7f772876ff
- update to 1.0.2d * fixes CVE-2015-1793 (bsc#936746) Alternate chains certificate forgery During certificate verfification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. - drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek) OBS-URL: https://build.opensuse.org/request/show/315685 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128
81 lines
2.9 KiB
Diff
81 lines
2.9 KiB
Diff
Index: openssl-1.0.2b/apps/s_client.c
|
|
===================================================================
|
|
--- openssl-1.0.2b.orig/apps/s_client.c 2015-06-11 17:28:32.039203737 +0200
|
|
+++ openssl-1.0.2b/apps/s_client.c 2015-06-11 17:39:40.138741521 +0200
|
|
@@ -1346,10 +1346,6 @@ int MAIN(int argc, char **argv)
|
|
ERR_print_errors(bio_err);
|
|
}
|
|
|
|
- ssl_ctx_add_crls(ctx, crls, crl_download);
|
|
- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
|
|
- goto end;
|
|
-
|
|
#ifndef OPENSSL_NO_TLSEXT
|
|
if (servername != NULL) {
|
|
tlsextcbp.biodebug = bio_err;
|
|
Index: openssl-1.0.2b/apps/s_server.c
|
|
===================================================================
|
|
--- openssl-1.0.2b.orig/apps/s_server.c 2015-06-11 17:28:04.879854931 +0200
|
|
+++ openssl-1.0.2b/apps/s_server.c 2015-06-11 17:28:32.040203749 +0200
|
|
@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
|
|
}
|
|
#endif
|
|
|
|
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
|
|
- (!SSL_CTX_set_default_verify_paths(ctx))) {
|
|
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
|
|
- ERR_print_errors(bio_err);
|
|
- /* goto end; */
|
|
+ if (CAfile == NULL && CApath == NULL) {
|
|
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
|
|
+ ERR_print_errors(bio_err);
|
|
+ }
|
|
+ } else {
|
|
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
|
|
+ ERR_print_errors(bio_err);
|
|
+ }
|
|
}
|
|
+
|
|
if (vpm)
|
|
SSL_CTX_set1_param(ctx, vpm);
|
|
|
|
@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
|
|
else
|
|
SSL_CTX_sess_set_cache_size(ctx2, 128);
|
|
|
|
- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
|
|
- (!SSL_CTX_set_default_verify_paths(ctx2))) {
|
|
+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
|
|
+ ERR_print_errors(bio_err);
|
|
+ }
|
|
+ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
|
|
ERR_print_errors(bio_err);
|
|
}
|
|
if (vpm)
|
|
Index: openssl-1.0.2b/apps/s_time.c
|
|
===================================================================
|
|
--- openssl-1.0.2b.orig/apps/s_time.c 2015-06-11 17:28:04.879854931 +0200
|
|
+++ openssl-1.0.2b/apps/s_time.c 2015-06-11 17:28:32.040203749 +0200
|
|
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
|
|
|
|
SSL_load_error_strings();
|
|
|
|
- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
|
|
- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
|
|
- /*
|
|
- * BIO_printf(bio_err,"error setting default verify locations\n");
|
|
- */
|
|
- ERR_print_errors(bio_err);
|
|
- /* goto end; */
|
|
+ if (CAfile == NULL && CApath == NULL) {
|
|
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
|
|
+ ERR_print_errors(bio_err);
|
|
+ }
|
|
+ } else {
|
|
+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
|
|
+ ERR_print_errors(bio_err);
|
|
+ }
|
|
}
|
|
|
|
if (tm_cipher == NULL)
|