Accepting request 186710 from Base:System

Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken; Add patch file: SSL_get_certificate-broken.patch (forwarded request 186693 from shawn2012) OBS-URL: https://build.opensuse.org/request/show/186710 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=94
2013-08-13 09:00:53 +00:00 · 2013-08-13 09:00:53 +00:00 · a79c9d166c
commit a79c9d166c
parent 11127842fa
5 changed files with 206 additions and 0 deletions
--- a/SSL_get_certificate-broken.patch
+++ b/SSL_get_certificate-broken.patch
@ -0,0 +1,15 @@
+Index: openssl-1.0.1e/ssl/ssl_lib.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl_lib.c
+++ openssl-1.0.1e/ssl/ssl_lib.c
+@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
+ /* Fix this function so that it takes an optional type parameter */
+ X509 *SSL_get_certificate(const SSL *s)
+ 	{
+-	if (s->server)
+-		return(ssl_get_server_send_cert(s));
+-	else if (s->cert != NULL)
+	if (s->cert != NULL)
+ 		return(s->cert->key->x509);
+ 	else
+ 		return(NULL);
--- a/openssl-1.0.1c-default-paths.patch
+++ b/openssl-1.0.1c-default-paths.patch
@ -0,0 +1,100 @@
+diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
+--- openssl-1.0.1c/apps/s_client.c.default-paths	2012-03-18 19:16:05.000000000 +0100
+++ openssl-1.0.1c/apps/s_client.c	2012-12-06 18:24:06.425933203 +0100
+@@ -1166,12 +1166,19 @@ bad:
+ 	if (!set_cert_key_stuff(ctx,cert,key))
+ 		goto end;
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(ctx)))
+	if (CAfile == NULL && CApath == NULL)
+ 		{
+-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+-		ERR_print_errors(bio_err);
+-		/* goto end; */
+		if (!SSL_CTX_set_default_verify_paths(ctx))
+			{
+			ERR_print_errors(bio_err);
+			}
+		}
+	else
+		{
+		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
+ 		}
+ 
+ #ifndef OPENSSL_NO_TLSEXT
+diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
+--- openssl-1.0.1c/apps/s_server.c.default-paths	2012-03-18 19:16:05.000000000 +0100
+++ openssl-1.0.1c/apps/s_server.c	2012-12-06 18:25:11.199329611 +0100
+@@ -1565,13 +1565,21 @@ bad:
+ 		}
+ #endif
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(ctx)))
+	if (CAfile == NULL && CApath == NULL)
+ 		{
+-		/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+-		ERR_print_errors(bio_err);
+-		/* goto end; */
+		if (!SSL_CTX_set_default_verify_paths(ctx))
+			{
+			ERR_print_errors(bio_err);
+			}
+		}
+	else
+		{
+		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
+ 		}
+
+ 	if (vpm)
+ 		SSL_CTX_set1_param(ctx, vpm);
+ 
+@@ -1622,8 +1630,11 @@ bad:
+ 		else
+ 			SSL_CTX_sess_set_cache_size(ctx2,128);
+ 
+-		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
+-			(!SSL_CTX_set_default_verify_paths(ctx2)))
+		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
+		if (!SSL_CTX_set_default_verify_paths(ctx2))
+ 			{
+ 			ERR_print_errors(bio_err);
+ 			}
+diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
+--- openssl-1.0.1c/apps/s_time.c.default-paths	2006-04-17 14:22:13.000000000 +0200
+++ openssl-1.0.1c/apps/s_time.c	2012-12-06 18:27:41.694574044 +0100
+@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
+ 
+ 	SSL_load_error_strings();
+ 
+-	if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(tm_ctx)))
+	if (CAfile == NULL && CApath == NULL)
+ 		{
+-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+-		ERR_print_errors(bio_err);
+-		/* goto end; */
+		if (!SSL_CTX_set_default_verify_paths(tm_ctx))
+			{
+			ERR_print_errors(bio_err);
+			}
+		}
+	else
+		{
+		if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
+			{
+			ERR_print_errors(bio_err);
+			}
+ 		}
+ 
+ 	if (tm_cipher == NULL)
--- a/openssl-pkgconfig.patch
+++ b/openssl-pkgconfig.patch
@ -0,0 +1,29 @@
+--- openssl-1.0.1e.orig/Makefile.org
+++ openssl-1.0.1e/Makefile.org
+@@ -366,7 +366,7 @@ libcrypto.pc: Makefile
+ 	    echo 'Requires: '; \
+ 	    echo 'Libs: -L$${libdir} -lcrypto'; \
+ 	    echo 'Libs.private: $(EX_LIBS)'; \
+-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+	    echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+ 
