131
132 apps_startup();
133
134 if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL)
135 {
136 BIO_printf(bio_err,"out of memory\n");
137 goto end;
138 }
139 if (bio_err == NULL)
140 if ((bio_err=BIO_new(BIO_s_file())) != NULL)
141 BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
142
143 if (!load_config(bio_err, NULL))
144 goto end;
145
146 /* first check the program name */
147 program_name(argv[0],pname,sizeof pname);
148
149 md=EVP_get_digestbyname(pname);
150
151 argc--;
152 argv++;
153 while (argc > 0)
154 {
155 if ((*argv)[0] != '-') break;
156 if (strcmp(*argv,"-c") == 0)
157 separator=1;
158 else if (strcmp(*argv,"-r") == 0)
159 separator=2;
160 else if (strcmp(*argv,"-rand") == 0)
161 {
162 if (--argc < 1) break;
163 randfile=*(++argv);
164 }
165 else if (strcmp(*argv,"-out") == 0)
166 {
167 if (--argc < 1) break;
168 outfile=*(++argv);
169 }
170 else if (strcmp(*argv,"-sign") == 0)
171 {
172 if (--argc < 1) break;
173 keyfile=*(++argv);
174 }
175 else if (!strcmp(*argv,"-passin"))
176 {
177 if (--argc < 1)
178 break;
179 passargin=*++argv;
180 }
181 else if (strcmp(*argv,"-verify") == 0)
182 {
183 if (--argc < 1) break;
184 keyfile=*(++argv);
185 want_pub = 1;
186 do_verify = 1;
187 }
188 else if (strcmp(*argv,"-prverify") == 0)
189 {
190 if (--argc < 1) break;
191 keyfile=*(++argv);
192 do_verify = 1;
193 }
194 else if (strcmp(*argv,"-signature") == 0)
195 {
196 if (--argc < 1) break;
197 sigfile=*(++argv);
198 }
199 else if (strcmp(*argv,"-keyform") == 0)
200 {
201 if (--argc < 1) break;
202 keyform=str2fmt(*(++argv));
203 }
204#ifndef OPENSSL_NO_ENGINE
205 else if (strcmp(*argv,"-engine") == 0)
206 {
207 if (--argc < 1) break;
208 engine= *(++argv);
209 e = setup_engine(bio_err, engine, 0);
210 }
211#endif
212 else if (strcmp(*argv,"-hex") == 0)
213 out_bin = 0;
214 else if (strcmp(*argv,"-binary") == 0)
215 out_bin = 1;
216 else if (strcmp(*argv,"-d") == 0)
217 debug=1;
218 else if (!strcmp(*argv,"-hmac"))
219 {
220 if (--argc < 1)
221 break;
222 hmac_key=*++argv;
223 }
224 else if (!strcmp(*argv,"-mac"))
225 {
226 if (--argc < 1)
227 break;
228 mac_name=*++argv;
229 }
230 else if (strcmp(*argv,"-sigopt") == 0)
231 {
232 if (--argc < 1)
233 break;
234 if (!sigopts)
235 sigopts = sk_OPENSSL_STRING_new_null();
236 if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
237 break;
238 }
239 else if (strcmp(*argv,"-macopt") == 0)
240 {
241 if (--argc < 1)
242 break;
243 if (!macopts)
244 macopts = sk_OPENSSL_STRING_new_null();
245 if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
246 break;
247 }
248 else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
249 md=m;
250 else
251 break;
252 argc--;
253 argv++;
254 }
255
256
257 if(do_verify && !sigfile) {
258 BIO_printf(bio_err, "No signature to verify: use the -signature option\n");
259 goto end;
260 }
261
262 if ((argc > 0) && (argv[0][0] == '-')) /* bad option */
263 {
264 BIO_printf(bio_err,"unknown option '%s'\n",*argv);
265 BIO_printf(bio_err,"options are\n");
266 BIO_printf(bio_err,"-c to output the digest with separating colons\n");
267 BIO_printf(bio_err,"-r to output the digest in coreutils format\n");
268 BIO_printf(bio_err,"-d to output debug info\n");
269 BIO_printf(bio_err,"-hex output as hex dump\n");
270 BIO_printf(bio_err,"-binary output in binary form\n");
271 BIO_printf(bio_err,"-sign file sign digest using private key in file\n");
272 BIO_printf(bio_err,"-verify file verify a signature using public key in file\n");
273 BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n");
274 BIO_printf(bio_err,"-keyform arg key file format (PEM or ENGINE)\n");
275 BIO_printf(bio_err,"-out filename output to filename rather than stdout\n");
