tmraz pushed to openssl (master). "add alternative certificate chain discovery support from upstream"
notifications at fedoraproject.org
notifications at fedoraproject.org
Tue Apr 28 15:13:36 UTC 2015
>From d743a79756eb198f164a3c3ac7236cfce72e4fc1 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tmraz at fedoraproject.org>
Date: Tue, 28 Apr 2015 17:10:52 +0200
Subject: add alternative certificate chain discovery support from upstream
diff --git a/openssl-1.0.2a-alt-chains.patch b/openssl-1.0.2a-alt-chains.patch
new file mode 100644
index 0000000..44453c6
--- /dev/null
+++ b/openssl-1.0.2a-alt-chains.patch
@@ -0,0 +1,527 @@
+diff -up openssl-1.0.2a/apps/apps.c.alt-chains openssl-1.0.2a/apps/apps.c
+--- openssl-1.0.2a/apps/apps.c.alt-chains 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/apps/apps.c 2015-04-28 16:49:50.124558770 +0200
+@@ -2371,6 +2371,8 @@ int args_verify(char ***pargs, int *parg
+ flags |= X509_V_FLAG_SUITEB_192_LOS;
+ else if (!strcmp(arg, "-partial_chain"))
+ flags |= X509_V_FLAG_PARTIAL_CHAIN;
++ else if (!strcmp(arg, "-no_alt_chains"))
++ flags |= X509_V_FLAG_NO_ALT_CHAINS;
+ else
+ return 0;
+
+diff -up openssl-1.0.2a/apps/cms.c.alt-chains openssl-1.0.2a/apps/cms.c
+--- openssl-1.0.2a/apps/cms.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
++++ openssl-1.0.2a/apps/cms.c 2015-04-28 16:49:50.125558793 +0200
+@@ -648,6 +648,8 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err,
++ "-no_alt_chains only ever use the first certificate chain found\n");
++ BIO_printf(bio_err,
+ "-crl_check check revocation status of signer's certificate using CRLs\n");
+ BIO_printf(bio_err,
+ "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
+diff -up openssl-1.0.2a/apps/ocsp.c.alt-chains openssl-1.0.2a/apps/ocsp.c
+--- openssl-1.0.2a/apps/ocsp.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
++++ openssl-1.0.2a/apps/ocsp.c 2015-04-28 16:49:50.125558793 +0200
+@@ -538,6 +538,8 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err,
++ "-no_alt_chains only ever use the first certificate chain found\n");
++ BIO_printf(bio_err,
+ "-VAfile file validator certificates file\n");
+ BIO_printf(bio_err,
+ "-validity_period n maximum validity discrepancy in seconds\n");
+diff -up openssl-1.0.2a/apps/s_client.c.alt-chains openssl-1.0.2a/apps/s_client.c
+--- openssl-1.0.2a/apps/s_client.c.alt-chains 2015-04-23 10:22:56.225685251 +0200
++++ openssl-1.0.2a/apps/s_client.c 2015-04-28 16:49:50.126558815 +0200
+@@ -335,6 +335,8 @@ static void sc_usage(void)
+ BIO_printf(bio_err,
+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
+ BIO_printf(bio_err,
++ " -no_alt_chains - only ever use the first certificate chain found\n");
++ BIO_printf(bio_err,
+ " -reconnect - Drop and re-make the connection with the same Session-ID\n");
+ BIO_printf(bio_err,
+ " -pause - sleep(1) after each read(2) and write(2) system call\n");
+diff -up openssl-1.0.2a/apps/smime.c.alt-chains openssl-1.0.2a/apps/smime.c
+--- openssl-1.0.2a/apps/smime.c.alt-chains 2015-04-23 10:22:56.226685277 +0200
++++ openssl-1.0.2a/apps/smime.c 2015-04-28 16:49:50.128558861 +0200
+@@ -444,6 +444,8 @@ int MAIN(int argc, char **argv)
+ BIO_printf(bio_err,
+ "-trusted_first use trusted certificates first when building the trust chain\n");
+ BIO_printf(bio_err,
++ "-no_alt_chains only ever use the first certificate chain found\n");
++ BIO_printf(bio_err,
+ "-crl_check check revocation status of signer's certificate using CRLs\n");
+ BIO_printf(bio_err,
+ "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
+diff -up openssl-1.0.2a/apps/s_server.c.alt-chains openssl-1.0.2a/apps/s_server.c
+--- openssl-1.0.2a/apps/s_server.c.alt-chains 2015-04-23 10:22:56.226685277 +0200
++++ openssl-1.0.2a/apps/s_server.c 2015-04-28 16:49:50.128558861 +0200
+@@ -571,6 +571,8 @@ static void sv_usage(void)
+ BIO_printf(bio_err,
+ " -trusted_first - Use trusted CA's first when building the trust chain\n");
+ BIO_printf(bio_err,
++ " -no_alt_chains - only ever use the first certificate chain found\n");
++ BIO_printf(bio_err,
+ " -nocert - Don't use any certificates (Anon-DH)\n");
+ BIO_printf(bio_err,
+ " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
+diff -up openssl-1.0.2a/apps/verify.c.alt-chains openssl-1.0.2a/apps/verify.c
+--- openssl-1.0.2a/apps/verify.c.alt-chains 2015-04-28 16:49:50.128558861 +0200
++++ openssl-1.0.2a/apps/verify.c 2015-04-28 16:50:52.210974346 +0200
+@@ -232,7 +232,7 @@ int MAIN(int argc, char **argv)
+ if (ret == 1) {
+ BIO_printf(bio_err,
+ "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
+- BIO_printf(bio_err, " [-attime timestamp]");
++ BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
+ #ifndef OPENSSL_NO_ENGINE
+ BIO_printf(bio_err, " [-engine e]");
+ #endif
+diff -up openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.c
+--- openssl-1.0.2a/crypto/x509/x509_vfy.c.alt-chains 2015-04-23 10:22:56.188684277 +0200
++++ openssl-1.0.2a/crypto/x509/x509_vfy.c 2015-04-28 17:03:40.478786778 +0200
+@@ -189,11 +189,11 @@ static X509 *lookup_cert_match(X509_STOR
+
+ int X509_verify_cert(X509_STORE_CTX *ctx)
+ {
+- X509 *x, *xtmp, *chain_ss = NULL;
++ X509 *x, *xtmp, *xtmp2, *chain_ss = NULL;
+ int bad_chain = 0;
+ X509_VERIFY_PARAM *param = ctx->param;
+ int depth, i, ok = 0;
+- int num;
++ int num, j, retry;
+ int (*cb) (int xok, X509_STORE_CTX *xctx);
+ STACK_OF(X509) *sktmp = NULL;
+ if (ctx->cert == NULL) {
+@@ -278,91 +278,136 @@ int X509_verify_cert(X509_STORE_CTX *ctx
+ break;
+ }
+
++ /* Remember how many untrusted certs we have */
++ j = num;
+ /*
+ * at this point, chain should contain a list of untrusted certificates.
+ * We now need to add at least one trusted one, if possible, otherwise we
+ * complain.
+ */
+
+- /*
+- * Examine last certificate in chain and see if it is self signed.
+- */
+-
+- i = sk_X509_num(ctx->chain);
+- x = sk_X509_value(ctx->chain, i - 1);
+- if (cert_self_signed(x)) {
+- /* we have a self signed certificate */
+- if (sk_X509_num(ctx->chain) == 1) {
+- /*
+- * We have a single self signed certificate: see if we can find
+- * it in the store. We must have an exact match to avoid possible
+- * impersonation.
+- */
+- ok = ctx->get_issuer(&xtmp, ctx, x);
+- if ((ok <= 0) || X509_cmp(x, xtmp)) {
+- ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+- ctx->current_cert = x;
+- ctx->error_depth = i - 1;
+- if (ok == 1)
+- X509_free(xtmp);
+- bad_chain = 1;
+- ok = cb(0, ctx);
+- if (!ok)
+- goto end;
++ do {
++ /*
++ * Examine last certificate in chain and see if it is self signed.
++ */
++ i = sk_X509_num(ctx->chain);
++ x = sk_X509_value(ctx->chain, i - 1);
++ if (cert_self_signed(x)) {
++ /* we have a self signed certificate */
++ if (sk_X509_num(ctx->chain) == 1) {
++ /*
++ * We have a single self signed certificate: see if we can
++ * find it in the store. We must have an exact match to avoid
++ * possible impersonation.
