[openssl] do not load default verify paths if CApath or CAfile specified (#884305)

Thu Dec 6 17:30:20 UTC 2012

commit 650873ff0ee52cef1653fa48db5f073daf30dd83
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Dec 6 18:30:15 2012 +0100

    do not load default verify paths if CApath or CAfile specified (#884305)

 openssl-1.0.0-beta4-default-paths.patch |   77 ------------------------
 openssl-1.0.1c-default-paths.patch      |  100 +++++++++++++++++++++++++++++++
 openssl.spec                            |    7 ++-
 3 files changed, 105 insertions(+), 79 deletions(-)
---

diff --git a/openssl-1.0.1c-default-paths.patch b/openssl-1.0.1c-default-paths.patch
new file mode 100644
index 0000000..236d1db
--- /dev/null
+++ b/openssl-1.0.1c-default-paths.patch
@@ -0,0 +1,100 @@
+diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
+--- openssl-1.0.1c/apps/s_client.c.default-paths	2012-03-18 19:16:05.000000000 +0100
++++ openssl-1.0.1c/apps/s_client.c	2012-12-06 18:24:06.425933203 +0100
+@@ -1166,12 +1166,19 @@ bad:
+ 	if (!set_cert_key_stuff(ctx,cert,key))
+ 		goto end;
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(ctx)))
++	if (CAfile == NULL && CApath == NULL)
+ 		{
+-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+-		ERR_print_errors(bio_err);
+-		/* goto end; */
++		if (!SSL_CTX_set_default_verify_paths(ctx))
++			{
++			ERR_print_errors(bio_err);
++			}
++		}
++	else
++		{
++		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++			{
++			ERR_print_errors(bio_err);
++			}
+ 		}
+ 
+ #ifndef OPENSSL_NO_TLSEXT
+diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
+--- openssl-1.0.1c/apps/s_server.c.default-paths	2012-03-18 19:16:05.000000000 +0100
++++ openssl-1.0.1c/apps/s_server.c	2012-12-06 18:25:11.199329611 +0100
+@@ -1565,13 +1565,21 @@ bad:
+ 		}
+ #endif
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(ctx)))
++	if (CAfile == NULL && CApath == NULL)
+ 		{
+-		/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+-		ERR_print_errors(bio_err);
+-		/* goto end; */
++		if (!SSL_CTX_set_default_verify_paths(ctx))
++			{
++			ERR_print_errors(bio_err);
++			}
++		}
++	else
++		{
++		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++			{
++			ERR_print_errors(bio_err);
++			}
+ 		}
++
+ 	if (vpm)
+ 		SSL_CTX_set1_param(ctx, vpm);
+ 
+@@ -1622,8 +1630,11 @@ bad:
+ 		else
+ 			SSL_CTX_sess_set_cache_size(ctx2,128);
+ 
+-		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
+-			(!SSL_CTX_set_default_verify_paths(ctx2)))
++		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
++			{
++			ERR_print_errors(bio_err);
++			}
++		if (!SSL_CTX_set_default_verify_paths(ctx2))
+ 			{
+ 			ERR_print_errors(bio_err);
+ 			}
+diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
+--- openssl-1.0.1c/apps/s_time.c.default-paths	2006-04-17 14:22:13.000000000 +0200
++++ openssl-1.0.1c/apps/s_time.c	2012-12-06 18:27:41.694574044 +0100
+@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
+ 
+ 	SSL_load_error_strings();
+ 
+-	if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(tm_ctx)))
++	if (CAfile == NULL && CApath == NULL)
+ 		{
+-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+-		ERR_print_errors(bio_err);
+-		/* goto end; */
++		if (!SSL_CTX_set_default_verify_paths(ctx))
++			{
++			ERR_print_errors(bio_err);
++			}
++		}
++	else
++		{
++		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++			{
++			ERR_print_errors(bio_err);
++			}
+ 		}
+ 
+ 	if (tm_cipher == NULL)
diff --git a/openssl.spec b/openssl.spec
index 530c555..4e77a93 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
 Name: openssl
 Version: 1.0.1c
 # Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 9%{?dist}
+Release: 10%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -45,7 +45,7 @@ Patch7: openssl-1.0.0-timezone.patch
 Patch8: openssl-1.0.1c-perlfind.patch
 Patch9: openssl-1.0.1c-aliasing.patch
 # Bug fixes
-Patch23: openssl-1.0.0-beta4-default-paths.patch
+Patch23: openssl-1.0.1c-default-paths.patch
 # Functionality changes
 Patch33: openssl-1.0.0-beta4-ca-dir.patch
 Patch34: openssl-0.9.6-x509.patch
@@ -431,6 +431,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Dec  6 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1c-10
+- do not load default verify paths if CApath or CAfile specified (#884305)
+
 * Tue Nov 20 2012 Tomas Mraz <tmraz at redhat.com> 1.0.1c-9
 - more fixes from upstream CVS
 - fix DSA key pairwise check (#878597)