276 BIO_printf(bio_err,"-signature file signature to verify\n");
277 BIO_printf(bio_err,"-sigopt nm:v signature parameter\n");
278 BIO_printf(bio_err,"-hmac key create hashed MAC with key\n");
279 BIO_printf(bio_err,"-mac algorithm create MAC (not neccessarily HMAC)\n");
280 BIO_printf(bio_err,"-macopt nm:v MAC algorithm parameters or key\n");
281#ifndef OPENSSL_NO_ENGINE
282 BIO_printf(bio_err,"-engine e use engine e, possibly a hardware device.\n");
283#endif
284
285 EVP_MD_do_all_sorted(list_md_fn, bio_err);
286 goto end;
287 }
288
289 in=BIO_new(BIO_s_file());
290 bmd=BIO_new(BIO_f_md());
291 if (debug)
292 {
293 BIO_set_callback(in,BIO_debug_callback);
294 /* needed for windows 3.1 */
295 BIO_set_callback_arg(in,(char *)bio_err);
296 }
297
298 if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
299 {
300 BIO_printf(bio_err, "Error getting password\n");
301 goto end;
302 }
303
304 if ((in == NULL) || (bmd == NULL))
305 {
306 ERR_print_errors(bio_err);
307 goto end;
308 }
309
310 if(out_bin == -1) {
311 if(keyfile)
312 out_bin = 1;
313 else
314 out_bin = 0;
315 }
316
317 if(randfile)
318 app_RAND_load_file(randfile, bio_err, 0);
319
320 if(outfile) {
321 if(out_bin)
322 out = BIO_new_file(outfile, "wb");
323 else out = BIO_new_file(outfile, "w");
324 } else {
325 out = BIO_new_fp(stdout, BIO_NOCLOSE);
326#ifdef OPENSSL_SYS_VMS
327 {
328 BIO *tmpbio = BIO_new(BIO_f_linebuffer());
329 out = BIO_push(tmpbio, out);
330 }
331#endif
332 }
333
334 if(!out) {
335 BIO_printf(bio_err, "Error opening output file %s\n",
336 outfile ? outfile : "(stdout)");
337 ERR_print_errors(bio_err);
338 goto end;
339 }
340 if ((!!mac_name + !!keyfile + !!hmac_key) > 1)
341 {
342 BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
343 goto end;
344 }
345
346 if(keyfile)
347 {
348 if (want_pub)
349 sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
350 e, "key file");
351 else
352 sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
353 e, "key file");
354 if (!sigkey)
355 {
356 /* load_[pub]key() has already printed an appropriate
357 message */
358 goto end;
359 }
360 }
361
362 if (mac_name)
363 {
364 EVP_PKEY_CTX *mac_ctx = NULL;
365 int r = 0;
366 if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0))
367 goto mac_end;
368 if (macopts)
369 {
370 char *macopt;
371 for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++)
372 {
373 macopt = sk_OPENSSL_STRING_value(macopts, i);
374 if (pkey_ctrl_string(mac_ctx, macopt) <= 0)
375 {
376 BIO_printf(bio_err,
377 "MAC parameter error \"%s\"\n",
378 macopt);
379 ERR_print_errors(bio_err);
380 goto mac_end;
381 }
382 }
383 }
384 if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0)
385 {
386 BIO_puts(bio_err, "Error generating key\n");
387 ERR_print_errors(bio_err);
388 goto mac_end;
389 }
390 r = 1;
391 mac_end:
392 if (mac_ctx)
393 EVP_PKEY_CTX_free(mac_ctx);
394 if (r == 0)
395 goto end;
396 }
397
398 if (hmac_key)
399 {
400 sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
401 (unsigned char *)hmac_key, -1);
402 if (!sigkey)
403 goto end;
404 }
405
406 if (sigkey)
407 {
408 EVP_MD_CTX *mctx = NULL;
409 EVP_PKEY_CTX *pctx = NULL;
410 int r;
411 if (!BIO_get_md_ctx(bmd, &mctx))
412 {
413 BIO_printf(bio_err, "Error getting context\n");
414 ERR_print_errors(bio_err);
415 goto end;
416 }
417 if (do_verify)
418 r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
419 else
420 r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);
421 if (!r)
422 {
423 BIO_printf(bio_err, "Error setting context\n");
424 ERR_print_errors(bio_err);
425 goto end;
426 }
427 if (sigopts)
428 {
429 char *sigopt;
430 for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++)
431 {
