OpenSSL 0.9.5 merge

*warning* this bumps shared lib minors for libssl and libcrypto from 2.1 to 2.2
if you are using the ssl26 packages for ssh and other things to work you will
need to get new ones (see ~beck/libsslsnap/<arch>) on cvs or ~beck/src-patent.tar.gz on cvs

2 files changed, 95 insertions, 63 deletions

diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
index d70dd25622..dbe8cbefe0 100644
--- a/src/lib/libssl/doc/openssl.cnf
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -3,8 +3,13 @@
 # This is mostly being used for generation of certificate requests.
 #
 
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME                    = .
 RANDFILE                = $ENV::HOME/.rnd
-oid_file                = $ENV::HOME/.oid
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file               = $ENV::HOME/.oid
 oid_section             = new_oids
 
 # To use this configuration file with the "-extfile" option of the
@@ -86,6 +91,22 @@ distinguished_name	= req_distinguished_name
 attributes              = req_attributes
 x509_extensions = v3_ca # The extentions to add to the self signed cert
 
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
+# default: PrintableString, T61String, BMPString.
+# pkix   : PrintableString, BMPString.
+# utf8only: only UTF8Strings.
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
+# so use this option with caution!
+string_mask = nombstr
+
+# req_extensions = v3_req # The extensions to add to a certificate request
+
 [ req_distinguished_name ]
 countryName                     = Country Name (2 letter code)
 countryName_default             = AU
@@ -170,8 +191,16 @@ authorityKeyIdentifier=keyid,issuer:always
 #nsCaPolicyUrl
 #nsSslServerName
 
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
 [ v3_ca ]
 
+
 # Extensions for a typical CA
 
 
@@ -200,10 +229,11 @@ basicConstraints = CA:true
 # Copy issuer details
 # issuerAltName=issuer:copy
 
-# RAW DER hex encoding of an extension: beware experts only!
-# 1.2.3.5=RAW:02:03
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
 # You can even override a supported extension:
-# basicConstraints= critical, RAW:30:03:01:01:FF
+# basicConstraints= critical, DER:30:03:01:01:FF
 
 [ crl_ext ]
 
diff --git a/src/lib/libssl/doc/openssl.txt b/src/lib/libssl/doc/openssl.txt
index 91b85e5f14..880eace4da 100644
--- a/src/lib/libssl/doc/openssl.txt
+++ b/src/lib/libssl/doc/openssl.txt
@@ -1,53 +1,12 @@
 
 This is some preliminary documentation for OpenSSL.
 
-==============================================================================
-                            BUFFER Library
-==============================================================================
-
-The buffer library handles simple character arrays. Buffers are used for
-various purposes in the library, most notably memory BIOs.
-
-The library uses the BUF_MEM structure defined in buffer.h:
-
-typedef struct buf_mem_st
-{
-        int length;     /* current number of bytes */
-        char *data;
-        int max;        /* size of buffer */
-} BUF_MEM;
-
-'length' is the current size of the buffer in bytes, 'max' is the amount of
-memory allocated to the buffer. There are three functions which handle these
-and one "miscellaneous" function.
-
-BUF_MEM *BUF_MEM_new()
-
-This allocates a new buffer of zero size. Returns the buffer or NULL on error.
-
-void BUF_MEM_free(BUF_MEM *a)
-
-This frees up an already existing buffer. The data is zeroed before freeing
-up in case the buffer contains sensitive data.
-
-int BUF_MEM_grow(BUF_MEM *str, int len)
-
-This changes the size of an already existing buffer. It returns zero on error
-or the new size (i.e. 'len'). Any data already in the buffer is preserved if
-it increases in size.
-
-char * BUF_strdup(char *str)
+Contents:
 
-This is the previously mentioned strdup function: like the standard library
-strdup() it copies a null terminated string into a block of allocated memory
-and returns a pointer to the allocated block.
+ OpenSSL X509V3 extension configuration
+ X509V3 Extension code: programmers guide
+ PKCS#12 Library
 
-Unlike the standard C library strdup() this function uses Malloc() and so
-should be used in preference to the standard library strdup() because it can
-be used for memory leak checking or replacing the malloc() function.
-
-The memory allocated from BUF_strdup() should be freed up using the Free()
-function.
 
 ==============================================================================
                OpenSSL X509V3 extension configuration
@@ -188,7 +147,7 @@ email.1=steve@here
 email.2=steve@there
 
 This is because the configuration file code cannot handle the same name
-occurring twice in the same extension.
+occurring twice in the same section.
 
 The syntax of raw extensions is governed by the extension code: it can
 for example contain data in multiple sections. The correct syntax to
@@ -315,6 +274,41 @@ TRUE. An end user certificate MUST NOT have the CA value set to true.
 According to PKIX recommendations it should exclude the extension entirely,
 however some software may require CA set to FALSE for end entity certificates.
 