+ libssl.pc: Makefile
+ 	@ ( echo 'prefix=$(INSTALLTOP)'; \
+@@ -380,7 +380,7 @@ libssl.pc: Makefile
+ 	    echo 'Requires: '; \
+ 	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
+ 	    echo 'Libs.private: $(EX_LIBS)'; \
+-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+	    echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+ 
+ openssl.pc: Makefile
+ 	@ ( echo 'prefix=$(INSTALLTOP)'; \
+@@ -394,7 +394,7 @@ openssl.pc: Makefile
+ 	    echo 'Requires: '; \
+ 	    echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
+ 	    echo 'Libs.private: $(EX_LIBS)'; \
+-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+	    echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+ 
+ Makefile: Makefile.org Configure config
+ 	@echo "Makefile is older than Makefile.org, Configure or config."
--- a/openssl.changes
+++ b/openssl.changes
@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Mon Aug 12 06:05:03 UTC 2013 - shchang@suse.com
+
+- Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken
+  modify patch file: SSL_get_certificate-broken.patch
+
+-------------------------------------------------------------------
+Fri Aug  9 23:24:14 UTC 2013 - crrodriguez@opensuse.org
+
+- Via padlock is only found in x86 and x86_64 CPUs, remove 
+  the shared module for other archs.
+
+-------------------------------------------------------------------
+Wed Aug  7 18:30:45 UTC 2013 - crrodriguez@opensuse.org
+
+- Cleanup engines that are of no use in a modern linux distro
+- The following engines stay:
+* libcapi.so --> usable in case you have third party /dev/crypto
+* libgmp.so --> may help to doing some maths using GMP
+* libgost.so --> implements the GOST block cipher
+* libpadlock.so --> VIA padlock support
+- Al other are removed because they require third party propietary 
+ shared libraries nowhere to be found or that we can test.
+
+-------------------------------------------------------------------
+Wed Aug  7 18:30:23 UTC 2013 - crrodriguez@opensuse.org
+
+- openssl-pkgconfig.patch: Here we go.. For applications 
+to benefit fully of features provided by openSSL engines 
+(rdrand, aes-ni..etc) either builtin or in DSO form applications 
+have to call ENGINE_load_builtin_engines() or OPENSSL_config()
+unfortunately from a total of 68 apps/libraries linked to libcrypto
+in a desktop system, only 4 do so, and there is a sea of buggy
+code that I dont feel like fixing.
+Instead we can pass -DOPENSSL_LOAD_CONF in the pkgconfig files
+so the needed operation becomes implicit the next time such apps
+are recompiled, see OPENSSL_config(3)
+Unfortunately this does not fix everything, because there are apps
+not using pkgconfig or using it incorrectly, but it is a good start.
+
+-------------------------------------------------------------------
+Wed Aug  7 09:33:55 UTC 2013 - dmueller@suse.com
+
+- add openssl-1.0.1c-default-paths.patch:
+  Fix from Fedora for openssl s_client not setting 
+  CApath by default
+
 -------------------------------------------------------------------
 Sat Aug  3 21:15:07 UTC 2013 - crrodriguez@opensuse.org

--- a/openssl.spec
+++ b/openssl.spec
@ -51,6 +51,9 @@ Patch5:         openssl-fix-pod-syntax.diff
 Patch6:         openssl-1.0.1e-truststore.diff
 Patch7:         compression_methods_switch.patch
 Patch8:         0005-libssl-Hide-library-private-symbols.patch
+Patch9:         openssl-1.0.1c-default-paths.patch
+Patch10:        openssl-pkgconfig.patch
+Patch11:        SSL_get_certificate-broken.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -135,6 +138,10 @@ this package's base documentation.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
@ -327,6 +334,14 @@ cd $RPM_BUILD_ROOT%{_libdir}/
 ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
 ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so

+for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
+rm %{buildroot}/%{_lib}/engines/lib$engine.so
+done
+
+%ifnarch %{ix86} x86_64
+rm %{buildroot}/%{_lib}/engines/libpadlock.so
+%endif
+
 %clean
 if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi