openssl/sme8/openssl-fips-0.9.8e-x509-store-lock.patch

diff -up openssl-fips-0.9.8e/crypto/x509/by_dir.c.lock openssl-fips-0.9.8e/crypto/x509/by_dir.c
--- openssl-fips-0.9.8e/crypto/x509/by_dir.c.lock       2014-08-08 11:54:24.000000000 +0200
+++ openssl-fips-0.9.8e/crypto/x509/by_dir.c    2014-12-17 14:38:00.660309868 +0100
@@ -356,11 +356,11 @@ static int get_cert_by_subject(X509_LOOK
 
                /* we have added it to the cache so now pull
                 * it out again */
-               CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
+               CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
                j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
                if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
                else tmp = NULL;
-               CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
+               CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
                if (tmp != NULL)
                        {
@@ -379,4 +379,3 @@ finish:
        if (b != NULL) BUF_MEM_free(b);
        return(ok);
        }
-
diff -up openssl-fips-0.9.8e/crypto/x509/x509_lu.c.lock openssl-fips-0.9.8e/crypto/x509/x509_lu.c
--- openssl-fips-0.9.8e/crypto/x509/x509_lu.c.lock      2014-08-08 11:54:24.000000000 +0200
+++ openssl-fips-0.9.8e/crypto/x509/x509_lu.c   2014-12-17 14:38:00.660309868 +0100
@@ -286,7 +286,9 @@ int X509_STORE_get_by_subject(X509_STORE
        X509_OBJECT stmp,*tmp;
        int i,j;
 
+       CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
        tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
+       CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
        if (tmp == NULL)
                {
@@ -340,7 +342,6 @@ int X509_STORE_add_cert(X509_STORE *ctx,
 
        X509_OBJECT_up_ref_count(obj);
 
-
        if (X509_OBJECT_retrieve_match(ctx->objs, obj))
                {
                X509_OBJECT_free_contents(obj);
@@ -491,13 +492,13 @@ X509_OBJECT *X509_OBJECT_retrieve_match(
                        return obj;
                }
        return NULL;
-}
+       }
 
 
 /* Try to get issuer certificate from store. Due to limitations
  * of the API this can only retrieve a single certificate matching
  * a given subject name. However it will fill the cache with all
- * matching certificates, so we can examine the cache for all 
+ * matching certificates, so we can examine the cache for all
  * matches.
  *
  * Return values are:
@@ -505,13 +506,11 @@ X509_OBJECT *X509_OBJECT_retrieve_match(
  *  0 certificate not found.
  * -1 some other error.
  */
-
-
 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
-{
+       {
        X509_NAME *xn;
        X509_OBJECT obj, *pobj;
-       int i, ok, idx;
+       int i, ok, idx, ret;
        xn=X509_get_issuer_name(x);
        ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
        if (ok != X509_LU_X509)
@@ -537,27 +536,34 @@ int X509_STORE_CTX_get1_issuer(X509 **is
                return 1;
                }
        X509_OBJECT_free_contents(&obj);
-       /* Else find index of first matching cert */
-       idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
-       /* This shouldn't normally happen since we already have one match */
-       if (idx == -1) return 0;
 
-       /* Look through all matching certificates for a suitable issuer */
-       for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+       /* Else find index of first cert accepted by 'check_issued' */
+       ret = 0;
+       CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+       idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
+       if (idx != -1) /* should be true as we've had at least one match */
                {
-               pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
-               /* See if we've ran out of matches */
-               if (pobj->type != X509_LU_X509) return 0;
-               if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) return 0;
-               if (ctx->check_issued(ctx, x, pobj->data.x509))
+               /* Look through all matching certs for suitable issuer */
+               for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
                        {
-                       *issuer = pobj->data.x509;
-                       X509_OBJECT_up_ref_count(pobj);
-                       return 1;
+                       pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+                       /* See if we've run past the matches */
+                       if (pobj->type != X509_LU_X509)
+                               break;
+                       if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
+                               break;
+                       if (ctx->check_issued(ctx, x, pobj->data.x509))
+                               {
+                               *issuer = pobj->data.x509;
+                               X509_OBJECT_up_ref_count(pobj);
+                               ret = 1;
+                               break;
+                               }
                        }
                }
-       return 0;
-}
+       CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+       return ret;
+       }
 
 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
        {
1	vip-ire	1.1	diff -up openssl-fips-0.9.8e/crypto/x509/by_dir.c.lock openssl-fips-0.9.8e/crypto/x509/by_dir.c
2			--- openssl-fips-0.9.8e/crypto/x509/by_dir.c.lock 2014-08-08 11:54:24.000000000 +0200
3			+++ openssl-fips-0.9.8e/crypto/x509/by_dir.c 2014-12-17 14:38:00.660309868 +0100
4			@@ -356,11 +356,11 @@ static int get_cert_by_subject(X509_LOOK
5
6			/* we have added it to the cache so now pull
7			* it out again */
8			- CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
9			+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
10			j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
11			if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
12			else tmp = NULL;
13			- CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
14			+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
15
16			if (tmp != NULL)
17			{
18			@@ -379,4 +379,3 @@ finish:
19			if (b != NULL) BUF_MEM_free(b);
20			return(ok);
21			}
22			-
23			diff -up openssl-fips-0.9.8e/crypto/x509/x509_lu.c.lock openssl-fips-0.9.8e/crypto/x509/x509_lu.c
24			--- openssl-fips-0.9.8e/crypto/x509/x509_lu.c.lock 2014-08-08 11:54:24.000000000 +0200
25			+++ openssl-fips-0.9.8e/crypto/x509/x509_lu.c 2014-12-17 14:38:00.660309868 +0100
26			@@ -286,7 +286,9 @@ int X509_STORE_get_by_subject(X509_STORE
27			X509_OBJECT stmp,*tmp;
28			int i,j;
29
30			+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
31			tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
32			+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
33
34			if (tmp == NULL)
35			{
36			@@ -340,7 +342,6 @@ int X509_STORE_add_cert(X509_STORE *ctx,
37
38			X509_OBJECT_up_ref_count(obj);
39
40			-
41			if (X509_OBJECT_retrieve_match(ctx->objs, obj))
42			{
43			X509_OBJECT_free_contents(obj);
44			@@ -491,13 +492,13 @@ X509_OBJECT *X509_OBJECT_retrieve_match(
45			return obj;
46			}
47			return NULL;
48			-}
49			+ }
50
51
52			/* Try to get issuer certificate from store. Due to limitations
53			* of the API this can only retrieve a single certificate matching
54			* a given subject name. However it will fill the cache with all
55			- * matching certificates, so we can examine the cache for all
56			+ * matching certificates, so we can examine the cache for all
57			* matches.
58			*
59			* Return values are:
60			@@ -505,13 +506,11 @@ X509_OBJECT *X509_OBJECT_retrieve_match(
61			* 0 certificate not found.
62			* -1 some other error.
63			*/
64			-
65			-
66			int X509_STORE_CTX_get1_issuer(X509 *issuer, X509_STORE_CTX ctx, X509 *x)
67			-{
68			+ {
69			X509_NAME *xn;
70			X509_OBJECT obj, *pobj;
71			- int i, ok, idx;
72			+ int i, ok, idx, ret;
73			xn=X509_get_issuer_name(x);
74			ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
75			if (ok != X509_LU_X509)
76			@@ -537,27 +536,34 @@ int X509_STORE_CTX_get1_issuer(X509 **is
77			return 1;
78			}
79			X509_OBJECT_free_contents(&obj);
80			- /* Else find index of first matching cert */
81			- idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
82			- /* This shouldn't normally happen since we already have one match */
83			- if (idx == -1) return 0;
84
85			- /* Look through all matching certificates for a suitable issuer */
86			- for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
87			+ /* Else find index of first cert accepted by 'check_issued' */
88			+ ret = 0;
89			+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
90			+ idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
91			+ if (idx != -1) /* should be true as we've had at least one match */
92			{
93			- pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
94			- /* See if we've ran out of matches */
95			- if (pobj->type != X509_LU_X509) return 0;
96			- if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) return 0;
97			- if (ctx->check_issued(ctx, x, pobj->data.x509))
98			+ /* Look through all matching certs for suitable issuer */
99			+ for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
100			{
101			- *issuer = pobj->data.x509;
102			- X509_OBJECT_up_ref_count(pobj);
103			- return 1;
104			+ pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
105			+ /* See if we've run past the matches */
106			+ if (pobj->type != X509_LU_X509)
107			+ break;
108			+ if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
109			+ break;
110			+ if (ctx->check_issued(ctx, x, pobj->data.x509))
111			+ {
112			+ *issuer = pobj->data.x509;
113			+ X509_OBJECT_up_ref_count(pobj);
114			+ ret = 1;
115			+ break;
116			+ }
117			}
118			}
119			- return 0;
120			-}
121			+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
122			+ return ret;
123			+ }
124
125			int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
126			{