openssl/sme8/openssl-fips-0.9.8e-x509-store-lock.patch

diff -up openssl-fips-0.9.8e/crypto/x509/by_dir.c.lock openssl-fips-0.9.8e/crypto/x509/by_dir.c
--- openssl-fips-0.9.8e/crypto/x509/by_dir.c.lock       2014-08-08 11:54:24.000000000 +0200
+++ openssl-fips-0.9.8e/crypto/x509/by_dir.c    2014-12-17 14:38:00.660309868 +0100
@@ -356,11 +356,11 @@ static int get_cert_by_subject(X509_LOOK
 
                /* we have added it to the cache so now pull
                 * it out again */
-               CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
+               CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
                j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
                if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
                else tmp = NULL;
-               CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
+               CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
                if (tmp != NULL)
                        {
@@ -379,4 +379,3 @@ finish:
        if (b != NULL) BUF_MEM_free(b);
        return(ok);
        }
-
diff -up openssl-fips-0.9.8e/crypto/x509/x509_lu.c.lock openssl-fips-0.9.8e/crypto/x509/x509_lu.c
--- openssl-fips-0.9.8e/crypto/x509/x509_lu.c.lock      2014-08-08 11:54:24.000000000 +0200
+++ openssl-fips-0.9.8e/crypto/x509/x509_lu.c   2014-12-17 14:38:00.660309868 +0100
@@ -286,7 +286,9 @@ int X509_STORE_get_by_subject(X509_STORE
        X509_OBJECT stmp,*tmp;
        int i,j;
 
+       CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
        tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
+       CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
        if (tmp == NULL)
                {
@@ -340,7 +342,6 @@ int X509_STORE_add_cert(X509_STORE *ctx,
 
        X509_OBJECT_up_ref_count(obj);
 
-
        if (X509_OBJECT_retrieve_match(ctx->objs, obj))
                {
                X509_OBJECT_free_contents(obj);
@@ -491,13 +492,13 @@ X509_OBJECT *X509_OBJECT_retrieve_match(
                        return obj;
                }
        return NULL;
-}
+       }
 
 
 /* Try to get issuer certificate from store. Due to limitations
  * of the API this can only retrieve a single certificate matching
  * a given subject name. However it will fill the cache with all
- * matching certificates, so we can examine the cache for all 
+ * matching certificates, so we can examine the cache for all
  * matches.
  *
  * Return values are:
@@ -505,13 +506,11 @@ X509_OBJECT *X509_OBJECT_retrieve_match(
  *  0 certificate not found.
  * -1 some other error.
  */
-
-
 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
-{
+       {
        X509_NAME *xn;
        X509_OBJECT obj, *pobj;
-       int i, ok, idx;
+       int i, ok, idx, ret;
        xn=X509_get_issuer_name(x);
        ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
        if (ok != X509_LU_X509)
@@ -537,27 +536,34 @@ int X509_STORE_CTX_get1_issuer(X509 **is
                return 1;
                }
        X509_OBJECT_free_contents(&obj);
-       /* Else find index of first matching cert */
-       idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
-       /* This shouldn't normally happen since we already have one match */
-       if (idx == -1) return 0;
 
-       /* Look through all matching certificates for a suitable issuer */
-       for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+       /* Else find index of first cert accepted by 'check_issued' */
+       ret = 0;
+       CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+       idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
+       if (idx != -1) /* should be true as we've had at least one match */
                {
-               pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
-               /* See if we've ran out of matches */
-               if (pobj->type != X509_LU_X509) return 0;
-               if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) return 0;
-               if (ctx->check_issued(ctx, x, pobj->data.x509))
+               /* Look through all matching certs for suitable issuer */
+               for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
                        {
-                       *issuer = pobj->data.x509;
-                       X509_OBJECT_up_ref_count(pobj);
-                       return 1;
+                       pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+                       /* See if we've run past the matches */
+                       if (pobj->type != X509_LU_X509)
+                               break;
+                       if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
+                               break;
+                       if (ctx->check_issued(ctx, x, pobj->data.x509))
+                               {
+                               *issuer = pobj->data.x509;
+                               X509_OBJECT_up_ref_count(pobj);
+                               ret = 1;
+                               break;
+                               }
                        }
                }
-       return 0;
-}
+       CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+       return ret;
+       }
 
 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
        {
1	diff -up openssl-fips-0.9.8e/crypto/x509/by_dir.c.lock openssl-fips-0.9.8e/crypto/x509/by_dir.c
2	--- openssl-fips-0.9.8e/crypto/x509/by_dir.c.lock 2014-08-08 11:54:24.000000000 +0200
3	+++ openssl-fips-0.9.8e/crypto/x509/by_dir.c 2014-12-17 14:38:00.660309868 +0100
4	@@ -356,11 +356,11 @@ static int get_cert_by_subject(X509_LOOK
5
6	/* we have added it to the cache so now pull
7	* it out again */
8	- CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
9	+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
10	j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
11	if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
12	else tmp = NULL;
13	- CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
14	+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
15
16	if (tmp != NULL)
17	{
18	@@ -379,4 +379,3 @@ finish:
19	if (b != NULL) BUF_MEM_free(b);
20	return(ok);
21	}
22	-
23	diff -up openssl-fips-0.9.8e/crypto/x509/x509_lu.c.lock openssl-fips-0.9.8e/crypto/x509/x509_lu.c
24	--- openssl-fips-0.9.8e/crypto/x509/x509_lu.c.lock 2014-08-08 11:54:24.000000000 +0200
25	+++ openssl-fips-0.9.8e/crypto/x509/x509_lu.c 2014-12-17 14:38:00.660309868 +0100
26	@@ -286,7 +286,9 @@ int X509_STORE_get_by_subject(X509_STORE
27	X509_OBJECT stmp,*tmp;
28	int i,j;
29
30	+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
31	tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
32	+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
33
34	if (tmp == NULL)
35	{
36	@@ -340,7 +342,6 @@ int X509_STORE_add_cert(X509_STORE *ctx,
37
38	X509_OBJECT_up_ref_count(obj);
39
40	-
41	if (X509_OBJECT_retrieve_match(ctx->objs, obj))
42	{
43	X509_OBJECT_free_contents(obj);
44	@@ -491,13 +492,13 @@ X509_OBJECT *X509_OBJECT_retrieve_match(
45	return obj;
46	}
47	return NULL;
48	-}
49	+ }
50
51
52	/* Try to get issuer certificate from store. Due to limitations
53	* of the API this can only retrieve a single certificate matching
54	* a given subject name. However it will fill the cache with all
55	- * matching certificates, so we can examine the cache for all
56	+ * matching certificates, so we can examine the cache for all
57	* matches.
58	*
59	* Return values are:
60	@@ -505,13 +506,11 @@ X509_OBJECT *X509_OBJECT_retrieve_match(
61	* 0 certificate not found.
62	* -1 some other error.
63	*/
64	-
65	-
66	int X509_STORE_CTX_get1_issuer(X509 *issuer, X509_STORE_CTX ctx, X509 *x)
67	-{
68	+ {
69	X509_NAME *xn;
70	X509_OBJECT obj, *pobj;
71	- int i, ok, idx;
72	+ int i, ok, idx, ret;
73	xn=X509_get_issuer_name(x);
74	ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
75	if (ok != X509_LU_X509)
76	@@ -537,27 +536,34 @@ int X509_STORE_CTX_get1_issuer(X509 **is
77	return 1;
78	}
79	X509_OBJECT_free_contents(&obj);
80	- /* Else find index of first matching cert */
81	- idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
82	- /* This shouldn't normally happen since we already have one match */
83	- if (idx == -1) return 0;
84
85	- /* Look through all matching certificates for a suitable issuer */
86	- for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
87	+ /* Else find index of first cert accepted by 'check_issued' */
88	+ ret = 0;
89	+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
90	+ idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
91	+ if (idx != -1) /* should be true as we've had at least one match */
92	{
93	- pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
94	- /* See if we've ran out of matches */
95	- if (pobj->type != X509_LU_X509) return 0;
96	- if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) return 0;
97	- if (ctx->check_issued(ctx, x, pobj->data.x509))
98	+ /* Look through all matching certs for suitable issuer */
99	+ for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
100	{
101	- *issuer = pobj->data.x509;
102	- X509_OBJECT_up_ref_count(pobj);
103	- return 1;
104	+ pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
105	+ /* See if we've run past the matches */
106	+ if (pobj->type != X509_LU_X509)
107	+ break;
108	+ if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
109	+ break;
110	+ if (ctx->check_issued(ctx, x, pobj->data.x509))
111	+ {
112	+ *issuer = pobj->data.x509;
113	+ X509_OBJECT_up_ref_count(pobj);
114	+ ret = 1;
115	+ break;
116	+ }
117	}
118	}
119	- return 0;
120	-}
121	+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
122	+ return ret;
123	+ }
124
125	int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
126	{