Merged update from upstream sources

This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/openssl.git#fb8e66a58fb43344f23aefb4eaefe1b6ca04a80d
This commit is contained in:
DistroBaker 2021-02-11 17:09:01 +00:00
parent 6cc21a3e02
commit f731f488ac
2 changed files with 121 additions and 1 deletions

View File

@ -0,0 +1,113 @@
diff -up openssl-1.1.1i/crypto/x509/x509_vfy.c.verify-cert openssl-1.1.1i/crypto/x509/x509_vfy.c
--- openssl-1.1.1i/crypto/x509/x509_vfy.c.verify-cert 2021-01-20 17:24:53.100175663 +0100
+++ openssl-1.1.1i/crypto/x509/x509_vfy.c 2021-01-20 17:24:53.156176315 +0100
@@ -323,9 +323,10 @@ static int sk_X509_contains(STACK_OF(X50
}
/*
- * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x.
- * The issuer must not be the same as x and must not yet be in ctx->chain, where the
- * exceptional case x is self-issued and ctx->chain has just one element is allowed.
+ * Find in given STACK_OF(X509) sk an issuer cert of given cert x.
+ * The issuer must not yet be in ctx->chain, where the exceptional case
+ * that x is self-issued and ctx->chain has just one element is allowed.
+ * Prefer the first one that is not expired, else take the last expired one.
*/
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
@@ -338,7 +339,7 @@ static X509 *find_issuer(X509_STORE_CTX
* Below check 'issuer != x' is an optimization and safety precaution:
* Candidate issuer cert cannot be the same as the subject cert 'x'.
*/
- if (issuer != x && ctx->check_issued(ctx, x, issuer)
+ if (ctx->check_issued(ctx, x, issuer)
&& (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
|| !sk_X509_contains(ctx->chain, issuer))) {
rv = issuer;
diff -up openssl-1.1.1i/test/recipes/70-test_verify_extra.t.verify-cert openssl-1.1.1i/test/recipes/70-test_verify_extra.t
--- openssl-1.1.1i/test/recipes/70-test_verify_extra.t.verify-cert 2020-12-08 14:20:59.000000000 +0100
+++ openssl-1.1.1i/test/recipes/70-test_verify_extra.t 2021-01-20 17:24:53.156176315 +0100
@@ -16,4 +16,5 @@ plan tests => 1;
ok(run(test(["verify_extra_test",
srctop_file("test", "certs", "roots.pem"),
srctop_file("test", "certs", "untrusted.pem"),
- srctop_file("test", "certs", "bad.pem")])));
+ srctop_file("test", "certs", "bad.pem"),
+ srctop_file("test", "certs", "rootCA.pem")])));
diff -up openssl-1.1.1i/test/verify_extra_test.c.verify-cert openssl-1.1.1i/test/verify_extra_test.c
--- openssl-1.1.1i/test/verify_extra_test.c.verify-cert 2020-12-08 14:20:59.000000000 +0100
+++ openssl-1.1.1i/test/verify_extra_test.c 2021-01-20 17:24:53.156176315 +0100
@@ -18,6 +18,21 @@
static const char *roots_f;
static const char *untrusted_f;
static const char *bad_f;
+static const char *good_f;
+
+static X509 *load_cert_pem(const char *file)
+{
+ X509 *cert = NULL;
+ BIO *bio = NULL;
+
+ if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
+ return NULL;
+ if (TEST_int_gt(BIO_read_filename(bio, file), 0))
+ (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL));
+
+ BIO_free(bio);
+ return cert;
+}
static STACK_OF(X509) *load_certs_from_file(const char *filename)
{
@@ -175,16 +190,48 @@ static int test_store_ctx(void)
return testresult;
}
+static int test_self_signed(const char *filename, int expected)
+{
+ X509 *cert = load_cert_pem(filename);
+ STACK_OF(X509) *trusted = sk_X509_new_null();
+ X509_STORE_CTX *ctx = X509_STORE_CTX_new();
+ int ret;
+
+ ret = TEST_ptr(cert)
+ && TEST_true(sk_X509_push(trusted, cert))
+ && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL));
+ X509_STORE_CTX_trusted_stack(ctx, trusted);
+ ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected);
+
+ X509_STORE_CTX_free(ctx);
+ sk_X509_free(trusted);
+ X509_free(cert);
+ return ret;
+}
+
+static int test_self_signed_good(void)
+{
+ return test_self_signed(good_f, 1);
+}
+
+static int test_self_signed_bad(void)
+{
+ return test_self_signed(bad_f, 0);
+}
+
int setup_tests(void)
{
if (!TEST_ptr(roots_f = test_get_argument(0))
|| !TEST_ptr(untrusted_f = test_get_argument(1))
- || !TEST_ptr(bad_f = test_get_argument(2))) {
- TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem\n");
+ || !TEST_ptr(bad_f = test_get_argument(2))
+ || !TEST_ptr(good_f = test_get_argument(3))) {
+ TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem good.pem\n");
return 0;
}
ADD_TEST(test_alt_chains_cert_forgery);
ADD_TEST(test_store_ctx);
+ ADD_TEST(test_self_signed_good);
+ ADD_TEST(test_self_signed_bad);
return 1;
}

View File

@ -22,7 +22,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.1.1i
Release: 2%{?dist}
Release: 3%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -44,6 +44,9 @@ Patch3: openssl-1.1.1-no-html.patch
Patch4: openssl-1.1.1-man-rename.patch
# Bug fixes
Patch21: openssl-1.1.0-issuer-hash.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1916594
Patch71: openssl-1.1.1-verify-cert.patch
# Functionality changes
Patch31: openssl-1.1.1-conf-paths.patch
Patch32: openssl-1.1.1-version-add-engines.patch
@ -186,6 +189,7 @@ cp %{SOURCE13} test/
%patch67 -p1 -b .kdf-selftest
%patch69 -p1 -b .alpn-cb
%patch70 -p1 -b .rewire-fips-drbg
%patch71 -p1 -b .verify-cert
%build
@ -474,6 +478,9 @@ export LD_LIBRARY_PATH
%ldconfig_scriptlets libs
%changelog
* Wed Feb 10 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1i-3
- Fix regression in X509_verify_cert() (bz1916594)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1i-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild