From 30aa9303c739f90798183c5bbf45dec952d15738 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 10 Jul 2013 11:02:41 +0200 Subject: [PATCH] add support for the -trusted_first option for certificate chain verification --- openssl-1.0.1e-trusted-first.patch | 50 ++++++++++++++++++++++++++++++ openssl.spec | 7 ++++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 openssl-1.0.1e-trusted-first.patch diff --git a/openssl-1.0.1e-trusted-first.patch b/openssl-1.0.1e-trusted-first.patch new file mode 100644 index 0000000..9cf2457 --- /dev/null +++ b/openssl-1.0.1e-trusted-first.patch @@ -0,0 +1,50 @@ +diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c +--- openssl-1.0.1e/apps/apps.c.trusted-first 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/apps/apps.c 2013-07-10 10:42:42.242706279 +0200 +@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg + flags |= X509_V_FLAG_NOTIFY_POLICY; + else if (!strcmp(arg, "-check_ss_sig")) + flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; ++ else if (!strcmp(arg, "-trusted_first")) ++ flags |= X509_V_FLAG_TRUSTED_FIRST; + else + return 0; + +diff -up openssl-1.0.1e/CHANGES.trusted-first openssl-1.0.1e/CHANGES +diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c +--- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first 2013-05-31 13:40:52.000000000 +0200 ++++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-07-10 10:45:49.473638295 +0200 +@@ -205,6 +205,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx + + /* If we are self signed, we break */ + if (ctx->check_issued(ctx, x,x)) break; ++ /* If asked see if we can find issuer in trusted store first */ ++ if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST) ++ { ++ ok = ctx->get_issuer(&xtmp, ctx, x); ++ if (ok < 0) ++ return ok; ++ /* If successful for now free up cert so it ++ * will be picked up again later. ++ */ ++ if (ok > 0) ++ { ++ X509_free(xtmp); ++ break; ++ } ++ } + + /* If we were passed a cert chain, use it first */ + if (ctx->untrusted != NULL) +diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h +--- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first 2013-05-31 13:40:51.890277515 +0200 ++++ openssl-1.0.1e/crypto/x509/x509_vfy.h 2013-07-10 10:42:42.247706379 +0200 +@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE + #define X509_V_FLAG_USE_DELTAS 0x2000 + /* Check selfsigned CA signature */ + #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 ++/* Use trusted store first */ ++#define X509_V_FLAG_TRUSTED_FIRST 0x8000 + + + #define X509_VP_FLAG_DEFAULT 0x1 diff --git a/openssl.spec b/openssl.spec index ac9cc28..346bbd4 100644 --- a/openssl.spec +++ b/openssl.spec @@ -21,7 +21,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 1.0.1e -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -73,6 +73,7 @@ Patch71: openssl-1.0.1e-manfix.patch Patch81: openssl-1.0.1-beta2-padlock64.patch Patch82: openssl-1.0.1e-backports.patch Patch83: openssl-1.0.1e-bad-mac.patch +Patch84: openssl-1.0.1e-trusted-first.patch License: OpenSSL Group: System Environment/Libraries @@ -178,6 +179,7 @@ from other formats to the formats used by the OpenSSL toolkit. %patch82 -p1 -b .backports %patch71 -p1 -b .manfix %patch83 -p1 -b .bad-mac +%patch84 -p1 -b .trusted-first sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h @@ -438,6 +440,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Wed Jul 10 2013 Tomas Mraz 1.0.1e-7 +- add support for the -trusted_first option for certificate chain verification + * Fri May 3 2013 Tomas Mraz 1.0.1e-6 - fix build of manual pages with current pod2man (#959439)