++ */
++ ok = ctx->get_issuer(&xtmp, ctx, x);
++ if ((ok <= 0) || X509_cmp(x, xtmp)) {
++ ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
++ ctx->current_cert = x;
++ ctx->error_depth = i - 1;
++ if (ok == 1)
++ X509_free(xtmp);
++ bad_chain = 1;
++ ok = cb(0, ctx);
++ if (!ok)
++ goto end;
++ } else {
++ /*
++ * We have a match: replace certificate with store
++ * version so we get any trust settings.
++ */
++ X509_free(x);
++ x = xtmp;
++ (void)sk_X509_set(ctx->chain, i - 1, x);
++ ctx->last_untrusted = 0;
++ }
+ } else {
+ /*
+- * We have a match: replace certificate with store version so
+- * we get any trust settings.
++ * extract and save self signed certificate for later use
+ */
+- X509_free(x);
+- x = xtmp;
+- (void)sk_X509_set(ctx->chain, i - 1, x);
+- ctx->last_untrusted = 0;
++ chain_ss = sk_X509_pop(ctx->chain);
++ ctx->last_untrusted--;
++ num--;
++ j--;
++ x = sk_X509_value(ctx->chain, num - 1);
+ }
+- } else {
+- /*
+- * extract and save self signed certificate for later use
+- */
+- chain_ss = sk_X509_pop(ctx->chain);
+- ctx->last_untrusted--;
+- num--;
+- x = sk_X509_value(ctx->chain, num - 1);
+ }
+- }
+-
+- /* We now lookup certs from the certificate store */
+- for (;;) {
+- /* If we have enough, we break */
+- if (depth < num)
+- break;
++ /* We now lookup certs from the certificate store */
++ for (;;) {
++ /* If we have enough, we break */
++ if (depth < num)
++ break;
++ /* If we are self signed, we break */
++ if (cert_self_signed(x))
++ break;
++ ok = ctx->get_issuer(&xtmp, ctx, x);
+
+- /* If we are self signed, we break */
+- if (cert_self_signed(x))
+- break;
++ if (ok < 0)
++ return ok;
++ if (ok == 0)
++ break;
++ x = xtmp;
++ if (!sk_X509_push(ctx->chain, x)) {
++ X509_free(xtmp);
++ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
++ return 0;
++ }
++ num++;
++ }
+
+- ok = ctx->get_issuer(&xtmp, ctx, x);
++ /* we now have our chain, lets check it... */
++ i = check_trust(ctx);
+
+- if (ok < 0)
+- return ok;
+- if (ok == 0)
+- break;
++ /* If explicitly rejected error */
++ if (i == X509_TRUST_REJECTED)
++ goto end;
++ /*
++ * If it's not explicitly trusted then check if there is an alternative
++ * chain that could be used. We only do this if we haven't already
++ * checked via TRUSTED_FIRST and the user hasn't switched off alternate
++ * chain checking
++ */
++ retry = 0;
++ if (i != X509_TRUST_TRUSTED
++ && !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
++ && !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
++ while (j-- > 1) {
++ STACK_OF(X509) *chtmp = ctx->chain;
++ xtmp2 = sk_X509_value(ctx->chain, j - 1);
++ /*
++ * Temporarily set chain to NULL so we don't discount
++ * duplicates: the same certificate could be an untrusted
++ * CA found in the trusted store.
