[openssl] do not load default verify paths if CApath or CAfile specified (#884305)
Tomáš Mráz
tmraz at fedoraproject.org
Thu Dec 6 17:30:20 UTC 2012
commit 650873ff0ee52cef1653fa48db5f073daf30dd83
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Thu Dec 6 18:30:15 2012 +0100
do not load default verify paths if CApath or CAfile specified (#884305)
openssl-1.0.0-beta4-default-paths.patch | 77 ------------------------
openssl-1.0.1c-default-paths.patch | 100 +++++++++++++++++++++++++++++++
openssl.spec | 7 ++-
3 files changed, 105 insertions(+), 79 deletions(-)
---
diff --git a/openssl-1.0.1c-default-paths.patch b/openssl-1.0.1c-default-paths.patch
new file mode 100644
index 0000000..236d1db
--- /dev/null
+++ b/openssl-1.0.1c-default-paths.patch
@@ -0,0 +1,100 @@
+diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
+--- openssl-1.0.1c/apps/s_client.c.default-paths 2012-03-18 19:16:05.000000000 +0100
++++ openssl-1.0.1c/apps/s_client.c 2012-12-06 18:24:06.425933203 +0100
+@@ -1166,12 +1166,19 @@ bad:
+ if (!set_cert_key_stuff(ctx,cert,key))
+ goto end;
+
+- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx)))
++ if (CAfile == NULL && CApath == NULL)
+ {
+- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (!SSL_CTX_set_default_verify_paths(ctx))
++ {
++ ERR_print_errors(bio_err);
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
+ }
+
+ #ifndef OPENSSL_NO_TLSEXT
+diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
+--- openssl-1.0.1c/apps/s_server.c.default-paths 2012-03-18 19:16:05.000000000 +0100
++++ openssl-1.0.1c/apps/s_server.c 2012-12-06 18:25:11.199329611 +0100
+@@ -1565,13 +1565,21 @@ bad:
+ }
+ #endif
+
+- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx)))
++ if (CAfile == NULL && CApath == NULL)
+ {
+- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (!SSL_CTX_set_default_verify_paths(ctx))
++ {
++ ERR_print_errors(bio_err);
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
+ }
++
+ if (vpm)
+ SSL_CTX_set1_param(ctx, vpm);
+
+@@ -1622,8 +1630,11 @@ bad:
+ else
+ SSL_CTX_sess_set_cache_size(ctx2,128);
+
+- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx2)))
++ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx2))
+ {
+ ERR_print_errors(bio_err);
+ }
+diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
+--- openssl-1.0.1c/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
++++ openssl-1.0.1c/apps/s_time.c 2012-12-06 18:27:41.694574044 +0100
+@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
+
+ SSL_load_error_strings();
+
+- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
++ if (CAfile == NULL && CApath == NULL)
+ {
+- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (!SSL_CTX_set_default_verify_paths(ctx))
++ {
++ ERR_print_errors(bio_err);
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
+ }
+
+ if (tm_cipher == NULL)
diff --git a/openssl.spec b/openssl.spec
index 530c555..4e77a93 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
Name: openssl
Version: 1.0.1c
# Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 9%{?dist}
+Release: 10%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -45,7 +45,7 @@ Patch7: openssl-1.0.0-timezone.patch
Patch8: openssl-1.0.1c-perlfind.patch
Patch9: openssl-1.0.1c-aliasing.patch
# Bug fixes
-Patch23: openssl-1.0.0-beta4-default-paths.patch
+Patch23: openssl-1.0.1c-default-paths.patch
# Functionality changes
Patch33: openssl-1.0.0-beta4-ca-dir.patch
Patch34: openssl-0.9.6-x509.patch
@@ -431,6 +431,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Thu Dec 6 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1c-10
+- do not load default verify paths if CApath or CAfile specified (#884305)
+
* Tue Nov 20 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1c-9
- more fixes from upstream CVS
- fix DSA key pairwise check (#878597)
More information about the scm-commits
mailing list