author: Mike DePaulo <mikedep333@gmail.com> 2015-07-10 08:56:32 -0400
committer: Mike DePaulo <mikedep333@gmail.com> 2015-07-26 11:34:07 -0400
commit: 9ece505c5ca92218e41adedfa6d8c47574bd9271
tree: fbb27f113769b94dafa26ab43a5843c7e7454fb6 /openssl/doc
parent: 6d650329125473a3b773f03f2fb704a094d92b55
Update openssl: 1.0.2c -> 1.0.2d
Diffstat (limited to 'openssl/doc')
-rw-r--r--  openssl/doc/apps/verify.pod                         11
-rw-r--r--  openssl/doc/crypto/X509_NAME_get_index_by_NID.pod    7
-rw-r--r--  openssl/doc/crypto/X509_STORE_CTX_new.pod           13
-rw-r--r--  openssl/doc/crypto/X509_verify_cert.pod              3
-rw-r--r--  openssl/doc/ssl/SSL_CTX_get0_param.pod              55
-rwxr-xr-x  openssl/doc/ssl/SSL_CTX_use_serverinfo.pod           2
6 files changed, 85 insertions, 6 deletions
diff --git a/openssl/doc/apps/verify.pod b/openssl/doc/apps/verify.pod
index df1b86dfe..bffa6c0ec 100644
--- a/openssl/doc/apps/verify.pod
+++ b/openssl/doc/apps/verify.pod
@@ -15,6 +15,7 @@ B<openssl> B<verify>
[B<-attime timestamp>]
[B<-check_ss_sig>]
[B<-crlfile file>]
+[B<-crl_download>]
[B<-crl_check>]
[B<-crl_check_all>]
[B<-policy_check>]
@@ -29,6 +30,7 @@ B<openssl> B<verify>
[B<-untrusted file>]
[B<-help>]
[B<-issuer_checks>]
+[B<-trusted file>]
[B<-verbose>]
[B<->]
[certificates]
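Review bot: B<-trusted file> is inserted between B<-issuer_checks> and B<-verbose>, several entries away from B<-untrusted file>; the two options are counterparts, so listing them adjacently (B<-trusted file> directly after B<-untrusted file>) would make the synopsis easier to scan and would mirror the B<-crlfile>/B<-crl_download>/B<-crl_check> grouping used in the first hunk.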
@@ -69,6 +71,10 @@ because it doesn't add any security.
File containing one or more CRL's (in PEM format) to load.
+=item B<-crl_download>
+
+Attempt to download CRL information for this certificate.
+
=item B<-crl_check>
Checks end entity certificate validity by attempting to look up a valid CRL.
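Review bot: the B<-crl_download> entry is a single sentence that says neither where the CRL is fetched from nor that it only has an effect when CRL checking is requested; because the option makes B<openssl verify> perform a network fetch during validation, the source and the dependency should be explicit, e.g. "Attempt to download CRL information for this certificate from the CRL distribution points named in it. This only has an effect together with B<-crl_check> or B<-crl_check_all>."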
@@ -133,6 +139,11 @@ be found that is trusted. With this option that behaviour is suppressed so that
only the first chain found is ever used. Using this option will force the
behaviour to match that of previous OpenSSL versions.
+=item B<-trusted file>
+
+A file of additional trusted certificates. The file should contain multiple
+certificates in PEM format concatenated together.
+
=item B<-policy_print>
Print out diagnostics related to policy processing.
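Review bot: "The file should contain multiple certificates in PEM format concatenated together" reads as a requirement for more than one certificate; "one or more certificates" is what is meant. The entry also leaves unstated how B<-trusted> relates to B<-CAfile> and B<-CApath>, i.e. whether the file supplements the default trust store or replaces it for the purpose of this verification, which is exactly what a user choosing between the options needs to know.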
diff --git a/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod b/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
index c8a812879..109f56132 100644
--- a/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
+++ b/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
@@ -29,6 +29,7 @@ and issuer names.
X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ() retrieve
the next index matching B<nid> or B<obj> after B<lastpos>. B<lastpos>
should initially be set to -1. If there are no more entries -1 is returned.
+If B<nid> is invalid (doesn't correspond to a valid OID) then -2 is returned.
X509_NAME_entry_count() returns the total number of entries in B<name>.
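Review bot: with -2 now a possible return, any loop that feeds the result back as B<lastpos> and stops only on -1 will never terminate for an invalid B<nid>, because -2 is neither -1 nor a valid position and the next call returns -2 again; the sentence should tell callers to stop on any negative return (C<< < 0 >>), and the loops in the EXAMPLES section of this page should be checked to match.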
@@ -63,6 +64,10 @@ The list of all relevant B<NID_*> and B<OBJ_* codes> can be found in
the source code header files E<lt>openssl/obj_mac.hE<gt> and/or
E<lt>openssl/objects.hE<gt>.
+Applications which could pass invalid NIDs to X509_NAME_get_index_by_NID()
+should check for the return value of -2. Alternatively the NID validity
+can be determined first by checking OBJ_nid2obj(nid) is not NULL.
+
=head1 EXAMPLES
Process all entries:
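Review bot: the paragraph presents checking the -2 return and pre-checking OBJ_nid2obj(nid) as equivalent alternatives without saying which to prefer; checking the return value is the simpler and cheaper one, while the OBJ_nid2obj() pre-check is only needed by code that must also run on earlier releases where an invalid NID is not reported as -2. Stating that distinction would stop readers from adding both checks.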
@@ -95,6 +100,8 @@ Process all commonName entries:
X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ()
return the index of the next matching entry or -1 if not found.
+X509_NAME_get_index_by_NID() can also return -2 if the supplied
+NID is invalid.
X509_NAME_entry_count() returns the total number of entries.
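Review bot: the RETURN VALUES addition covers only X509_NAME_get_index_by_NID(), but the preceding sentence documents X509_NAME_get_index_by_OBJ() alongside it; the text should state whether X509_NAME_get_index_by_OBJ() can also return -2 (e.g. for a NULL B<obj>) or only -1, otherwise callers who treat the two functions as interchangeable will test the wrong condition.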
diff --git a/openssl/doc/crypto/X509_STORE_CTX_new.pod b/openssl/doc/crypto/X509_STORE_CTX_new.pod
index b17888f14..eb38b0a10 100644
--- a/openssl/doc/crypto/X509_STORE_CTX_new.pod
+++ b/openssl/doc/crypto/X509_STORE_CTX_new.pod
@@ -39,10 +39,15 @@ X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
is no longer valid.
X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
-The trusted certificate store is set to B<store>, the end entity certificate
-to be verified is set to B<x509> and a set of additional certificates (which
-will be untrusted but may be used to build the chain) in B<chain>. Any or
-all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>.
+It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
+good for one call to X509_verify_cert(); if you want to verify a second
+certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
+and then X509_STORE_CTX_init() again before the second call to
+X509_verify_cert(). The trusted certificate store is set to B<store>, the end
+entity certificate to be verified is set to B<x509> and a set of additional
+certificates (which will be untrusted but may be used to build the chain) in
+B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
+B<NULL>.
X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
to B<sk>. This is an alternative way of specifying trusted certificates
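Review bot: "X509_XTORE_CTX_cleanup()" on the added line is a typo for X509_STORE_CTX_cleanup(); as written it names a function that does not exist, so readers searching the manual for it will find nothing. Also consider wrapping it as X509_STORE_CTX_cleanup(3) and adding one clause saying why the re-initialisation is required (the negative return documented in X509_verify_cert.pod), so the two changes in this commit point at each other.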
diff --git a/openssl/doc/crypto/X509_verify_cert.pod b/openssl/doc/crypto/X509_verify_cert.pod
index 5253bdcd7..a22e44118 100644
--- a/openssl/doc/crypto/X509_verify_cert.pod
+++ b/openssl/doc/crypto/X509_verify_cert.pod
@@ -32,7 +32,8 @@ OpenSSL internally for certificate validation, in both the S/MIME and
SSL/TLS code.
The negative return value from X509_verify_cert() can only occur if no
-certificate is set in B<ctx> (due to a programming error) or if a retry
+certificate is set in B<ctx> (due to a programming error); if X509_verify_cert()
+twice without reinitialising B<ctx> in between; or if a retry
operation is requested during internal lookups (which never happens with
standard lookup methods). It is however recommended that application check
for <= 0 return value on error.
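Review bot: "if X509_verify_cert() twice without reinitialising B<ctx> in between" is missing its verb; "if X509_verify_cert() is called twice ..." is what is meant. Since this paragraph is where a caller who sees the negative return will look, it should also name the remedy (X509_STORE_CTX_cleanup() followed by X509_STORE_CTX_init()) rather than leaving it to X509_STORE_CTX_new.pod.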
diff --git a/openssl/doc/ssl/SSL_CTX_get0_param.pod b/openssl/doc/ssl/SSL_CTX_get0_param.pod
new file mode 100644
index 000000000..332f18118
--- /dev/null
+++ b/openssl/doc/ssl/SSL_CTX_get0_param.pod
@@ -0,0 +1,55 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_get0_param, SSL_get0_param, SSL_CTX_set1_param, SSL_set1_param -
+get and set verification parameters
+
+=head1 SYNOPSIS
+
+ #include <openssl/ssl.h>
+
+ X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
+ X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
+ int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm)
+ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm)
+
+=head1 DESCRIPTION
+
+SSL_CTX_get0_param() and SSL_get0_param() retrieve an internal pointer to
+the verification parameters for B<ctx> or B<ssl> respectively. The returned
+pointer must not be freed by the calling application.
+
+SSL_CTX_set1_param() and SSL_set1_param() set the verification parameters
+to B<vpm> for B<ctx> or B<ssl>.
+
+=head1 NOTES
+
+Typically parameters are retrieved from an B<SSL_CTX> or B<SSL> structure
+using SSL_CTX_get0_param() or SSL_get0_param() and an application modifies
+them to suit its needs: for example to add a hostname check.
+
+=head1 EXAMPLE
+
+Check hostname matches "www.foo.com" in peer certificate:
+
+ X509_VERIFY_PARAM *vpm = SSL_get0_param(ssl);
+ X509_VERIFY_PARAM_set1_host(vpm, "www.foo.com");
+
+=head1 RETURN VALUES
+
+SSL_CTX_get0_param() and SSL_get0_param() return a pointer to an
+B<X509_VERIFY_PARAM> structure.
+
+SSL_CTX_set1_param() and SSL_set1_param() return 1 for success and 0
+for failure.
+
+=head1 SEE ALSO
+
+L<X509_VERIFY_PARAM_set_flags(3)|X509_VERIFY_PARAM_set_flags(3)>
+
+=head1 HISTORY
+
+These functions were first added to OpenSSL 1.0.2.
+
+=cut
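Review bot: the EXAMPLE ignores the return value of X509_VERIFY_PARAM_set1_host() and does not say that a hostname mismatch only aborts the handshake when peer verification is enabled (SSL_VERIFY_PEER via SSL_set_verify() or SSL_CTX_set_verify()); a reader copying this two-liner into an application that never turned verification on gets no hostname check at all, so both points belong in the EXAMPLE or NOTES. In the DESCRIPTION, SSL_CTX_set1_param() and SSL_set1_param() should also say that B<vpm> is copied into B<ctx>/B<ssl> and stays owned by the caller, which is what the "1" suffix denotes and what the "must not be freed" wording for the get0 variants implies by contrast.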
diff --git a/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod b/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod
index da7935c83..318e052e2 100755
--- a/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod
+++ b/openssl/doc/ssl/SSL_CTX_use_serverinfo.pod
@@ -2,7 +2,7 @@
=head1 NAME
-SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file
+SSL_CTX_use_serverinfo, SSL_CTX_use_serverinfo_file - use serverinfo extension
=head1 SYNOPSIS
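Review bot: the index line shows this file with mode 100755; a .pod file has no reason to be executable, and every other pod in the diffstat is 100644, so the mode should be dropped along with the NAME fix.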