++ */
++ ctx->chain = NULL;
++ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
++ ctx->chain = chtmp;
++ if (ok < 0)
++ goto end;
++ /* Check if we found an alternate chain */
++ if (ok > 0) {
++ /*
++ * Free up the found cert we'll add it again later
++ */
++ X509_free(xtmp);
+
+- x = xtmp;
+- if (!sk_X509_push(ctx->chain, x)) {
+- X509_free(xtmp);
+- X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+- return 0;
++ /*
++ * Dump all the certs above this point - we've found an
++ * alternate chain
++ */
++ while (num > j) {
++ xtmp = sk_X509_pop(ctx->chain);
++ X509_free(xtmp);
++ num--;
++ ctx->last_untrusted--;
++ }
++ retry = 1;
++ break;
++ }
++ }
+ }
+- num++;
+- }
++ } while (retry);
+
+- /* we now have our chain, lets check it... */
+-
+- i = check_trust(ctx);
+-
+- /* If explicitly rejected error */
+- if (i == X509_TRUST_REJECTED)
+- goto end;
+ /*
+ * If not explicitly trusted then indicate error unless it's a single
+ * self signed certificate in which case we've indicated an error already
+diff -up openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.2a/crypto/x509/x509_vfy.h
+--- openssl-1.0.2a/crypto/x509/x509_vfy.h.alt-chains 2015-04-23 10:22:56.016679751 +0200
++++ openssl-1.0.2a/crypto/x509/x509_vfy.h 2015-04-28 16:49:18.551838908 +0200
+@@ -432,6 +432,12 @@ void X509_STORE_CTX_set_depth(X509_STORE
+
+ /* Allow partial chains if at least one certificate is in trusted store */
+ # define X509_V_FLAG_PARTIAL_CHAIN 0x80000
++/*
++ * If the initial chain is not trusted, do not attempt to build an alternative
++ * chain. Alternate chain checking was introduced in 1.0.2b. Setting this flag
++ * will force the behaviour to match that of previous versions.
++ */
++# define X509_V_FLAG_NO_ALT_CHAINS 0x100000
+
+ # define X509_VP_FLAG_DEFAULT 0x1
+ # define X509_VP_FLAG_OVERWRITE 0x2
+diff -up openssl-1.0.2a/doc/apps/cms.pod.alt-chains openssl-1.0.2a/doc/apps/cms.pod
+--- openssl-1.0.2a/doc/apps/cms.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
++++ openssl-1.0.2a/doc/apps/cms.pod 2015-04-28 16:54:17.537682406 +0200
+@@ -36,6 +36,7 @@ B<openssl> B<cms>
+ [B<-CAfile file>]
+ [B<-CApath dir>]
+ [B<-trusted_first>]
++[B<-no_alt_chains>]
+ [B<-md digest>]
+ [B<-[cipher]>]
+ [B<-nointern>]
+@@ -426,7 +427,7 @@ portion of a message so they may be incl
+ then many S/MIME mail clients check the signers certificate's email
+ address matches that specified in the From: address.
+
+-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
+
+ Set various certificate chain valiadition option. See the
+ L<B<verify>|verify(1)> manual page for details.
+@@ -662,4 +663,6 @@ Support for RSA-OAEP and RSA-PSS was fir
+ The use of non-RSA keys with B<-encrypt> and B<-decrypt> was first added
+ to OpenSSL 1.1.0.
+
++The -no_alt_chains options was first added to OpenSSL 1.0.2b.
++
+ =cut
+diff -up openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains openssl-1.0.2a/doc/apps/ocsp.pod
+--- openssl-1.0.2a/doc/apps/ocsp.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
++++ openssl-1.0.2a/doc/apps/ocsp.pod 2015-04-28 16:53:44.564914852 +0200
+@@ -30,6 +30,7 @@ B<openssl> B<ocsp>
+ [B<-CApath dir>]
+ [B<-CAfile file>]
+ [B<-trusted_first>]
++[B<-no_alt_chains>]
+ [B<-VAfile file>]
+ [B<-validity_period n>]
+ [B<-status_age n>]
+@@ -151,6 +152,10 @@ in the response or residing in other cer
+ chain to verify responder certificate.
+ This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
++=item B<-no_alt_chains>
++
++See L<B<verify>|verify(1)> manual page for details.
++
+ =item B<-verify_other file>
+
+ file containing additional certificates to search when attempting to locate
+@@ -388,3 +393,9 @@ second file.
+
+ openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem
+ -reqin req.der -respout resp.der
++
++=head1 HISTORY
++
++The -no_alt_chains options was first added to OpenSSL 1.0.2b.
