From a79c9d166c5e1bf970f89d3b08672317848bf52a21142ac78ca6151e6e003dfb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?=
Date: Tue, 13 Aug 2013 09:00:53 +0000
Subject: [PATCH] Accepting request 186710 from Base:System
Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken; Add patch file: SSL_get_certificate-broken.patch (forwarded request 186693 from shawn2012)
OBS-URL: https://build.opensuse.org/request/show/186710
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openssl?expand=0&rev=94
---
SSL_get_certificate-broken.patch | 15 +++++
openssl-1.0.1c-default-paths.patch | 100 +++++++++++++++++++++++++++++
openssl-pkgconfig.patch | 29 +++++++++
openssl.changes | 47 ++++++++++++++
openssl.spec | 15 +++++
5 files changed, 206 insertions(+)
create mode 100644 SSL_get_certificate-broken.patch
create mode 100644 openssl-1.0.1c-default-paths.patch
create mode 100644 openssl-pkgconfig.patch
diff --git a/SSL_get_certificate-broken.patch b/SSL_get_certificate-broken.patch
new file mode 100644
index 0000000..f74a976
--- /dev/null
+++ b/SSL_get_certificate-broken.patch
@@ -0,0 +1,15 @@
+Index: openssl-1.0.1e/ssl/ssl_lib.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl_lib.c
++++ openssl-1.0.1e/ssl/ssl_lib.c
+@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
+ /* Fix this function so that it takes an optional type parameter */
+ X509 *SSL_get_certificate(const SSL *s)
+ {
+- if (s->server)
+- return(ssl_get_server_send_cert(s));
+- else if (s->cert != NULL)
++ if (s->cert != NULL)
+ return(s->cert->key->x509);
+ else
+ return(NULL);
diff --git a/openssl-1.0.1c-default-paths.patch b/openssl-1.0.1c-default-paths.patch
new file mode 100644
index 0000000..beb9875
--- /dev/null
+++ b/openssl-1.0.1c-default-paths.patch
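Review bot: The new patch changes what SSL_get_certificate() returns for a server without saying so anywhere: after the hunk the server side no longer goes through `ssl_get_server_send_cert(s)` and always returns `s->cert->key->x509`, the currently selected key slot, so any caller that invoked it from a server-side callback and relied on the cipher-dependent selection will now see a different certificate. The patch file has no header line, and the retained comment `/* Fix this function so that it takes an optional type parameter */` now reads as a stale TODO next to the simplified body. A one-line header such as `bnc#832833: make the server path of SSL_get_certificate() return s->cert->key->x509 like the client path; the previous ssl_get_server_send_cert() route presumably interfered with ssl_set_cert_masks() — confirm against the bug` would let the next maintainer judge whether the patch can be dropped once an equivalent upstream fix lands (upstream commit id: <UPSTREAM-COMMIT placeholder>). The closing brace of SSL_get_certificate lies past the end of the inner hunk.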
@@ -0,0 +1,100 @@
+diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
+--- openssl-1.0.1c/apps/s_client.c.default-paths 2012-03-18 19:16:05.000000000 +0100
++++ openssl-1.0.1c/apps/s_client.c 2012-12-06 18:24:06.425933203 +0100
+@@ -1166,12 +1166,19 @@ bad:
+ if (!set_cert_key_stuff(ctx,cert,key))
+ goto end;
+ 
+- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx)))
++ if (CAfile == NULL && CApath == NULL)
+ {
+- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (!SSL_CTX_set_default_verify_paths(ctx))
++ {
++ ERR_print_errors(bio_err);
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
+ }
+ 
+ #ifndef OPENSSL_NO_TLSEXT
+diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
+--- openssl-1.0.1c/apps/s_server.c.default-paths 2012-03-18 19:16:05.000000000 +0100
++++ openssl-1.0.1c/apps/s_server.c 2012-12-06 18:25:11.199329611 +0100
+@@ -1565,13 +1565,21 @@ bad:
+ }
+ #endif
+ 
+- if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx)))
++ if (CAfile == NULL && CApath == NULL)
+ {
+- /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (!SSL_CTX_set_default_verify_paths(ctx))
++ {
++ ERR_print_errors(bio_err);
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
+ }
++
+ if (vpm)
+ SSL_CTX_set1_param(ctx, vpm);
+ 
+@@ -1622,8 +1630,11 @@ bad:
+ else
+ SSL_CTX_sess_set_cache_size(ctx2,128);
+ 
+- if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(ctx2)))
++ if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
++ if (!SSL_CTX_set_default_verify_paths(ctx2))
+ {
+ ERR_print_errors(bio_err);
+ }
+diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
+--- openssl-1.0.1c/apps/s_time.c.default-paths 2006-04-17 14:22:13.000000000 +0200
++++ openssl-1.0.1c/apps/s_time.c 2012-12-06 18:27:41.694574044 +0100
+@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
+ 
+ SSL_load_error_strings();
+ 
+- if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
+- (!SSL_CTX_set_default_verify_paths(tm_ctx)))
++ if (CAfile == NULL && CApath == NULL)
+ {
+- /* BIO_printf(bio_err,"error setting default verify locations\n"); */
+- ERR_print_errors(bio_err);
+- /* goto end; */
++ if (!SSL_CTX_set_default_verify_paths(tm_ctx))
++ {
++ ERR_print_errors(bio_err);
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
++ {
++ ERR_print_errors(bio_err);
++ }
+ }
+ 
+ if (tm_cipher == NULL)
diff --git a/openssl-pkgconfig.patch b/openssl-pkgconfig.patch
new file mode 100644
index 0000000..ca6a819
--- /dev/null
+++ b/openssl-pkgconfig.patch
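Review bot: The second s_server.c hunk (the `ctx2` context at inner line 1622) is not brought in line with the other three sites: it calls `SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)` unconditionally and then `SSL_CTX_set_default_verify_paths(ctx2)`, whereas the `ctx` and `tm_ctx` sites now branch on `CAfile == NULL && CApath == NULL`. With no -CAfile/-CApath given, the load call on `ctx2` is made with two NULL locations, which fails and prints an error through ERR_print_errors on every run even though the default paths are then set correctly, and the two contexts of the same server end up configured by different rules. The `ctx2` site should mirror the `ctx` site so both contexts behave identically; the rewritten lines are below. The enclosing MAIN functions of all three programs start and end outside the inner hunks.
```c
	/* … unchanged: SSL_CTX_sess_set_cache_size(ctx2,128); … */
	if (CAfile == NULL && CApath == NULL)
		{
		if (!SSL_CTX_set_default_verify_paths(ctx2))
			{
			ERR_print_errors(bio_err);
			}
		}
	else
		{
		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
			{
			ERR_print_errors(bio_err);
			}
		}
```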
@@ -0,0 +1,29 @@
+--- openssl-1.0.1e.orig/Makefile.org
++++ openssl-1.0.1e/Makefile.org
+@@ -366,7 +366,7 @@ libcrypto.pc: Makefile
+ echo 'Requires: '; \
+ echo 'Libs: -L$${libdir} -lcrypto'; \
+ echo 'Libs.private: $(EX_LIBS)'; \
+- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
++ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+ 
+ libssl.pc: Makefile
+ @ ( echo 'prefix=$(INSTALLTOP)'; \
+@@ -380,7 +380,7 @@ libssl.pc: Makefile
+ echo 'Requires: '; \
+ echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
+ echo 'Libs.private: $(EX_LIBS)'; \
+- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
++ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+ 
+ openssl.pc: Makefile
+ @ ( echo 'prefix=$(INSTALLTOP)'; \
+@@ -394,7 +394,7 @@ openssl.pc: Makefile
+ echo 'Requires: '; \
+ echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
+ echo 'Libs.private: $(EX_LIBS)'; \
+- echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
++ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+ 
+ Makefile: Makefile.org Configure config
+ @echo "Makefile is older than Makefile.org, Configure or config."
diff --git a/openssl.changes b/openssl.changes
index 3db9cf6..b8992ea 100644
--- a/openssl.changes
+++ b/openssl.changes
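Review bot: Exporting `-DOPENSSL_LOAD_CONF` through the Cflags of all three .pc files changes the runtime behaviour of every consumer that is recompiled against them — the OpenSSL_add_all_algorithms() macro then goes through OPENSSL_config(NULL), so those programs start reading the system openssl.cnf and whatever engine section it names, with the file location overridable by the OPENSSL_CONF environment variable per OPENSSL_config(3) — yet the patch itself carries no header explaining this. That is a trust-boundary change for the consumers, not just a convenience: a program that never called OPENSSL_config() now loads configuration (and possibly engine DSOs) chosen by its environment, and on the 1.0.1 line a malformed configuration file causes OPENSSL_config() to report the error and terminate the process rather than return, if I recall the conf_sap.c behaviour correctly — worth verifying before relying on it for daemons. Whether 1.0.1 ignores OPENSSL_CONF for set-user-ID processes should be checked as well, since the flag now applies to any such binary that picks up these Cflags. A leading comment in the patch, e.g. `# Inject -DOPENSSL_LOAD_CONF so OpenSSL_add_all_algorithms() also runs OPENSSL_config(); consumers then honour openssl.cnf/OPENSSL_CONF on recompile — see openssl.changes`, would make the intent and the consequence reviewable from the patch alone.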
@@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Mon Aug 12 06:05:03 UTC 2013 - shchang@suse.com
+
+- Fix bug[ bnc#832833] openssl ssl_set_cert_masks() is broken
+ modify patch file: SSL_get_certificate-broken.patch
+
+-------------------------------------------------------------------
+Fri Aug 9 23:24:14 UTC 2013 - crrodriguez@opensuse.org
+
+- Via padlock is only found in x86 and x86_64 CPUs, remove
+ the shared module for other archs.
+
+-------------------------------------------------------------------
+Wed Aug 7 18:30:45 UTC 2013 - crrodriguez@opensuse.org
+
+- Cleanup engines that are of no use in a modern linux distro
+- The following engines stay:
+* libcapi.so --> usable in case you have third party /dev/crypto
+* libgmp.so --> may help to doing some maths using GMP
+* libgost.so --> implements the GOST block cipher
+* libpadlock.so --> VIA padlock support
+- Al other are removed because they require third party propietary
+ shared libraries nowhere to be found or that we can test.
+
+-------------------------------------------------------------------
+Wed Aug 7 18:30:23 UTC 2013 - crrodriguez@opensuse.org
+
+- openssl-pkgconfig.patch: Here we go.. For applications
+to benefit fully of features provided by openSSL engines
+(rdrand, aes-ni..etc) either builtin or in DSO form applications
+have to call ENGINE_load_builtin_engines() or OPENSSL_config()
+unfortunately from a total of 68 apps/libraries linked to libcrypto
+in a desktop system, only 4 do so, and there is a sea of buggy
+code that I dont feel like fixing.
+Instead we can pass -DOPENSSL_LOAD_CONF in the pkgconfig files
+so the needed operation becomes implicit the next time such apps
+are recompiled, see OPENSSL_config(3)
+Unfortunately this does not fix everything, because there are apps
+not using pkgconfig or using it incorrectly, but it is a good start.
+
+-------------------------------------------------------------------
+Wed Aug 7 09:33:55 UTC 2013 - dmueller@suse.com
+
+- add openssl-1.0.1c-default-paths.patch:
+ Fix from Fedora for openssl s_client not setting
+ CApath by default
+
 -------------------------------------------------------------------
 Sat Aug 3 21:15:07 UTC 2013 - crrodriguez@opensuse.org
 
diff --git a/openssl.spec b/openssl.spec
index f33cc1c..5fc4eef 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -51,6 +51,9 @@ Patch5: openssl-fix-pod-syntax.diff
 Patch6: openssl-1.0.1e-truststore.diff
 Patch7: compression_methods_switch.patch
 Patch8: 0005-libssl-Hide-library-private-symbols.patch
+Patch9: openssl-1.0.1c-default-paths.patch
+Patch10: openssl-pkgconfig.patch
+Patch11: SSL_get_certificate-broken.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -135,6 +138,10 @@ this package's base documentation.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
+%patch11 -p1
+
 cp -p %{S:10} .
 echo "adding/overwriting some entries in the 'table' hash in Configure"
 # $dso_scheme:$shared_target:$shared_cflag:$shared_ldflag:$shared_extension:$ranlib:$arflags
@@ -327,6 +334,14 @@ cd $RPM_BUILD_ROOT%{_libdir}/
 ln -sf /%{_lib}/libssl.so.%{num_version} ./libssl.so
 ln -sf /%{_lib}/libcrypto.so.%{num_version} ./libcrypto.so
 
+for engine in 4758cca atalla nuron sureware ubsec cswift chil aep; do
+rm %{buildroot}/%{_lib}/engines/lib$engine.so
+done
+
+%ifnarch %{ix86} x86_64
+rm %{buildroot}/%{_lib}/engines/libpadlock.so
+%endif
+
 %clean
 if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi
 
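Review bot: The engine-removal block in the third openssl.spec hunk (`@@ -327,6 +334,14 @@`) mixes `%{buildroot}` into a %install section that otherwise addresses the same directory as `$RPM_BUILD_ROOT` (see the context lines `cd $RPM_BUILD_ROOT%{_libdir}/` and `rm -rf $RPM_BUILD_ROOT`), and it carries no comment saying why those eight engines go while capi/gmp/gost/padlock stay — that rationale currently lives only in openssl.changes. The bare `rm` (no -f) will abort the build the day upstream stops shipping one of these modules, which is a reasonable fail-loud choice but should be stated so nobody "fixes" it; a one-line comment such as `# drop engines that need third-party proprietary libraries we cannot test; rm is deliberately not -f so a vanished module is noticed (see openssl.changes)` covers both points, and the two rm lines could use `$RPM_BUILD_ROOT` for consistency with the rest of the section. Whether the %files list names the engine modules individually or by glob is not visible here; if individually, it needs the matching removals.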