openssl/openssl-1.0.1c-default-paths.patch

Index: openssl-1.0.1g/apps/s_client.c
===================================================================
--- openssl-1.0.1g.orig/apps/s_client.c
+++ openssl-1.0.1g/apps/s_client.c
@@ -1174,12 +1174,19 @@ bad:
 	if (!set_cert_key_stuff(ctx,cert,key))
 		goto end;
 
-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-		(!SSL_CTX_set_default_verify_paths(ctx)))
+	if (CAfile == NULL && CApath == NULL)
 		{
-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
-		ERR_print_errors(bio_err);
-		/* goto end; */
+		if (!SSL_CTX_set_default_verify_paths(ctx))
+			{
+			ERR_print_errors(bio_err);
+			}
+		}
+	else
+		{
+		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
 		}
 
 #ifndef OPENSSL_NO_TLSEXT
Index: openssl-1.0.1g/apps/s_server.c
===================================================================
--- openssl-1.0.1g.orig/apps/s_server.c
+++ openssl-1.0.1g/apps/s_server.c
@@ -1572,13 +1572,21 @@ bad:
 		}
 #endif
 
-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
-		(!SSL_CTX_set_default_verify_paths(ctx)))
+	if (CAfile == NULL && CApath == NULL)
 		{
-		/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
-		ERR_print_errors(bio_err);
-		/* goto end; */
+		if (!SSL_CTX_set_default_verify_paths(ctx))
+			{
+			ERR_print_errors(bio_err);
+			}
+		}
+	else
+		{
+		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
 		}
+
 	if (vpm)
 		SSL_CTX_set1_param(ctx, vpm);
 
@@ -1629,8 +1637,11 @@ bad:
 		else
 			SSL_CTX_sess_set_cache_size(ctx2,128);
 
-		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
-			(!SSL_CTX_set_default_verify_paths(ctx2)))
+		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
+		if (!SSL_CTX_set_default_verify_paths(ctx2))
 			{
 			ERR_print_errors(bio_err);
 			}
Index: openssl-1.0.1g/apps/s_time.c
===================================================================
--- openssl-1.0.1g.orig/apps/s_time.c
+++ openssl-1.0.1g/apps/s_time.c
@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
 
 	SSL_load_error_strings();
 
-	if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
-		(!SSL_CTX_set_default_verify_paths(tm_ctx)))
+	if (CAfile == NULL && CApath == NULL)
 		{
-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
-		ERR_print_errors(bio_err);
-		/* goto end; */
+		if (!SSL_CTX_set_default_verify_paths(tm_ctx))
+			{
+			ERR_print_errors(bio_err);
+			}
+		}
+	else
+		{
+		if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
 		}
 
 	if (tm_cipher == NULL)
Accepting request 229370 from Base:System - update to 1.0.1g: * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299) * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945) * Workaround for the "TLS hang bug" (see FAQ and PR#2771) - remove CVE-2014-0076.patch - openssl.keyring: upstream changed to: pub 4096R/FA40E9E2 2005-03-19 Dr Stephen N Henson <steve@openssl.org> uid Dr Stephen Henson <shenson@drh-consultancy.co.uk> uid Dr Stephen Henson <shenson@opensslfoundation.com> OBS-URL: https://build.opensuse.org/request/show/229370 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=110 2014-04-09 18:17:23 +02:00			`Index: openssl-1.0.1g/apps/s_client.c`
			`===================================================================`
			`--- openssl-1.0.1g.orig/apps/s_client.c`
			`+++ openssl-1.0.1g/apps/s_client.c`
			`@@ -1174,12 +1174,19 @@ bad:`
Accepting request 186710 from Base:System Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken; Add patch file: SSL_get_certificate-broken.patch (forwarded request 186693 from shawn2012) OBS-URL: https://build.opensuse.org/request/show/186710 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=94 2013-08-13 11:00:53 +02:00			`if (!set_cert_key_stuff(ctx,cert,key))`
			`goto end;`

			`- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) \|\|`
			`- (!SSL_CTX_set_default_verify_paths(ctx)))`
			`+ if (CAfile == NULL && CApath == NULL)`
			`{`
			`- /* BIO_printf(bio_err,"error setting default verify locations\n"); */`
			`- ERR_print_errors(bio_err);`
			`- /* goto end; */`
			`+ if (!SSL_CTX_set_default_verify_paths(ctx))`
			`+ {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`+ }`
			`+ else`
			`+ {`
			`+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))`
			`+ {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`}`