++
++=cut
+diff -up openssl-1.0.2a/doc/apps/s_client.pod.alt-chains openssl-1.0.2a/doc/apps/s_client.pod
+--- openssl-1.0.2a/doc/apps/s_client.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
++++ openssl-1.0.2a/doc/apps/s_client.pod 2015-04-28 16:55:24.812248450 +0200
+@@ -20,6 +20,7 @@ B<openssl> B<s_client>
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
+ [B<-trusted_first>]
++[B<-no_alt_chains>]
+ [B<-reconnect>]
+ [B<-pause>]
+ [B<-showcerts>]
+@@ -124,7 +125,7 @@ also used when building the client certi
+ A file containing trusted certificates to use during server authentication
+ and to use when attempting to build the client certificate chain.
+
+-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
+
+ Set various certificate chain valiadition option. See the
+ L<B<verify>|verify(1)> manual page for details.
+@@ -365,4 +366,8 @@ information whenever a session is renego
+
+ L<sess_id(1)|sess_id(1)>, L<s_server(1)|s_server(1)>, L<ciphers(1)|ciphers(1)>
+
++=head1 HISTORY
++
++The -no_alt_chains options was first added to OpenSSL 1.0.2b.
++
+ =cut
+diff -up openssl-1.0.2a/doc/apps/smime.pod.alt-chains openssl-1.0.2a/doc/apps/smime.pod
+--- openssl-1.0.2a/doc/apps/smime.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
++++ openssl-1.0.2a/doc/apps/smime.pod 2015-04-28 16:57:33.598246384 +0200
+@@ -18,6 +18,7 @@ B<openssl> B<smime>
+ [B<-CAfile file>]
+ [B<-CApath dir>]
+ [B<-trusted_first>]
++[B<-no_alt_chains>]
+ [B<-certfile file>]
+ [B<-signer file>]
+ [B<-recip file>]
+@@ -268,7 +269,7 @@ portion of a message so they may be incl
+ then many S/MIME mail clients check the signers certificate's email
+ address matches that specified in the From: address.
+
+-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
+
+ Set various options of certificate chain verification. See
+ L<B<verify>|verify(1)> manual page for details.
+@@ -450,5 +451,6 @@ structures may cause parsing errors.
+ The use of multiple B<-signer> options and the B<-resign> command were first
+ added in OpenSSL 1.0.0
+
++The -no_alt_chains options was first added to OpenSSL 1.0.2b.
+
+ =cut
+diff -up openssl-1.0.2a/doc/apps/s_server.pod.alt-chains openssl-1.0.2a/doc/apps/s_server.pod
+--- openssl-1.0.2a/doc/apps/s_server.pod.alt-chains 2015-04-23 10:22:56.227685303 +0200
++++ openssl-1.0.2a/doc/apps/s_server.pod 2015-04-28 16:56:27.494707598 +0200
+@@ -34,6 +34,7 @@ B<openssl> B<s_server>
+ [B<-CApath directory>]
+ [B<-CAfile filename>]
+ [B<-trusted_first>]
++[B<-no_alt_chains>]
+ [B<-nocert>]
+ [B<-cipher cipherlist>]
+ [B<-serverpref>]
+@@ -181,6 +182,10 @@ Use certificates in CA file or CA direct
+ when building the trust chain to verify client certificates.
+ This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
++=item B<-no_alt_chains>
++
++See the L<B<verify>|verify(1)> manual page for details.
++
+ =item B<-state>
+
+ prints out the SSL session states.
+@@ -413,4 +418,8 @@ unknown cipher suites a client says it s
+
+ L<sess_id(1)|sess_id(1)>, L<s_client(1)|s_client(1)>, L<ciphers(1)|ciphers(1)>
+
++=head1 HISTORY
++
++The -no_alt_chains options was first added to OpenSSL 1.0.2b.
++
+ =cut
+diff -up openssl-1.0.2a/doc/apps/verify.pod.alt-chains openssl-1.0.2a/doc/apps/verify.pod
+--- openssl-1.0.2a/doc/apps/verify.pod.alt-chains 2015-04-23 10:22:56.228685330 +0200
++++ openssl-1.0.2a/doc/apps/verify.pod 2015-04-28 16:52:22.544033948 +0200
+@@ -26,6 +26,7 @@ B<openssl> B<verify>
+ [B<-extended_crl>]
+ [B<-use_deltas>]
+ [B<-policy_print>]
++[B<-no_alt_chains>]
+ [B<-untrusted file>]
+ [B<-help>]
+ [B<-issuer_checks>]
+@@ -131,6 +132,14 @@ Set policy variable inhibit-any-policy (
+
+ Set policy variable inhibit-policy-mapping (see RFC5280).
+
++=item B<-no_alt_chains>
++
++When building a certificate chain, if the first certificate chain found is not
++trusted, then OpenSSL will continue to check to see if an alternative chain can
++be found that is trusted. With this option that behaviour is suppressed so that
++only the first chain found is ever used. Using this option will force the
++behaviour to match that of previous OpenSSL versions.
++
+ =item B<-policy_print>
+
+ Print out diagnostics related to policy processing.
+@@ -432,4 +441,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CER
+
+ L<x509(1)|x509(1)>
+
++=head1 HISTORY
++
++The -no_alt_chains options was first added to OpenSSL 1.0.2b.
++
+ =cut
+diff -up openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
+--- openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2015-03-19 14:30:36.000000000 +0100
++++ openssl-1.0.2a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-04-28 16:52:22.544033948 +0200
+@@ -197,6 +197,12 @@ verification. If this flag is set then a
+ to the verification callback and it B<must> be prepared to handle such cases
+ without assuming they are hard errors.
+
++The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
++chains. By default, when building a certificate chain, if the first certificate
++chain found is not trusted, then OpenSSL will continue to check to see if an
++alternative chain can be found that is trusted. With this flag set the behaviour
++will match that of OpenSSL versions prior to 1.0.2b.
++
+ =head1 NOTES
+
+ The above functions should be used to manipulate verification parameters
+@@ -233,6 +239,6 @@ L<X509_check_ip(3)|X509_check_ip(3)>
+
+ =head1 HISTORY
+
+-TBA
++The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in OpenSSL 1.0.2b
+
+ =cut
diff --git a/openssl.spec b/openssl.spec
index f113439..e8224e9 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -23,7 +23,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.2a
-Release: 1%{?dist}
+Release: 2%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@@ -78,14 +78,15 @@ Patch74: openssl-1.0.2a-no-md5-verify.patch
Patch75: openssl-1.0.2a-compat-symbols.patch
Patch76: openssl-1.0.2a-new-fips-reqs.patch
Patch77: openssl-1.0.2a-weak-ciphers.patch
+Patch78: openssl-1.0.2a-cc-reqs.patch
Patch90: openssl-1.0.2a-enc-fail.patch
Patch92: openssl-1.0.2a-system-cipherlist.patch
Patch93: openssl-1.0.2a-disable-sslv2v3.patch
# Backported fixes including security fixes
Patch80: openssl-1.0.2a-wrap-pad.patch
Patch81: openssl-1.0.2a-padlock64.patch
-Patch84: openssl-1.0.2a-trusted-first-doc.patch
-Patch87: openssl-1.0.2a-cc-reqs.patch
+Patch82: openssl-1.0.2a-trusted-first-doc.patch
+Patch83: openssl-1.0.2a-alt-chains.patch
License: OpenSSL
Group: System Environment/Libraries
@@ -198,14 +199,15 @@ cp %{SOURCE12} %{SOURCE13} crypto/ec/
%patch75 -p1 -b .compat
%patch76 -p1 -b .fips-reqs
%patch77 -p1 -b .weak-ciphers
+%patch78 -p1 -b .cc-reqs
%patch90 -p1 -b .enc-fail
%patch92 -p1 -b .system
%patch93 -p1 -b .v2v3
%patch80 -p1 -b .wrap
%patch81 -p1 -b .padlock64
-%patch84 -p1 -b .trusted-first
-%patch87 -p1 -b .cc-reqs
+%patch82 -p1 -b .trusted-first
+%patch83 -p1 -b .alt-chains
sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
@@ -473,6 +475,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
+* Tue Apr 28 2015 Tomáš Mráz <tmraz at redhat.com> 1.0.2a-2
+- add alternative certificate chain discovery support from upstream
+
* Thu Apr 23 2015 Tomáš Mráz <tmraz at redhat.com> 1.0.2a-1
- rebase to 1.0.2 branch
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/openssl.git/commit/?h=master&id=d743a79756eb198f164a3c3ac7236cfce72e4fc1
More information about the scm-commits
mailing list