openssl/openssl-1.0.2a-default-paths.patch
Stephan Kulow 7f772876ff Accepting request 315685 from Base:System
- update to 1.0.2d
  * fixes CVE-2015-1793 (bsc#936746)
  Alternate chains certificate forgery
     During certificate verfification, OpenSSL will attempt to find an
     alternative certificate chain if the first attempt to build such a chain
     fails. An error in the implementation of this logic can mean that an
     attacker could cause certain checks on untrusted certificates to be
     bypassed, such as the CA flag, enabling them to use a valid leaf
     certificate to act as a CA and "issue" an invalid certificate.
- drop openssl-fix_invalid_manpage_name.patch (upstream) (forwarded request 315682 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/315685
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=128
2015-07-12 20:51:54 +00:00

81 lines
2.9 KiB
Diff

Index: openssl-1.0.2b/apps/s_client.c
===================================================================
--- openssl-1.0.2b.orig/apps/s_client.c 2015-06-11 17:28:32.039203737 +0200
+++ openssl-1.0.2b/apps/s_client.c 2015-06-11 17:39:40.138741521 +0200
@@ -1346,10 +1346,6 @@ int MAIN(int argc, char **argv)
ERR_print_errors(bio_err);
}
- ssl_ctx_add_crls(ctx, crls, crl_download);
- if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
- goto end;
-
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL) {
tlsextcbp.biodebug = bio_err;
Index: openssl-1.0.2b/apps/s_server.c
===================================================================
--- openssl-1.0.2b.orig/apps/s_server.c 2015-06-11 17:28:04.879854931 +0200
+++ openssl-1.0.2b/apps/s_server.c 2015-06-11 17:28:32.040203749 +0200
@@ -1788,12 +1788,16 @@ int MAIN(int argc, char *argv[])
}
#endif
- if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx))) {
- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
+
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
@@ -1850,8 +1854,10 @@ int MAIN(int argc, char *argv[])
else
SSL_CTX_sess_set_cache_size(ctx2, 128);
- if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(ctx2))) {
+ if (!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
+ if (!SSL_CTX_set_default_verify_paths(ctx2)) {
ERR_print_errors(bio_err);
}
if (vpm)
Index: openssl-1.0.2b/apps/s_time.c
===================================================================
--- openssl-1.0.2b.orig/apps/s_time.c 2015-06-11 17:28:04.879854931 +0200
+++ openssl-1.0.2b/apps/s_time.c 2015-06-11 17:28:32.040203749 +0200
@@ -381,13 +381,14 @@ int MAIN(int argc, char **argv)
SSL_load_error_strings();
- if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(tm_ctx))) {
- /*
- * BIO_printf(bio_err,"error setting default verify locations\n");
- */
- ERR_print_errors(bio_err);
- /* goto end; */
+ if (CAfile == NULL && CApath == NULL) {
+ if (!SSL_CTX_set_default_verify_paths(tm_ctx)) {
+ ERR_print_errors(bio_err);
+ }
+ } else {
+ if (!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) {
+ ERR_print_errors(bio_err);
+ }
}
if (tm_cipher == NULL)