			`#ifndef OPENSSL_NO_TLSEXT`
Accepting request 229370 from Base:System - update to 1.0.1g: * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299) * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945) * Workaround for the "TLS hang bug" (see FAQ and PR#2771) - remove CVE-2014-0076.patch - openssl.keyring: upstream changed to: pub 4096R/FA40E9E2 2005-03-19 Dr Stephen N Henson <steve@openssl.org> uid Dr Stephen Henson <shenson@drh-consultancy.co.uk> uid Dr Stephen Henson <shenson@opensslfoundation.com> OBS-URL: https://build.opensuse.org/request/show/229370 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=110 2014-04-09 18:17:23 +02:00			`Index: openssl-1.0.1g/apps/s_server.c`
			`===================================================================`
			`--- openssl-1.0.1g.orig/apps/s_server.c`
			`+++ openssl-1.0.1g/apps/s_server.c`
			`@@ -1572,13 +1572,21 @@ bad:`
Accepting request 186710 from Base:System Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken; Add patch file: SSL_get_certificate-broken.patch (forwarded request 186693 from shawn2012) OBS-URL: https://build.opensuse.org/request/show/186710 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=94 2013-08-13 11:00:53 +02:00			`}`
			`#endif`

			`- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) \|\|`
			`- (!SSL_CTX_set_default_verify_paths(ctx)))`
			`+ if (CAfile == NULL && CApath == NULL)`
			`{`
			`- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */`
			`- ERR_print_errors(bio_err);`
			`- /* goto end; */`
			`+ if (!SSL_CTX_set_default_verify_paths(ctx))`
			`+ {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`+ }`
			`+ else`
			`+ {`
			`+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))`
			`+ {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`}`
			`+`
			`if (vpm)`
			`SSL_CTX_set1_param(ctx, vpm);`

Accepting request 229370 from Base:System - update to 1.0.1g: * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299) * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945) * Workaround for the "TLS hang bug" (see FAQ and PR#2771) - remove CVE-2014-0076.patch - openssl.keyring: upstream changed to: pub 4096R/FA40E9E2 2005-03-19 Dr Stephen N Henson <steve@openssl.org> uid Dr Stephen Henson <shenson@drh-consultancy.co.uk> uid Dr Stephen Henson <shenson@opensslfoundation.com> OBS-URL: https://build.opensuse.org/request/show/229370 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=110 2014-04-09 18:17:23 +02:00			`@@ -1629,8 +1637,11 @@ bad:`
Accepting request 186710 from Base:System Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken; Add patch file: SSL_get_certificate-broken.patch (forwarded request 186693 from shawn2012) OBS-URL: https://build.opensuse.org/request/show/186710 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=94 2013-08-13 11:00:53 +02:00			`else`
			`SSL_CTX_sess_set_cache_size(ctx2,128);`

			`- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) \|\|`
			`- (!SSL_CTX_set_default_verify_paths(ctx2)))`
			`+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))`
			`+ {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`+ if (!SSL_CTX_set_default_verify_paths(ctx2))`
			`{`
			`ERR_print_errors(bio_err);`
			`}`
Accepting request 229370 from Base:System - update to 1.0.1g: * fix for critical TLS heartbeat read overrun (CVE-2014-0160) (bnc#872299) * Fix for Recovering OpenSSL ECDSA Nonces (CVE-2014-0076) (bnc#869945) * Workaround for the "TLS hang bug" (see FAQ and PR#2771) - remove CVE-2014-0076.patch - openssl.keyring: upstream changed to: pub 4096R/FA40E9E2 2005-03-19 Dr Stephen N Henson <steve@openssl.org> uid Dr Stephen Henson <shenson@drh-consultancy.co.uk> uid Dr Stephen Henson <shenson@opensslfoundation.com> OBS-URL: https://build.opensuse.org/request/show/229370 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=110 2014-04-09 18:17:23 +02:00			`Index: openssl-1.0.1g/apps/s_time.c`
			`===================================================================`
			`--- openssl-1.0.1g.orig/apps/s_time.c`
			`+++ openssl-1.0.1g/apps/s_time.c`
Accepting request 186710 from Base:System Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken; Add patch file: SSL_get_certificate-broken.patch (forwarded request 186693 from shawn2012) OBS-URL: https://build.opensuse.org/request/show/186710 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=94 2013-08-13 11:00:53 +02:00			`@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)`

			`SSL_load_error_strings();`

			`- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) \|\|`
			`- (!SSL_CTX_set_default_verify_paths(tm_ctx)))`
			`+ if (CAfile == NULL && CApath == NULL)`
			`{`
			`- /* BIO_printf(bio_err,"error setting default verify locations\n"); */`
			`- ERR_print_errors(bio_err);`
			`- /* goto end; */`
			`+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))`
			`+ {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`+ }`
			`+ else`
			`+ {`
			`+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))`
			`+ {`
			`+ ERR_print_errors(bio_err);`
			`+ }`
			`}`

			`if (tm_cipher == NULL)`