openssl/openssl-1.0.2a-default-paths.patch

Index: openssl-1.0.2b/apps/s_client.c
===================================================================
--- openssl-1.0.2b.orig/apps/s_client.c	2015-06-11 17:28:32.039203737 +0200
+++ openssl-1.0.2b/apps/s_client.c	2015-06-11 17:39:40.138741521 +0200
@@ -1346,10 +1346,6 @@ int MAIN(int argc, char **argv)
         ERR_print_errors(bio_err);
     }
 
-    ssl_ctx_add_crls(ctx, crls, crl_download);
-    if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
-        goto end;
-
 #ifndef OPENSSL_NO_TLSEXT
     if (servername != NULL) {
         tlsextcbp.biodebug = bio_err;
Index: openssl-1.0.2b/apps/s_server.c
===================================================================
--- openssl-1.0.2b.orig/apps/s_server.c	2015-06-11 17:28:04.879854931 +0200
+++ openssl-1.0.2b/apps/s_server.c	2015-06-11 17:28:32.040203749 +0200
@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
     }
 #endif
 
-    if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
-        (!SSL_CTX_set_default_verify_paths(ctx))) {
-        /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
-        ERR_print_errors(bio_err);
-        /* goto end; */
+    if (CAfile == NULL && CApath == NULL) {
+        if (!SSL_CTX_set_default_verify_paths(ctx)) {
+            ERR_print_errors(bio_err);
+        }
+    } else {
+        if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+            ERR_print_errors(bio_err);
+        }
     }
+
     if (vpm)
         SSL_CTX_set1_param(ctx, vpm);
 
@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
         else
             SSL_CTX_sess_set_cache_size(ctx2, 128);
 
-        if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
-            (!SSL_CTX_set_default_verify_paths(ctx2))) {
+        if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
+            ERR_print_errors(bio_err);
+        }
+        if (!SSL_CTX_set_default_verify_paths(ctx2)) {
             ERR_print_errors(bio_err);
         }
         if (vpm)
Index: openssl-1.0.2b/apps/s_time.c
===================================================================
--- openssl-1.0.2b.orig/apps/s_time.c	2015-06-11 17:28:04.879854931 +0200
+++ openssl-1.0.2b/apps/s_time.c	2015-06-11 17:28:32.040203749 +0200
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
 
     SSL_load_error_strings();
 
-    if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
-        (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
-        /*
-         * BIO_printf(bio_err,"error setting default verify locations\n");
-         */
-        ERR_print_errors(bio_err);
-        /* goto end; */
+    if (CAfile == NULL && CApath == NULL) {
+        if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
+            ERR_print_errors(bio_err);
+        }
+    } else {
+        if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
+            ERR_print_errors(bio_err);
+        }
     }
 
     if (tm_cipher == NULL)
Accepting request 315685 from Base:System - update to 1.0.2d * fixes CVE-2015-1793 (bsc#936746) Alternate chains certificate forgery During certificate verfification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. - drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/315685 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128 2015-07-12 22:51:54 +02:00			`Index: openssl-1.0.2b/apps/s_client.c`
			`===================================================================`
			`--- openssl-1.0.2b.orig/apps/s_client.c 2015-06-11 17:28:32.039203737 +0200`
			`+++ openssl-1.0.2b/apps/s_client.c 2015-06-11 17:39:40.138741521 +0200`
			`@@ -1346,10 +1346,6 @@ int MAIN(int argc, char **argv)`
			`ERR_print_errors(bio_err);`
Accepting request 310849 from Base:System - update to 1.0.2a * Major changes since 1.0.1: - Suite B support for TLS 1.2 and DTLS 1.2 - Support for DTLS 1.2 - TLS automatic EC curve selection. - API to set TLS supported signature algorithms and curves - SSL_CONF configuration API. - TLS Brainpool support. - ALPN support. - CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH. - packaging changes: * merged patches modifying CIPHER_LIST into one, dropping: - openssl-1.0.1e-add-suse-default-cipher-header.patch - openssl-libssl-noweakciphers.patch * fix a manpage with invalid name - added openssl-fix_invalid_manpage_name.patch * remove a missing fips function - openssl-missing_FIPS_ec_group_new_by_curve_name.patch * reimported patches from Fedora dropped patches: - openssl-1.0.1c-default-paths.patch - openssl-1.0.1c-ipv6-apps.patch - openssl-1.0.1e-fips-ctor.patch - openssl-1.0.1e-fips-ec.patch - openssl-1.0.1e-fips.patch - openssl-1.0.1e-new-fips-reqs.patch - VIA_padlock_support_on_64systems.patch added patches: - openssl-1.0.2a-default-paths.patch - openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/310849 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=127 2015-06-08 08:25:56 +02:00			`}`

