authornectar <nectar@FreeBSD.org>2004-03-17 15:49:33 +0000
committernectar <nectar@FreeBSD.org>2004-03-17 15:49:33 +0000
commit0f095e8a2af65fdcbf4af38dc6a00383e2fd6b3f (patch)
treec6fe9e2dc64448f48fdaf5e0b2778005ccc1baac /crypto/openssl/crypto/x509
parente8232d78abaf5a170e34e0742d0042a65bcaafe4 (diff)
downloadFreeBSD-src-0f095e8a2af65fdcbf4af38dc6a00383e2fd6b3f.zip
FreeBSD-src-0f095e8a2af65fdcbf4af38dc6a00383e2fd6b3f.tar.gz
Vendor import of OpenSSL 0.9.7d.
Diffstat (limited to 'crypto/openssl/crypto/x509')
-rw-r--r--crypto/openssl/crypto/x509/Makefile.ssl2
-rw-r--r--crypto/openssl/crypto/x509/by_dir.c34
-rw-r--r--crypto/openssl/crypto/x509/x509.h4
-rw-r--r--crypto/openssl/crypto/x509/x509_txt.c8
-rw-r--r--crypto/openssl/crypto/x509/x509_vfy.c55
-rw-r--r--crypto/openssl/crypto/x509/x509_vfy.h19
-rw-r--r--crypto/openssl/crypto/x509/x509type.c2
7 files changed, 103 insertions, 21 deletions
diff --git a/crypto/openssl/crypto/x509/Makefile.ssl b/crypto/openssl/crypto/x509/Makefile.ssl
index 6a5a879..3a34525 100644
--- a/crypto/openssl/crypto/x509/Makefile.ssl
+++ b/crypto/openssl/crypto/x509/Makefile.ssl
@@ -57,7 +57,7 @@ files:
$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
links:
- @$(TOP)/util/point.sh Makefile.ssl Makefile
+ @sh $(TOP)/util/point.sh Makefile.ssl Makefile
@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
diff --git a/crypto/openssl/crypto/x509/by_dir.c b/crypto/openssl/crypto/x509/by_dir.c
index 448bd7e..6207340 100644
--- a/crypto/openssl/crypto/x509/by_dir.c
+++ b/crypto/openssl/crypto/x509/by_dir.c
@@ -302,8 +302,38 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
k=0;
for (;;)
{
- sprintf(b->data,"%s/%08lx.%s%d",ctx->dirs[i],h,
- postfix,k);
+ char c = '/';
+#ifdef OPENSSL_SYS_VMS
+ c = ctx->dirs[i][strlen(ctx->dirs[i])-1];
+ if (c != ':' && c != '>' && c != ']')
+ {
+ /* If no separator is present, we assume the
+ directory specifier is a logical name, and
+ add a colon. We really should use better
+ VMS routines for merging things like this,
+ but this will do for now...
+ -- Richard Levitte */
+ c = ':';
+ }
+ else
+ {
+ c = '\0';
+ }
+#endif
+ if (c == '\0')
+ {
+ /* This is special. When c == '\0', no
+ directory separator should be added. */
+ BIO_snprintf(b->data,b->max,
+ "%s%08lx.%s%d",ctx->dirs[i],h,
+ postfix,k);
+ }
+ else
+ {
+ BIO_snprintf(b->data,b->max,
+ "%s%c%08lx.%s%d",ctx->dirs[i],c,h,
+ postfix,k);
+ }
k++;
if (stat(b->data,&st) < 0)
break;
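Review bot: Both `BIO_snprintf` calls in the lookup loop discard their return value, so if the formatted name ever exceeded `b->max` the truncated path would go straight to `stat()` and could match an unrelated file in the directory. The buffer sizing is outside this hunk, so this may be unreachable today, but testing for a negative return (which BIO_snprintf uses to signal truncation, as far as I know) and leaving the loop would make the bound self-enforcing. Under OPENSSL_SYS_VMS, `ctx->dirs[i][strlen(ctx->dirs[i])-1]` also reads one byte before the string if a directory entry is empty, so guard it unless empty entries are rejected where the list is built. get_cert_by_subject starts and ends outside the hunk.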
diff --git a/crypto/openssl/crypto/x509/x509.h b/crypto/openssl/crypto/x509/x509.h
index eaad568..8d0c7e2 100644
--- a/crypto/openssl/crypto/x509/x509.h
+++ b/crypto/openssl/crypto/x509/x509.h
@@ -810,10 +810,6 @@ X509_REQ *X509_REQ_dup(X509_REQ *req);
X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
X509_NAME *X509_NAME_dup(X509_NAME *xn);
X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
-#ifndef OPENSSL_NO_RSA
-RSA *RSAPublicKey_dup(RSA *rsa);
-RSA *RSAPrivateKey_dup(RSA *rsa);
-#endif
#endif /* !SSLEAY_MACROS */
diff --git a/crypto/openssl/crypto/x509/x509_txt.c b/crypto/openssl/crypto/x509/x509_txt.c
index 4f83db8..e31ebc6 100644
--- a/crypto/openssl/crypto/x509/x509_txt.c
+++ b/crypto/openssl/crypto/x509/x509_txt.c
@@ -147,8 +147,14 @@ const char *X509_verify_cert_error_string(long n)
case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
return("unhandled critical extension");
+ case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
+ return("key usage does not include CRL signing");
+
+ case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
+ return("unhandled critical CRL extension");
+
default:
- sprintf(buf,"error number %ld",n);
+ BIO_snprintf(buf,sizeof buf,"error number %ld",n);
return(buf);
}
}
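Review bot: The default branch still hands back `buf`, whose declaration is outside the hunk. If it is a function-static array, as `sizeof buf` suggests, every caller that hits an unknown code shares it, and the returned text can change under a concurrent caller. A comment on that branch such as `/* returns a shared static buffer: not thread-safe */` would make the limitation visible. If `buf` is ever changed to a pointer, `sizeof buf` silently becomes the pointer size, so the bound is worth tying to the declaration.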
diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c
index 2bb21b4..2e4d0b8 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.c
+++ b/crypto/openssl/crypto/x509/x509_vfy.c
@@ -383,6 +383,7 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
/* Check all untrusted certificates */
for (i = 0; i < ctx->last_untrusted; i++)
{
+ int ret;
x = sk_X509_value(ctx->chain, i);
if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
&& (x->ex_flags & EXFLAG_CRITICAL))
@@ -393,7 +394,10 @@ static int check_chain_purpose(X509_STORE_CTX *ctx)
ok=cb(0,ctx);
if (!ok) goto end;
}
- if (!X509_check_purpose(x, ctx->purpose, i))
+ ret = X509_check_purpose(x, ctx->purpose, i);
+ if ((ret == 0)
+ || ((ctx->flags & X509_V_FLAG_X509_STRICT)
+ && (ret != 1)))
{
if (i)
ctx->error = X509_V_ERR_INVALID_CA;
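Review bot: Outside strict mode the new test `ret == 0` still treats a negative result from X509_check_purpose as success, just as the old `!X509_check_purpose(...)` did. That function is not defined in this hunk; if it returns a negative value for an error such as an unknown purpose id, the chain check would accept the certificate in that case. Making the first clause `if ((ret <= 0)` would treat an error as a failure regardless of X509_V_FLAG_X509_STRICT. check_chain_purpose starts and ends outside the hunk.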
@@ -537,6 +541,14 @@ static int check_crl(X509_STORE_CTX *ctx, X509_CRL *crl)
if(issuer)
{
+ /* Check for cRLSign bit if keyUsage present */
+ if ((issuer->ex_flags & EXFLAG_KUSAGE) &&
+ !(issuer->ex_kusage & KU_CRL_SIGN))
+ {
+ ctx->error = X509_V_ERR_KEYUSAGE_NO_CRL_SIGN;
+ ok = ctx->verify_cb(0, ctx);
+ if(!ok) goto err;
+ }
/* Attempt to get issuer certificate public key */
ikey = X509_get_pubkey(issuer);
@@ -611,17 +623,46 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
{
int idx, ok;
X509_REVOKED rtmp;
+ STACK_OF(X509_EXTENSION) *exts;
+ X509_EXTENSION *ext;
/* Look for serial number of certificate in CRL */
rtmp.serialNumber = X509_get_serialNumber(x);
idx = sk_X509_REVOKED_find(crl->crl->revoked, &rtmp);
- /* Not found: OK */
- if(idx == -1) return 1;
- /* Otherwise revoked: want something cleverer than
+ /* If found assume revoked: want something cleverer than
* this to handle entry extensions in V2 CRLs.
*/
- ctx->error = X509_V_ERR_CERT_REVOKED;
- ok = ctx->verify_cb(0, ctx);
- return ok;
+ if(idx >= 0)
+ {
+ ctx->error = X509_V_ERR_CERT_REVOKED;
+ ok = ctx->verify_cb(0, ctx);
+ if (!ok) return 0;
+ }
+
+ if (ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
+ return 1;
+
+ /* See if we have any critical CRL extensions: since we
+ * currently don't handle any CRL extensions the CRL must be
+ * rejected.
+ * This code accesses the X509_CRL structure directly: applications
+ * shouldn't do this.
+ */
+
+ exts = crl->crl->extensions;
+
+ for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++)
+ {
+ ext = sk_X509_EXTENSION_value(exts, idx);
+ if (ext->critical > 0)
+ {
+ ctx->error =
+ X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
+ ok = ctx->verify_cb(0, ctx);
+ if(!ok) return 0;
+ break;
+ }
+ }
+ return 1;
}
static int internal_verify(X509_STORE_CTX *ctx)
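Review bot: In cert_crl the critical-extension scan runs after the serial-number lookup, so a CRL that the new comment says "must be rejected" has already been used to decide revocation, and to report X509_V_ERR_CERT_REVOKED, before it is examined. Moving the `sk_X509_EXTENSION_num(exts)` loop ahead of `sk_X509_REVOKED_find` would match that comment, as long as the X509_V_FLAG_IGNORE_CRITICAL test then skips only the scan and not the lookup. A header comment stating the return contract, e.g. `/* returns 1 to continue, 0 if verify_cb rejected the CRL or certificate */`, would also help now that the function has two callback sites.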
diff --git a/crypto/openssl/crypto/x509/x509_vfy.h b/crypto/openssl/crypto/x509/x509_vfy.h
index f0be21f..1984958 100644
--- a/crypto/openssl/crypto/x509/x509_vfy.h
+++ b/crypto/openssl/crypto/x509/x509_vfy.h
@@ -304,17 +304,26 @@ struct x509_store_ctx_st /* X509_STORE_CTX */
#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
+#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
+#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50
/* Certificate verify flags */
-#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 /* Send issuer+subject checks to verify_cb */
-#define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Use check time instead of current time */
-#define X509_V_FLAG_CRL_CHECK 0x4 /* Lookup CRLs */
-#define X509_V_FLAG_CRL_CHECK_ALL 0x8 /* Lookup CRLs for whole chain */
-#define X509_V_FLAG_IGNORE_CRITICAL 0x10 /* Ignore unhandled critical extensions */
+/* Send issuer+subject checks to verify_cb */
+#define X509_V_FLAG_CB_ISSUER_CHECK 0x1
+/* Use check time instead of current time */
+#define X509_V_FLAG_USE_CHECK_TIME 0x2
+/* Lookup CRLs */
+#define X509_V_FLAG_CRL_CHECK 0x4
+/* Lookup CRLs for whole chain */
+#define X509_V_FLAG_CRL_CHECK_ALL 0x8
+/* Ignore unhandled critical extensions */
+#define X509_V_FLAG_IGNORE_CRITICAL 0x10
+/* Disable workarounds for broken certificates */
+#define X509_V_FLAG_X509_STRICT 0x20
int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
X509_NAME *name);
diff --git a/crypto/openssl/crypto/x509/x509type.c b/crypto/openssl/crypto/x509/x509type.c
index f78c2a6..c25959a 100644
--- a/crypto/openssl/crypto/x509/x509type.c
+++ b/crypto/openssl/crypto/x509/x509type.c
@@ -106,7 +106,7 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey)
break;
}
- if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look
+ if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
for, not bytes */
ret|=EVP_PKT_EXP;
if(pkey==NULL) EVP_PKEY_free(pk);
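Review bot: The size test now uses `<= 1024/8`, so a key of exactly 1024 bits is classed as export-strength and gets EVP_PKT_EXP. If that is intended, say so explicitly, because the trailing comment only explains the division by 8, e.g. `/* keys of at most 1024 bits (128 bytes) are treated as export-grade */`. A zero or negative result from `EVP_PKEY_size(pk)` would also satisfy the comparison and set the flag; whether that can happen depends on code outside the hunk. X509_certificate_type starts and ends outside the hunk.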