432 sigopt = sk_OPENSSL_STRING_value(sigopts, i);
433 if (pkey_ctrl_string(pctx, sigopt) <= 0)
434 {
435 BIO_printf(bio_err,
436 "parameter error \"%s\"\n",
437 sigopt);
438 ERR_print_errors(bio_err);
439 goto end;
440 }
441 }
442 }
443 }
444 /* we use md as a filter, reading from 'in' */
445 else
446 {
447 if (md == NULL)
448 md = EVP_md5();
449 if (!BIO_set_md(bmd,md))
450 {
451 BIO_printf(bio_err, "Error setting digest %s\n", pname);
452 ERR_print_errors(bio_err);
453 goto end;
454 }
455 }
456
457 if(sigfile && sigkey) {
458 BIO *sigbio;
459 sigbio = BIO_new_file(sigfile, "rb");
460 siglen = EVP_PKEY_size(sigkey);
461 sigbuf = OPENSSL_malloc(siglen);
462 if(!sigbio) {
463 BIO_printf(bio_err, "Error opening signature file %s\n",
464 sigfile);
465 ERR_print_errors(bio_err);
466 goto end;
467 }
468 siglen = BIO_read(sigbio, sigbuf, siglen);
469 BIO_free(sigbio);
470 if(siglen <= 0) {
471 BIO_printf(bio_err, "Error reading signature file %s\n",
472 sigfile);
473 ERR_print_errors(bio_err);
474 goto end;
475 }
476 }
477 inp=BIO_push(bmd,in);
478
479 if (md == NULL)
480 {
481 EVP_MD_CTX *tctx;
482 BIO_get_md_ctx(bmd, &tctx);
483 md = EVP_MD_CTX_md(tctx);
484 }
485
486 if (argc == 0)
487 {
488 BIO_set_fp(in,stdin,BIO_NOCLOSE);
489 err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
490 siglen,NULL,NULL,"stdin",bmd);
491 }
492 else
493 {
494 const char *md_name = NULL, *sig_name = NULL;
495 if(!out_bin)
496 {
497 if (sigkey)
498 {
499 const EVP_PKEY_ASN1_METHOD *ameth;
500 ameth = EVP_PKEY_get0_asn1(sigkey);
501 if (ameth)
502 EVP_PKEY_asn1_get0_info(NULL, NULL,
503 NULL, NULL, &sig_name, ameth);
504 }
505 md_name = EVP_MD_name(md);
506 }
507 err = 0;
508 for (i=0; i<argc; i++)
509 {
510 int r;
511 if (BIO_read_filename(in,argv[i]) <= 0)
512 {
513 perror(argv[i]);
514 err++;
515 continue;
516 }
517 else
518 r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
519 siglen,sig_name,md_name, argv[i],bmd);
520 if(r)
521 err=r;
522 (void)BIO_reset(bmd);
523 }
524 }
525end:
526 if (buf != NULL)
527 {
528 OPENSSL_cleanse(buf,BUFSIZE);
529 OPENSSL_free(buf);
530 }
531 if (in != NULL) BIO_free(in);
532 if (passin)
533 OPENSSL_free(passin);
534 BIO_free_all(out);
535 EVP_PKEY_free(sigkey);
536 if (sigopts)
537 sk_OPENSSL_STRING_free(sigopts);
538 if (macopts)
539 sk_OPENSSL_STRING_free(macopts);
540 if(sigbuf) OPENSSL_free(sigbuf);
541 if (bmd != NULL) BIO_free(bmd);
542 apps_shutdown();
543 OPENSSL_EXIT(err);
544 }
545
546int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
547 EVP_PKEY *key, unsigned char *sigin, int siglen,
548 const char *sig_name, const char *md_name,
549 const char *file,BIO *bmd)
550 {
551 size_t len;
552 int i;
553
554 for (;;)
555 {
556 i=BIO_read(bp,(char *)buf,BUFSIZE);
557 if(i < 0)
558 {
559 BIO_printf(bio_err, "Read Error in %s\n",file);
560 ERR_print_errors(bio_err);
561 return 1;
562 }
563 if (i == 0) break;
564 }
565 if(sigin)
566 {
567 EVP_MD_CTX *ctx;
568 BIO_get_md_ctx(bp, &ctx);
569 i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen);
570 if(i > 0)
571 BIO_printf(out, "Verified OK\n");
572 else if(i == 0)
573 {
574 BIO_printf(out, "Verification Failure\n");
575 return 1;
576 }
577 else
578 {
579 BIO_printf(bio_err, "Error Verifying Data\n");
580 ERR_print_errors(bio_err);
581 return 1;
582 }
583 return 0;
584 }
585 if(key)
586 {
587 EVP_MD_CTX *ctx;
588 BIO_get_md_ctx(bp, &ctx);
589 len = BUFSIZE;
590 if(!EVP_DigestSignFinal(ctx, buf, &len))
591 {
592 BIO_printf(bio_err, "Error Signing Data\n");
593 ERR_print_errors(bio_err);
594 return 1;
595 }
596 }
597 else
598 {
599 len=BIO_gets(bp,(char *)buf,BUFSIZE);
600 if ((int)len <0)
601 {
602 ERR_print_errors(bio_err);
603 return 1;
604 }
605 }