			`- ssl_ctx_add_crls(ctx, crls, crl_download);`
			`- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))`
			`- goto end;`
			`-`
			`#ifndef OPENSSL_NO_TLSEXT`
			`if (servername != NULL) {`
			`tlsextcbp.biodebug = bio_err;`
Accepting request 315685 from Base:System - update to 1.0.2d * fixes CVE-2015-1793 (bsc#936746) Alternate chains certificate forgery During certificate verfification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. - drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/315685 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128 2015-07-12 22:51:54 +02:00			`Index: openssl-1.0.2b/apps/s_server.c`
			`===================================================================`
			`--- openssl-1.0.2b.orig/apps/s_server.c 2015-06-11 17:28:04.879854931 +0200`
			`+++ openssl-1.0.2b/apps/s_server.c 2015-06-11 17:28:32.040203749 +0200`
			`@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])`
Accepting request 310849 from Base:System - update to 1.0.2a * Major changes since 1.0.1: - Suite B support for TLS 1.2 and DTLS 1.2 - Support for DTLS 1.2 - TLS automatic EC curve selection. - API to set TLS supported signature algorithms and curves - SSL_CONF configuration API. - TLS Brainpool support. - ALPN support. - CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH. - packaging changes: * merged patches modifying CIPHER_LIST into one, dropping: - openssl-1.0.1e-add-suse-default-cipher-header.patch - openssl-libssl-noweakciphers.patch * fix a manpage with invalid name - added openssl-fix_invalid_manpage_name.patch * remove a missing fips function - openssl-missing_FIPS_ec_group_new_by_curve_name.patch * reimported patches from Fedora dropped patches: - openssl-1.0.1c-default-paths.patch - openssl-1.0.1c-ipv6-apps.patch - openssl-1.0.1e-fips-ctor.patch - openssl-1.0.1e-fips-ec.patch - openssl-1.0.1e-fips.patch - openssl-1.0.1e-new-fips-reqs.patch - VIA_padlock_support_on_64systems.patch added patches: - openssl-1.0.2a-default-paths.patch - openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/310849 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=127 2015-06-08 08:25:56 +02:00			`}`
			`#endif`

			`- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) \|\|`
			`- (!SSL_CTX_set_default_verify_paths(ctx))) {`
			`- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */`
			`- ERR_print_errors(bio_err);`
			`- /* goto end; */`
			`+ if (CAfile == NULL && CApath == NULL) {`
			`+ if (!SSL_CTX_set_default_verify_paths(ctx)) {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`+ } else {`
			`+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`}`
			`+`
			`if (vpm)`
			`SSL_CTX_set1_param(ctx, vpm);`

Accepting request 315685 from Base:System - update to 1.0.2d * fixes CVE-2015-1793 (bsc#936746) Alternate chains certificate forgery During certificate verfification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. - drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/315685 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128 2015-07-12 22:51:54 +02:00			`@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])`
Accepting request 310849 from Base:System - update to 1.0.2a * Major changes since 1.0.1: - Suite B support for TLS 1.2 and DTLS 1.2 - Support for DTLS 1.2 - TLS automatic EC curve selection. - API to set TLS supported signature algorithms and curves - SSL_CONF configuration API. - TLS Brainpool support. - ALPN support. - CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH. - packaging changes: * merged patches modifying CIPHER_LIST into one, dropping: - openssl-1.0.1e-add-suse-default-cipher-header.patch - openssl-libssl-noweakciphers.patch * fix a manpage with invalid name - added openssl-fix_invalid_manpage_name.patch * remove a missing fips function - openssl-missing_FIPS_ec_group_new_by_curve_name.patch * reimported patches from Fedora dropped patches: - openssl-1.0.1c-default-paths.patch - openssl-1.0.1c-ipv6-apps.patch - openssl-1.0.1e-fips-ctor.patch - openssl-1.0.1e-fips-ec.patch - openssl-1.0.1e-fips.patch - openssl-1.0.1e-new-fips-reqs.patch - VIA_padlock_support_on_64systems.patch added patches: - openssl-1.0.2a-default-paths.patch - openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/310849 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=127 2015-06-08 08:25:56 +02:00			`else`
			`SSL_CTX_sess_set_cache_size(ctx2, 128);`

			`- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) \|\|`
			`- (!SSL_CTX_set_default_verify_paths(ctx2))) {`
			`+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`+ if (!SSL_CTX_set_default_verify_paths(ctx2)) {`
			`ERR_print_errors(bio_err);`
			`}`
			`if (vpm)`
Accepting request 315685 from Base:System - update to 1.0.2d * fixes CVE-2015-1793 (bsc#936746) Alternate chains certificate forgery During certificate verfification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. - drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/315685 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128 2015-07-12 22:51:54 +02:00			`Index: openssl-1.0.2b/apps/s_time.c`
			`===================================================================`
			`--- openssl-1.0.2b.orig/apps/s_time.c 2015-06-11 17:28:04.879854931 +0200`
			`+++ openssl-1.0.2b/apps/s_time.c 2015-06-11 17:28:32.040203749 +0200`
Accepting request 310849 from Base:System - update to 1.0.2a * Major changes since 1.0.1: - Suite B support for TLS 1.2 and DTLS 1.2 - Support for DTLS 1.2 - TLS automatic EC curve selection. - API to set TLS supported signature algorithms and curves - SSL_CONF configuration API. - TLS Brainpool support. - ALPN support. - CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH. - packaging changes: * merged patches modifying CIPHER_LIST into one, dropping: - openssl-1.0.1e-add-suse-default-cipher-header.patch - openssl-libssl-noweakciphers.patch * fix a manpage with invalid name - added openssl-fix_invalid_manpage_name.patch * remove a missing fips function - openssl-missing_FIPS_ec_group_new_by_curve_name.patch * reimported patches from Fedora dropped patches: - openssl-1.0.1c-default-paths.patch - openssl-1.0.1c-ipv6-apps.patch - openssl-1.0.1e-fips-ctor.patch - openssl-1.0.1e-fips-ec.patch - openssl-1.0.1e-fips.patch - openssl-1.0.1e-new-fips-reqs.patch - VIA_padlock_support_on_64systems.patch added patches: - openssl-1.0.2a-default-paths.patch - openssl-1.0.2a-fips-ctor.patch (forwarded request 309611 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/310849 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=127 2015-06-08 08:25:56 +02:00			`@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)`

			`SSL_load_error_strings();`

			`- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) \|\|`
			`- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {`
			`- /*`
			`- * BIO_printf(bio_err,"error setting default verify locations\n");`
			`- */`
			`- ERR_print_errors(bio_err);`
			`- /* goto end; */`
			`+ if (CAfile == NULL && CApath == NULL) {`
			`+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`+ } else {`
			`+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`}`

			`if (tm_cipher == NULL)`