From 650873ff0ee52cef1653fa48db5f073daf30dd83 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 6 Dec 2012 18:30:15 +0100 Subject: [PATCH] do not load default verify paths if CApath or CAfile specified (#884305) --- openssl-1.0.0-beta4-default-paths.patch | 77 ------------------ openssl-1.0.1c-default-paths.patch | 100 ++++++++++++++++++++++++ openssl.spec | 7 +- 3 files changed, 105 insertions(+), 79 deletions(-) delete mode 100644 openssl-1.0.0-beta4-default-paths.patch create mode 100644 openssl-1.0.1c-default-paths.patch diff --git a/openssl-1.0.0-beta4-default-paths.patch b/openssl-1.0.0-beta4-default-paths.patch deleted file mode 100644 index 0b48a27..0000000 --- a/openssl-1.0.0-beta4-default-paths.patch +++ /dev/null @@ -1,77 +0,0 @@ -diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c ---- openssl-1.0.0-beta4/apps/s_client.c.default-paths 2009-08-12 15:21:26.000000000 +0200 -+++ openssl-1.0.0-beta4/apps/s_client.c 2009-11-12 12:26:32.000000000 +0100 -@@ -889,12 +889,13 @@ bad: - if (!set_cert_key_stuff(ctx,cert,key)) - goto end; - -- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx))) -+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx)) - { -- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - - #ifndef OPENSSL_NO_TLSEXT -diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c ---- openssl-1.0.0-beta4/apps/s_server.c.default-paths 2009-10-28 18:49:37.000000000 +0100 -+++ openssl-1.0.0-beta4/apps/s_server.c 2009-11-12 12:31:23.000000000 +0100 -@@ -1408,12 +1408,13 @@ bad: - } - #endif - -- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx))) -+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx)) - { -- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - if (vpm) - SSL_CTX_set1_param(ctx, vpm); -@@ -1465,8 +1466,11 @@ bad: - else - SSL_CTX_sess_set_cache_size(ctx2,128); - -- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(ctx2))) -+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(ctx2)) - { - ERR_print_errors(bio_err); - } -diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c ---- openssl-1.0.0-beta4/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200 -+++ openssl-1.0.0-beta4/apps/s_time.c 2009-11-12 12:26:32.000000000 +0100 -@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv) - - SSL_load_error_strings(); - -- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || -- (!SSL_CTX_set_default_verify_paths(tm_ctx))) -+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) -+ { -+ ERR_print_errors(bio_err); -+ } -+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) - { -- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ - ERR_print_errors(bio_err); -- /* goto end; */ - } - - if (tm_cipher == NULL) diff --git a/openssl-1.0.1c-default-paths.patch b/openssl-1.0.1c-default-paths.patch new file mode 100644 index 0000000..236d1db --- /dev/null +++ b/openssl-1.0.1c-default-paths.patch @@ -0,0 +1,100 @@ +diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c +--- openssl-1.0.1c/apps/s_client.c.default-paths 2012-03-18 19:16:05.000000000 +0100 ++++ openssl-1.0.1c/apps/s_client.c 2012-12-06 18:24:06.425933203 +0100 +@@ -1166,12 +1166,19 @@ bad: + if (!set_cert_key_stuff(ctx,cert,key)) + goto end; + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (CAfile == NULL && CApath == NULL) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ +- ERR_print_errors(bio_err); +- /* goto end; */ ++ if (!SSL_CTX_set_default_verify_paths(ctx)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ } ++ else ++ { ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } + } + + #ifndef OPENSSL_NO_TLSEXT +diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c +--- openssl-1.0.1c/apps/s_server.c.default-paths 2012-03-18 19:16:05.000000000 +0100 ++++ openssl-1.0.1c/apps/s_server.c 2012-12-06 18:25:11.199329611 +0100 +@@ -1565,13 +1565,21 @@ bad: + } + #endif + +- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx))) ++ if (CAfile == NULL && CApath == NULL) + { +- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ +- ERR_print_errors(bio_err); +- /* goto end; */ ++ if (!SSL_CTX_set_default_verify_paths(ctx)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ } ++ else ++ { ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } + } ++ + if (vpm) + SSL_CTX_set1_param(ctx, vpm); + +@@ -1622,8 +1630,11 @@ bad: + else + SSL_CTX_sess_set_cache_size(ctx2,128); + +- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(ctx2))) ++ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ if (!SSL_CTX_set_default_verify_paths(ctx2)) + { + ERR_print_errors(bio_err); + } +diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c +--- openssl-1.0.1c/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200 ++++ openssl-1.0.1c/apps/s_time.c 2012-12-06 18:27:41.694574044 +0100 +@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv) + + SSL_load_error_strings(); + +- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) || +- (!SSL_CTX_set_default_verify_paths(tm_ctx))) ++ if (CAfile == NULL && CApath == NULL) + { +- /* BIO_printf(bio_err,"error setting default verify locations\n"); */ +- ERR_print_errors(bio_err); +- /* goto end; */ ++ if (!SSL_CTX_set_default_verify_paths(ctx)) ++ { ++ ERR_print_errors(bio_err); ++ } ++ } ++ else ++ { ++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ++ { ++ ERR_print_errors(bio_err); ++ } + } + + if (tm_cipher == NULL) diff --git a/openssl.spec b/openssl.spec index 530c555..4e77a93 100644 --- a/openssl.spec +++ b/openssl.spec @@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem Name: openssl Version: 1.0.1c # Do not forget to bump SHLIB_VERSION on version upgrades -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -45,7 +45,7 @@ Patch7: openssl-1.0.0-timezone.patch Patch8: openssl-1.0.1c-perlfind.patch Patch9: openssl-1.0.1c-aliasing.patch # Bug fixes -Patch23: openssl-1.0.0-beta4-default-paths.patch +Patch23: openssl-1.0.1c-default-paths.patch # Functionality changes Patch33: openssl-1.0.0-beta4-ca-dir.patch Patch34: openssl-0.9.6-x509.patch @@ -431,6 +431,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.* %postun libs -p /sbin/ldconfig %changelog +* Thu Dec 6 2012 Tomas Mraz 1.0.1c-10 +- do not load default verify paths if CApath or CAfile specified (#884305) + * Tue Nov 20 2012 Tomas Mraz 1.0.1c-9 - more fixes from upstream CVS - fix DSA key pairwise check (#878597)