pool/openssl
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 186710 from Base:System

Browse Source 
Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken; Add patch file: SSL_get_certificate-broken.patch (forwarded request 186693 from shawn2012)

OBS-URL: https://build.opensuse.org/request/show/186710
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=94
This commit is contained in:
Tomáš Chvátal 2013-08-13 09:00:53 +00:00 committed by Git OBS Bridge
parent 11127842fa
commit a79c9d166c
5 changed files with 206 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
SSL_get_certificate-broken.patch Normal file
View File

@ -0,0 +1,15 @@
Index: openssl-1.0.1e/ssl/ssl_lib.c
===================================================================
--- openssl-1.0.1e.orig/ssl/ssl_lib.c
+++ openssl-1.0.1e/ssl/ssl_lib.c
@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
/* Fix this function so that it takes an optional type parameter */
X509 *SSL_get_certificate(const SSL *s)
{
- if (s->server)
- return(ssl_get_server_send_cert(s));
- else if (s->cert != NULL)
+ if (s->cert != NULL)
return(s->cert->key->x509);
else
return(NULL);

100
openssl-1.0.1c-default-paths.patch Normal file
View File

@ -0,0 +1,100 @@
diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
--- openssl-1.0.1c/apps/s_client.c.default-paths 2012-03-18 19:16:05.000000000 +0100
+++ openssl-1.0.1c/apps/s_client.c 2012-12-06 18:24:06.425933203 +0100
@@ -1166,12 +1166,19 @@ bad:
if (!set_cert_key_stuff(ctx,cert,key))
goto end;
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx)))
+ if (CAfile == NULL && CApath == NULL)
{
- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (!SSL_CTX_set_default_verify_paths(ctx))
+ {
+ ERR_print_errors(bio_err);
+ }
+ }
+ else
+ {
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+ {
+ ERR_print_errors(bio_err);
+ }
}
#ifndef OPENSSL_NO_TLSEXT
diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
--- openssl-1.0.1c/apps/s_server.c.default-paths 2012-03-18 19:16:05.000000000 +0100
+++ openssl-1.0.1c/apps/s_server.c 2012-12-06 18:25:11.199329611 +0100
@@ -1565,13 +1565,21 @@ bad:
}
#endif
- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx)))
+ if (CAfile == NULL && CApath == NULL)
{
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (!SSL_CTX_set_default_verify_paths(ctx))
+ {
+ ERR_print_errors(bio_err);
+ }
+ }
+ else
+ {
+ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+ {
+ ERR_print_errors(bio_err);
+ }
}
+
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
@@ -1622,8 +1630,11 @@ bad:
else
SSL_CTX_sess_set_cache_size(ctx2,128);
- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx2)))
+ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
+ {
+ ERR_print_errors(bio_err);
+ }
+ if (!SSL_CTX_set_default_verify_paths(ctx2))
{
ERR_print_errors(bio_err);
}
diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
--- openssl-1.0.1c/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
+++ openssl-1.0.1c/apps/s_time.c 2012-12-06 18:27:41.694574044 +0100
@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings();
- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
+ if (CAfile == NULL && CApath == NULL)
{
- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
+ {
+ ERR_print_errors(bio_err);
+ }
+ }
+ else
+ {
+ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
+ {
+ ERR_print_errors(bio_err);
+ }
}
if (tm_cipher == NULL)

29
openssl-pkgconfig.patch Normal file
View File

@ -0,0 +1,29 @@
--- openssl-1.0.1e.orig/Makefile.org
+++ openssl-1.0.1e/Makefile.org
@@ -366,7 +366,7 @@ libcrypto.pc: Makefile
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
libssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -380,7 +380,7 @@ libssl.pc: Makefile
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
openssl.pc: Makefile
@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -394,7 +394,7 @@ openssl.pc: Makefile
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
Makefile: Makefile.org Configure config
@echo "Makefile is older than Makefile.org, Configure or config."

47
openssl.changes
View File

@ -1,3 +1,50 @@
-------------------------------------------------------------------
Mon Aug 12 06:05:03 UTC 2013 - shchang@suse.com
- Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken
modify patch file: SSL_get_certificate-broken.patch
-------------------------------------------------------------------
Fri Aug 9 23:24:14 UTC 2013 - crrodriguez@opensuse.org
- Via padlock is only found in x86 and x86_64 CPUs, remove
the shared module for other archs.
-------------------------------------------------------------------
Wed Aug 7 18:30:45 UTC 2013 - crrodriguez@opensuse.org
- Cleanup engines that are of no use in a modern linux distro
- The following engines stay:
* libcapi.so --> usable in case you have third party /dev/crypto
* libgmp.so --> may help to doing some maths using GMP
* libgost.so --> implements the GOST block cipher
* libpadlock.so --> VIA padlock support
- Al other are removed because they require third party propietary
shared libraries nowhere to be found or that we can test.
-------------------------------------------------------------------
Wed Aug 7 18:30:23 UTC 2013 - crrodriguez@opensuse.org
- openssl-pkgconfig.patch: Here we go.. For applications
to benefit fully of features provided by openSSL engines
(rdrand, aes-ni..etc) either builtin or in DSO form applications
have to call ENGINE_load_builtin_engines() or OPENSSL_config()
unfortunately from a total of 68 apps/libraries linked to libcrypto
in a desktop system, only 4 do so, and there is a sea of buggy
code that I dont feel like fixing.
Instead we can pass -DOPENSSL_LOAD_CONF in the pkgconfig files
so the needed operation becomes implicit the next time such apps
are recompiled, see OPENSSL_config(3)
Unfortunately this does not fix everything, because there are apps
not using pkgconfig or using it incorrectly, but it is a good start.
-------------------------------------------------------------------
Wed Aug 7 09:33:55 UTC 2013 - dmueller@suse.com
- add openssl-1.0.1c-default-paths.patch:
Fix from Fedora for openssl s_client not setting
CApath by default
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Aug 3 21:15:07 UTC 2013 - crrodriguez@opensuse.org Sat Aug 3 21:15:07 UTC 2013 - crrodriguez@opensuse.org

15
openssl.spec
View File

@ -51,6 +51,9 @@ Patch5: openssl-fix-pod-syntax.diff
Patch6: openssl-1.0.1e-truststore.diff Patch6: openssl-1.0.1e-truststore.diff
Patch7: compression_methods_switch.patch Patch7: compression_methods_switch.patch
Patch8: 0005-libssl-Hide-library-private-symbols.patch Patch8: 0005-libssl-Hide-library-private-symbols.patch
Patch9: openssl-1.0.1c-default-paths.patch
Patch10: openssl-pkgconfig.patch
Patch11: SSL_get_certificate-broken.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description %description
@ -135,6 +138,10 @@ this package's base documentation.
%patch6 -p1 %patch6 -p1
%patch7 -p1 %patch7 -p1
%patch8 -p1 %patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
cp -p %{S:10} . cp -p %{S:10} .
echo "adding/overwriting some entries in the 'table' hash in Configure" echo "adding/overwriting some entries in the 'table' hash in Configure"
# $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
@ -327,6 +334,14 @@ cd $RPM_BUILD_ROOT%{_libdir}/
ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
rm %{buildroot}/%{_lib}/engines/lib$engine.so
done
%ifnarch %{ix86} x86_64
rm %{buildroot}/%{_lib}/engines/libpadlock.so
%endif
%clean %clean
if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi