add support for the -trusted_first option for certificate chain verification

2013-07-10 11:02:41 +02:00 · 2013-07-10 11:02:41 +02:00 · 30aa9303c7
commit 30aa9303c7
parent dad6e3ee78
2 changed files with 56 additions and 1 deletions
--- a/openssl-1.0.1e-trusted-first.patch
+++ b/openssl-1.0.1e-trusted-first.patch
@ -0,0 +1,50 @@
 diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c
 --- openssl-1.0.1e/apps/apps.c.trusted-first	2013-02-11 16:26:04.000000000 +0100
 +++ openssl-1.0.1e/apps/apps.c	2013-07-10 10:42:42.242706279 +0200
@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
 	else if (!strcmp(arg, "-check_ss_sig"))
 		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
 +	else if (!strcmp(arg, "-trusted_first"))
 +		flags |= X509_V_FLAG_TRUSTED_FIRST;
 	else
 		return 0;
 diff -up openssl-1.0.1e/CHANGES.trusted-first openssl-1.0.1e/CHANGES
 diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c
 --- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first	2013-05-31 13:40:52.000000000 +0200
 +++ openssl-1.0.1e/crypto/x509/x509_vfy.c	2013-07-10 10:45:49.473638295 +0200
@@ -205,6 +205,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		/* If we are self signed, we break */
 		if (ctx->check_issued(ctx, x,x)) break;
 +		/* If asked see if we can find issuer in trusted store first */
 +		if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
 +			{
 +			ok = ctx->get_issuer(&xtmp, ctx, x);
 +			if (ok < 0)
 +				return ok;
 +			/* If successful for now free up cert so it
 +			 * will be picked up again later.
 +			 */
 +			if (ok > 0)
 +				{
 +				X509_free(xtmp);
 +				break;
 +				}
 +			}
 		/* If we were passed a cert chain, use it first */
 		if (ctx->untrusted != NULL)
 diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h
 --- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first	2013-05-31 13:40:51.890277515 +0200
 +++ openssl-1.0.1e/crypto/x509/x509_vfy.h	2013-07-10 10:42:42.247706379 +0200
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
 #define X509_V_FLAG_USE_DELTAS			0x2000
 /* Check selfsigned CA signature */
 #define X509_V_FLAG_CHECK_SS_SIGNATURE		0x4000
 +/* Use trusted store first */
 +#define X509_V_FLAG_TRUSTED_FIRST		0x8000
 #define X509_VP_FLAG_DEFAULT			0x1
--- a/openssl.spec
+++ b/openssl.spec
@ -21,7 +21,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 6%{?dist}
+Release: 7%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@ -73,6 +73,7 @@ Patch71: openssl-1.0.1e-manfix.patch
 Patch81: openssl-1.0.1-beta2-padlock64.patch
 Patch82: openssl-1.0.1e-backports.patch
 Patch83: openssl-1.0.1e-bad-mac.patch
 Patch84: openssl-1.0.1e-trusted-first.patch
 License: OpenSSL
 Group: System Environment/Libraries
@ -178,6 +179,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch82 -p1 -b .backports
 %patch71 -p1 -b .manfix
 %patch83 -p1 -b .bad-mac
 %patch84 -p1 -b .trusted-first
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@ -438,6 +440,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 %changelog
 * Wed Jul 10 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-7
 - add support for the -trusted_first option for certificate chain verification
 * Fri May  3 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-6
 - fix build of manual pages with current pod2man (#959439)