606
607 if(binout) BIO_write(out, buf, len);
608 else if (sep == 2)
609 {
610 for (i=0; i<(int)len; i++)
611 BIO_printf(out, "%02x",buf[i]);
612 BIO_printf(out, " *%s\n", file);
613 }
614 else
615 {
616 if (sig_name)
617 BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file);
618 else if (md_name)
619 BIO_printf(out, "%s(%s)= ", md_name, file);
620 else
621 BIO_printf(out, "(%s)= ", file);
622 for (i=0; i<(int)len; i++)
623 {
624 if (sep && (i != 0))
625 BIO_printf(out, ":");
626 BIO_printf(out, "%02x",buf[i]);
627 }
628 BIO_printf(out, "\n");
629 }
630 return 0;
631 }
632
0633
=== added directory '.pc/dgst_hmac.patch/doc'
=== added directory '.pc/dgst_hmac.patch/doc/apps'
=== added file '.pc/dgst_hmac.patch/doc/apps/dgst.pod'
--- .pc/dgst_hmac.patch/doc/apps/dgst.pod 1970-01-01 00:00:00 +0000
+++ .pc/dgst_hmac.patch/doc/apps/dgst.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,162 @@
1=pod
2
3=head1 NAME
4
5dgst, md5, md4, md2, sha1, sha, mdc2, ripemd160 - message digests
6
7=head1 SYNOPSIS
8
9B<openssl> B<dgst>
10[B<-md5|-md4|-md2|-sha1|-sha|-mdc2|-ripemd160|-dss1>]
11[B<-c>]
12[B<-d>]
13[B<-hex>]
14[B<-binary>]
15[B<-out filename>]
16[B<-sign filename>]
17[B<-keyform arg>]
18[B<-passin arg>]
19[B<-verify filename>]
20[B<-prverify filename>]
21[B<-signature filename>]
22[B<-hmac key>]
23[B<file...>]
24
25[B<md5|md4|md2|sha1|sha|mdc2|ripemd160>]
26[B<-c>]
27[B<-d>]
28[B<file...>]
29
30=head1 DESCRIPTION
31
32The digest functions output the message digest of a supplied file or files
33in hexadecimal form. They can also be used for digital signing and verification.
34
35=head1 OPTIONS
36
37=over 4
38
39=item B<-c>
40
41print out the digest in two digit groups separated by colons, only relevant if
42B<hex> format output is used.
43
44=item B<-d>
45
46print out BIO debugging information.
47
48=item B<-hex>
49
50digest is to be output as a hex dump. This is the default case for a "normal"
51digest as opposed to a digital signature.
52
53=item B<-binary>
54
55output the digest or signature in binary form.
56
57=item B<-out filename>
58
59filename to output to, or standard output by default.
60
61=item B<-sign filename>
62
63digitally sign the digest using the private key in "filename".
64
65=item B<-keyform arg>
66
67Specifies the key format to sign digest with. Only PEM and ENGINE
68formats are supported by the B<dgst> command.
69
70=item B<-engine id>
71
72Use engine B<id> for operations (including private key storage).
73This engine is not used as source for digest algorithms, unless it is
74also specified in the configuration file.
75
76=item B<-sigopt nm:v>
77
78Pass options to the signature algorithm during sign or verify operations.
79Names and values of these options are algorithm-specific.
80
81
82=item B<-passin arg>
83
84the private key password source. For more information about the format of B<arg>
85see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)|openssl(1)>.
86
87=item B<-verify filename>
88
89verify the signature using the the public key in "filename".
90The output is either "Verification OK" or "Verification Failure".
91
92=item B<-prverify filename>
93
94verify the signature using the the private key in "filename".
95
96=item B<-signature filename>
97
98the actual signature to verify.
99
100=item B<-hmac key>
101
102create a hashed MAC using "key".
103
104=item B<-mac alg>
105
106create MAC (keyed Message Authentication Code). The most popular MAC
107algorithm is HMAC (hash-based MAC), but there are other MAC algorithms
108which are not based on hash, for instance B<gost-mac> algorithm,
109supported by B<ccgost> engine. MAC keys and other options should be set
110via B<-macopt> parameter.