+Extended Key Usage.
+
+This extensions consists of a list of usages.
+
+These can either be object short names of the dotted numerical form of OIDs.
+While any OID can be used only certain values make sense. In particular the
+following PKIX, NS and MS values are meaningful:
+
+Value                   Meaning
+-----                   -------
+serverAuth              SSL/TLS Web Server Authentication.
+clientAuth              SSL/TLS Web Client Authentication.
+codeSigning             Code signing.
+emailProtection         E-mail Protection (S/MIME).
+timeStamping            Trusted Timestamping
+msCodeInd               Microsoft Individual Code Signing (authenticode)
+msCodeCom               Microsoft Commercial Code Signing (authenticode)
+msCTLSign               Microsoft Trust List Signing
+msSGC                   Microsoft Server Gated Crypto
+msEFS                   Microsoft Encrypted File System
+nsSGC                   Netscape Server Gated Crypto
+
+For example, under IE5 a CA can be used for any purpose: by including a list
+of the above usages the CA can be restricted to only authorised uses.
+
+Note: software packages may place additional interpretations on certificate 
+use, in particular some usages may only work for selected CAs. Don't for example
+expect just including msSGC or nsSGC will automatically mean that a certificate
+can be used for SGC ("step up" encryption) otherwise anyone could use it.
+
+Examples:
+
+extendedKeyUsage=critical,codeSigning,1.2.3.4
+extendedKeyUsage=nsSGC,msSGC
+
 Subject Key Identifier.
 
 This is really a string extension and can take two possible values. Either
@@ -459,16 +453,16 @@ extension in a human or machine readable form.
 
 1. Initialisation and cleanup.
 
-X509V3_add_standard_extensions();
-
-This function should be called before any other extension code. It adds support
-for some common PKIX and Netscape extensions. Additional custom extensions can
-be added as well (see later).
+No special initialisation is needed before calling the extension functions.
+You used to have to call X509V3_add_standard_extensions(); but this is no longer
+required and this function no longer does anything.
 
 void X509V3_EXT_cleanup(void);
 
-This function should be called last to cleanup the extension code. After this
-call no other extension calls should be made.
+This function should be called to cleanup the extension code if any custom
+extensions have been added. If no custom extensions have been added then this
+call does nothing. After this call all custom extension code is freed up but
+you can still use the standard extensions.
 
 2. Printing and parsing extensions.
 
@@ -512,7 +506,7 @@ or CRL is due to be signed. Both return 0 on error on non zero for success.
 In each case 'conf' is the LHASH pointer of the configuration file to use
 and 'section' is the section containing the extension details.
 
-See the 'context functions' section for a description of the ctx paramater.
+See the 'context functions' section for a description of the ctx parameter.
 
 
 X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name,
@@ -531,7 +525,7 @@ takes the NID of the extension rather than its name.
 For example to produce basicConstraints with the CA flag and a path length of
 10:
 
-x = X509V3_EXT_conf_nid(NULL, NULL, NID_basicConstraints, "CA:TRUE,pathlen:10");
+x = X509V3_EXT_conf_nid(NULL, NULL, NID_basic_constraints,"CA:TRUE,pathlen:10");
 
 
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
@@ -659,7 +653,7 @@ The same as above but for an unsigned character value.
 int X509V3_add_value_bool(const char *name, int asn1_bool,
                                                 STACK_OF(CONF_VALUE) **extlist);
 
-This adds either "TRUE" or "FALSE" depending on the value of 'ans1_bool'
+This adds either "TRUE" or "FALSE" depending on the value of 'asn1_bool'
 
 int X509V3_add_value_bool_nf(char *name, int asn1_bool,
                                                 STACK_OF(CONF_VALUE) **extlist);
@@ -686,7 +680,7 @@ Multi value extensions are passed a STACK_OF(CONF_VALUE) name and value pairs
 or return a STACK_OF(CONF_VALUE).
 
 Raw extensions are just passed a BIO or a value and it is the extensions
-responsiblity to handle all the necessary printing.
+responsibility to handle all the necessary printing.
 
 There are two ways to add an extension. One is simply as an alias to an already
 existing extension. An alias is an extension that is identical in ASN1 structure
@@ -811,7 +805,7 @@ int i2r(struct v3_ext_method *method, void *ext, BIO *out, int indent);
 
 This function is passed the internal extension structure in the ext parameter
 and sends out a human readable version of the extension to out. The 'indent'
-paremeter should be noted to determine the necessary amount of indentation
+parameter should be noted to determine the necessary amount of indentation
 needed on the output.
 
 void * r2i(struct v3_ext_method *method, struct v3_ext_ctx *ctx, char *str);
@@ -882,7 +876,7 @@ d2i_PKCS12_fp(fp, p12)
 
 This is the same but for a FILE pointer.
 
-3. Parsing and creation functions.
+3. High level functions.
 
 3.1 Parsing with PKCS12_parse().
 
@@ -920,6 +914,14 @@ p12 = PKCS12_create(pass, "My Certificate", pkey, cert, NULL, 0,0,0,0,0);
 i2d_PKCS12_fp(fp, p12);
 PKCS12_free(p12);
 
+3.3 Changing a PKCS#12 structure password.
+
+int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass);
+
+This changes the password of an already existing PKCS#12 structure. oldpass
+is the old password and newpass is the new one. An error occurs if the old
+password is incorrect.
+
 LOW LEVEL FUNCTIONS.
 
 In some cases the high level functions do not provide the necessary