111
112=item B<-macopt nm:v>
113
114Passes options to MAC algorithm, specified by B<-mac> key.
115Following options are supported by both by B<HMAC> and B<gost-mac>:
116
117=over 8
118
119=item B<key:string>
120
121Specifies MAC key as alphnumeric string (use if key contain printable
122characters only). String length must conform to any restrictions of
123the MAC algorithm for example exactly 32 chars for gost-mac.
124
125=item B<hexkey:string>
126
127Specifies MAC key in hexadecimal form (two hex digits per byte).
128Key length must conform to any restrictions of the MAC algorithm
129for example exactly 32 chars for gost-mac.
130
131=back
132
133=item B<-rand file(s)>
134
135a file or files containing random data used to seed the random number
136generator, or an EGD socket (see L<RAND_egd(3)|RAND_egd(3)>).
137Multiple files can be specified separated by a OS-dependent character.
138The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
139all others.
140
141=item B<file...>
142
143file or files to digest. If no files are specified then standard input is
144used.
145
146=back
147
148=head1 NOTES
149
150The digest of choice for all new applications is SHA1. Other digests are
151however still widely used.
152
153If you wish to sign or verify data using the DSA algorithm then the dss1
154digest must be used.
155
156A source of random numbers is required for certain signing algorithms, in
157particular DSA.
158
159The signing and verify options should only be used if a single file is
160being signed or verified.
161
162=cut
0163
=== modified file '.pc/engines-path.patch/Configure'
--- .pc/engines-path.patch/Configure 2010-12-19 16:24:16 +0000
+++ .pc/engines-path.patch/Configure 2011-09-15 05:17:15 +0000
@@ -362,6 +362,7 @@
362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",362"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",363"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 364"debian-s390","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-s390x","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
365"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",366"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
366"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",367"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
367"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",368"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -370,7 +371,7 @@
370"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",371"debian-sparc","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
371"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",372"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -mcpu=v8 -g -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
372"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",373"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO -O3 -mcpu=v9 -Wa,--noexecstack -Wa,-Av8plus -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
373"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",374"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
374375
375####376####
376#### Variety of LINUX:-)377#### Variety of LINUX:-)
377378
=== modified file '.pc/gnu_source.patch/crypto/dso/dso_dlfcn.c'
--- .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c 2010-12-19 16:24:16 +0000
+++ .pc/gnu_source.patch/crypto/dso/dso_dlfcn.c 2011-09-15 05:17:15 +0000
@@ -85,6 +85,7 @@
85# define HAVE_DLINFO 185# define HAVE_DLINFO 1
86# if defined(_AIX) || defined(__CYGWIN__) || \86# if defined(_AIX) || defined(__CYGWIN__) || \
87 defined(__SCO_VERSION__) || defined(_SCO_ELF) || \87 defined(__SCO_VERSION__) || defined(_SCO_ELF) || \
88 (defined(__osf__) && !defined(RTLD_NEXT)) || \
88 (defined(__OpenBSD__) && !defined(RTLD_SELF))89 (defined(__OpenBSD__) && !defined(RTLD_SELF))
89# undef HAVE_DLINFO90# undef HAVE_DLINFO
90# endif91# endif
9192
=== added directory '.pc/libdoc-manpgs-pod-spell.patch'
=== added directory '.pc/libdoc-manpgs-pod-spell.patch/doc'
=== added directory '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto'
=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod'
--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod 1970-01-01 00:00:00 +0000
+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/ASN1_generate_nconf.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,265 @@
1=pod
2
3=head1 NAME
4
5ASN1_generate_nconf, ASN1_generate_v3 - ASN1 generation functions
6
7=head1 SYNOPSIS
8
9 #include <openssl/asn1.h>
10
11 ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf);
12 ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf);
13
14=head1 DESCRIPTION
15
16These functions generate the ASN1 encoding of a string
17in an B<ASN1_TYPE> structure.
18
19B<str> contains the string to encode B<nconf> or B<cnf> contains
20the optional configuration information where additional strings
21will be read from. B<nconf> will typically come from a config
22file wherease B<cnf> is obtained from an B<X509V3_CTX> structure
23which will typically be used by X509 v3 certificate extension
24functions. B<cnf> or B<nconf> can be set to B<NULL> if no additional
25configuration will be used.
26
27=head1 GENERATION STRING FORMAT
28
29The actual data encoded is determined by the string B<str> and
30the configuration information. The general format of the string
31is:
32
33=over 2
34
35=item B<[modifier,]type[:value]>
36
37=back
38
39That is zero or more comma separated modifiers followed by a type
40followed by an optional colon and a value. The formats of B<type>,
41B<value> and B<modifier> are explained below.
42
43=head2 SUPPORTED TYPES
44
45The supported types are listed below. Unless otherwise specified
46only the B<ASCII> format is permissible.
47
48=over 2
49
50=item B<BOOLEAN>, B<BOOL>
51
52This encodes a boolean type. The B<value> string is mandatory and
53should be B<TRUE> or B<FALSE>. Additionally B<TRUE>, B<true>, B<Y>,
54B<y>, B<YES>, B<yes>, B<FALSE>, B<false>, B<N>, B<n>, B<NO> and B<no>
55are acceptable.
56
57=item B<NULL>
58
59Encode the B<NULL> type, the B<value> string must not be present.
60
61=item B<INTEGER>, B<INT>
62
63Encodes an ASN1 B<INTEGER> type. The B<value> string represents
64the value of the integer, it can be preceeded by a minus sign and
65is normally interpreted as a decimal value unless the prefix B<0x>
66is included.
67
68=item B<ENUMERATED>, B<ENUM>
69
70Encodes the ASN1 B<ENUMERATED> type, it is otherwise identical to
71B<INTEGER>.
72
73=item B<OBJECT>, B<OID>
74
75Encodes an ASN1 B<OBJECT IDENTIFIER>, the B<value> string can be
76a short name, a long name or numerical format.
77
78=item B<UTCTIME>, B<UTC>
79
80Encodes an ASN1 B<UTCTime> structure, the value should be in
81the format B<YYMMDDHHMMSSZ>.
82
83=item B<GENERALIZEDTIME>, B<GENTIME>
84
85Encodes an ASN1 B<GeneralizedTime> structure, the value should be in
86the format B<YYYYMMDDHHMMSSZ>.
87
88=item B<OCTETSTRING>, B<OCT>
89
90Encodes an ASN1 B<OCTET STRING>. B<value> represents the contents
91of this structure, the format strings B<ASCII> and B<HEX> can be
92used to specify the format of B<value>.
93
94=item B<BITSTRING>, B<BITSTR>
95
96Encodes an ASN1 B<BIT STRING>. B<value> represents the contents
97of this structure, the format strings B<ASCII>, B<HEX> and B<BITLIST>
98can be used to specify the format of B<value>.
99
100If the format is anything other than B<BITLIST> the number of unused
101bits is set to zero.
102
103=item B<UNIVERSALSTRING>, B<UNIV>, B<IA5>, B<IA5STRING>, B<UTF8>,
104B<UTF8String>, B<BMP>, B<BMPSTRING>, B<VISIBLESTRING>,
105B<VISIBLE>, B<PRINTABLESTRING>, B<PRINTABLE>, B<T61>,
106B<T61STRING>, B<TELETEXSTRING>, B<GeneralString>, B<NUMERICSTRING>,
107B<NUMERIC>
108
109These encode the corresponding string types. B<value> represents the
110contents of this structure. The format can be B<ASCII> or B<UTF8>.
111
112=item B<SEQUENCE>, B<SEQ>, B<SET>
113
114Formats the result as an ASN1 B<SEQUENCE> or B<SET> type. B<value>
115should be a section name which will contain the contents. The
116field names in the section are ignored and the values are in the
117generated string format. If B<value> is absent then an empty SEQUENCE
118will be encoded.
119
120=back
121
122=head2 MODIFIERS
123
124Modifiers affect the following structure, they can be used to
125add EXPLICIT or IMPLICIT tagging, add wrappers or to change
126the string format of the final type and value. The supported
127formats are documented below.
128
129=over 2
130
131=item B<EXPLICIT>, B<EXP>
132
133Add an explicit tag to the following structure. This string
134should be followed by a colon and the tag value to use as a
135decimal value.
136
137By following the number with B<U>, B<A>, B<P> or B<C> UNIVERSAL,
138APPLICATION, PRIVATE or CONTEXT SPECIFIC tagging can be used,
139the default is CONTEXT SPECIFIC.
140
141=item B<IMPLICIT>, B<IMP>
142
143This is the same as B<EXPLICIT> except IMPLICIT tagging is used
144instead.
145
146=item B<OCTWRAP>, B<SEQWRAP>, B<SETWRAP>, B<BITWRAP>
147
148The following structure is surrounded by an OCTET STRING, a SEQUENCE,
149a SET or a BIT STRING respectively. For a BIT STRING the number of unused
150bits is set to zero.
151
152=item B<FORMAT>
153
154This specifies the format of the ultimate value. It should be followed
155by a colon and one of the strings B<ASCII>, B<UTF8>, B<HEX> or B<BITLIST>.
156
157If no format specifier is included then B<ASCII> is used. If B<UTF8> is
158specified then the value string must be a valid B<UTF8> string. For B<HEX> the
159output must be a set of hex digits. B<BITLIST> (which is only valid for a BIT
160STRING) is a comma separated list of the indices of the set bits, all other
161bits are zero.
162
163=back
164
165=head1 EXAMPLES
166
167A simple IA5String:
168
169 IA5STRING:Hello World
170
171An IA5String explicitly tagged:
172
173 EXPLICIT:0,IA5STRING:Hello World
174
175An IA5String explicitly tagged using APPLICATION tagging:
176
177 EXPLICIT:0A,IA5STRING:Hello World
178
179A BITSTRING with bits 1 and 5 set and all others zero:
180
181 FORMAT:BITLIST,BITSTRING:1,5
182
183A more complex example using a config file to produce a
184SEQUENCE consiting of a BOOL an OID and a UTF8String:
185
186 asn1 = SEQUENCE:seq_section
187
188 [seq_section]
189
190 field1 = BOOLEAN:TRUE
191 field2 = OID:commonName
192 field3 = UTF8:Third field
193
194This example produces an RSAPrivateKey structure, this is the
195key contained in the file client.pem in all OpenSSL distributions
196(note: the field names such as 'coeff' are ignored and are present just
197for clarity):
198
199 asn1=SEQUENCE:private_key
200 [private_key]
201 version=INTEGER:0
202
203 n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
204 D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
205
206 e=INTEGER:0x010001
207
208 d=INTEGER:0x6F05EAD2F27FFAEC84BEC360C4B928FD5F3A9865D0FCAAD291E2A52F4A\
209 F810DC6373278C006A0ABBA27DC8C63BF97F7E666E27C5284D7D3B1FFFE16B7A87B51D
210
211 p=INTEGER:0xF3929B9435608F8A22C208D86795271D54EBDFB09DDEF539AB083DA912\
212 D4BD57
213
214 q=INTEGER:0xC50016F89DFF2561347ED1186A46E150E28BF2D0F539A1594BBD7FE467\
215 46EC4F
216
217 exp1=INTEGER:0x9E7D4326C924AFC1DEA40B45650134966D6F9DFA3A7F9D698CD4ABEA\
218 9C0A39B9
219
220 exp2=INTEGER:0xBA84003BB95355AFB7C50DF140C60513D0BA51D637272E355E397779\
221 E7B2458F
222
223 coeff=INTEGER:0x30B9E4F2AFA5AC679F920FC83F1F2DF1BAF1779CF989447FABC2F5\
224 628657053A
225
226This example is the corresponding public key in a SubjectPublicKeyInfo
227structure:
228
229 # Start with a SEQUENCE
230 asn1=SEQUENCE:pubkeyinfo
231
232 # pubkeyinfo contains an algorithm identifier and the public key wrapped
233 # in a BIT STRING
234 [pubkeyinfo]
235 algorithm=SEQUENCE:rsa_alg
236 pubkey=BITWRAP,SEQUENCE:rsapubkey
237
238 # algorithm ID for RSA is just an OID and a NULL
239 [rsa_alg]
240 algorithm=OID:rsaEncryption
241 parameter=NULL
242
243 # Actual public key: modulus and exponent
244 [rsapubkey]
245 n=INTEGER:0xBB6FE79432CC6EA2D8F970675A5A87BFBE1AFF0BE63E879F2AFFB93644\
246 D4D2C6D000430DEC66ABF47829E74B8C5108623A1C0EE8BE217B3AD8D36D5EB4FCA1D9
247
248 e=INTEGER:0x010001
249
250=head1 RETURN VALUES
251
252ASN1_generate_nconf() and ASN1_generate_v3() return the encoded
253data as an B<ASN1_TYPE> structure or B<NULL> if an error occurred.
254
255The error codes that can be obtained by L<ERR_get_error(3)|ERR_get_error(3)>.
256
257=head1 SEE ALSO
258
259L<ERR_get_error(3)|ERR_get_error(3)>
260
261=head1 HISTORY
262
263ASN1_generate_nconf() and ASN1_generate_v3() were added to OpenSSL 0.9.8
264
265=cut
0266
=== added file '.pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod'
--- .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod 1970-01-01 00:00:00 +0000
+++ .pc/libdoc-manpgs-pod-spell.patch/doc/crypto/BN_BLINDING_new.pod 2011-09-15 05:17:15 +0000
@@ -0,0 +1,115 @@
1=pod
2
3=head1 NAME
4
5BN_BLINDING_new, BN_BLINDING_free, BN_BLINDING_update, BN_BLINDING_convert,
6BN_BLINDING_invert, BN_BLINDING_convert_ex, BN_BLINDING_invert_ex,
7BN_BLINDING_get_thread_id, BN_BLINDING_set_thread_id, BN_BLINDING_get_flags,
8BN_BLINDING_set_flags, BN_BLINDING_create_param - blinding related BIGNUM
9functions.
10
11=head1 SYNOPSIS
12
13 #include <openssl/bn.h>
14
15 BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai,
16 BIGNUM *mod);
17 void BN_BLINDING_free(BN_BLINDING *b);
18 int BN_BLINDING_update(BN_BLINDING *b,BN_CTX *ctx);
19 int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
20 int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx);
21 int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b,
22 BN_CTX *ctx);
23 int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b,
24 BN_CTX *ctx);
25 #ifndef OPENSSL_NO_DEPRECATED
26 unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *);
27 void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long);
28 #endif
29 CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *);
30 unsigned long BN_BLINDING_get_flags(const BN_BLINDING *);
31 void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long);
32 BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b,
33 const BIGNUM *e, BIGNUM *m, BN_CTX *ctx,
34 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
35 const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx),
36 BN_MONT_CTX *m_ctx);
37
38=head1 DESCRIPTION
39
40BN_BLINDING_new() allocates a new B<BN_BLINDING> structure and copies
41the B<A> and B<Ai> values into the newly created B<BN_BLINDING> object.
42
43BN_BLINDING_free() frees the B<BN_BLINDING> structure.
44
45BN_BLINDING_update() updates the B<BN_BLINDING> parameters by squaring
46the B<A> and B<Ai> or, after specific number of uses and if the
47necessary parameters are set, by re-creating the blinding parameters.
48
49BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>.
50If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be
51returned in B<r> (this is useful if a B<RSA> object is shared amoung
52several threads). BN_BLINDING_invert_ex() multiplies B<n> with the
53inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as
54the inverse blinding.
55
56BN_BLINDING_convert() and BN_BLINDING_invert() are wrapper
57functions for BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex()
58with B<r> set to NULL.
59
60BN_BLINDING_thread_id() provides access to the B<CRYPTO_THREADID>
61object within the B<BN_BLINDING> structure. This is to help users
62provide proper locking if needed for multi-threaded use. The "thread
63id" object of a newly allocated B<BN_BLINDING> structure is
64initialised to the thread id in which BN_BLINDING_new() was called.
65
66BN_BLINDING_get_flags() returns the BN_BLINDING flags. Currently
67there are two supported flags: B<BN_BLINDING_NO_UPDATE> and
68B<BN_BLINDING_NO_RECREATE>. B<BN_BLINDING_NO_UPDATE> inhibits the
69automatic update of the B<BN_BLINDING> parameters after each use
70and B<BN_BLINDING_NO_RECREATE> inhibits the automatic re-creation
71of the B<BN_BLINDING> parameters after a fixed number of uses (currently
7232). In newly allocated B<BN_BLINDING> objects no flags are set.
73BN_BLINDING_set_flags() sets the B<BN_BLINDING> parameters flags.
74
75BN_BLINDING_create_param() creates new B<BN_BLINDING> parameters
76using the exponent B<e> and the modulus B<m>. B<bn_mod_exp> and
77B<m_ctx> can be used to pass special functions for exponentiation
78(normally BN_mod_exp_mont() and B<BN_MONT_CTX>).
79
80=head1 RETURN VALUES
81
82BN_BLINDING_new() returns the newly allocated B<BN_BLINDING> structure
83or NULL in case of an error.
84
85BN_BLINDING_update(), BN_BLINDING_convert(), BN_BLINDING_invert(),
86BN_BLINDING_convert_ex() and BN_BLINDING_invert_ex() return 1 on
87success and 0 if an error occured.
88
89BN_BLINDING_thread_id() returns a pointer to the thread id object
90within a B<BN_BLINDING> object.
91
92BN_BLINDING_get_flags() returns the currently set B<BN_BLINDING> flags
93(a B<unsigned long> value).
94
95BN_BLINDING_create_param() returns the newly created B<BN_BLINDING>
96parameters or NULL on error.
97
98=head1 SEE ALSO
99
100L<bn(3)|bn(3)>
101
102=head1 HISTORY
103
104BN_BLINDING_thread_id was first introduced in OpenSSL 1.0.0, and it
105deprecates BN_BLINDING_s