[rpms/openssl] rebase_40beta: do not load default verify paths if CApath or CAfile specified (#884305)

[rpms/openssl] rebase_40beta: do not load default verify paths if CApath or CAfile specified (#884305)

[Tomas Mraz]

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 650873ff0ee52cef1653fa48db5f073daf30dd83
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date   : 2012-12-06T18:30:15+01:00
Stats  : +105/-79 in 3 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/650873ff0ee52cef1653fa48db5f073daf30dd83?branch=rebase_40beta

Log:
do not load default verify paths if CApath or CAfile specified (#884305)

---
diff --git a/openssl-1.0.0-beta4-default-paths.patch b/openssl-1.0.0-beta4-default-paths.patch
deleted file mode 100644
index 0b48a27..0000000
--- a/openssl-1.0.0-beta4-default-paths.patch
+++ /dev/null
@@ -1,77 +0,0 @@
-diff -up openssl-1.0.0-beta4/apps/s_client.c.default-paths openssl-1.0.0-beta4/apps/s_client.c
---- openssl-1.0.0-beta4/apps/s_client.c.default-paths	2009-08-12 15:21:26.000000000 +0200
-+++ openssl-1.0.0-beta4/apps/s_client.c	2009-11-12 12:26:32.000000000 +0100
-@@ -889,12 +889,13 @@ bad:
- 	if (!set_cert_key_stuff(ctx,cert,key))
- 		goto end;
- 
--	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
--		(!SSL_CTX_set_default_verify_paths(ctx)))
-+	if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
-+		{
-+		ERR_print_errors(bio_err);
-+		}
-+	if (!SSL_CTX_set_default_verify_paths(ctx))
- 		{
--		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
- 		ERR_print_errors(bio_err);
--		/* goto end; */
- 		}
- 
- #ifndef OPENSSL_NO_TLSEXT
-diff -up openssl-1.0.0-beta4/apps/s_server.c.default-paths openssl-1.0.0-beta4/apps/s_server.c
---- openssl-1.0.0-beta4/apps/s_server.c.default-paths	2009-10-28 18:49:37.000000000 +0100
-+++ openssl-1.0.0-beta4/apps/s_server.c	2009-11-12 12:31:23.000000000 +0100
-@@ -1408,12 +1408,13 @@ bad:
- 		}
- #endif
- 
--	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
--		(!SSL_CTX_set_default_verify_paths(ctx)))
-+	if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
-+		{
-+		ERR_print_errors(bio_err);
-+		}
-+	if (!SSL_CTX_set_default_verify_paths(ctx))
- 		{
--		/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
- 		ERR_print_errors(bio_err);
--		/* goto end; */
- 		}
- 	if (vpm)
- 		SSL_CTX_set1_param(ctx, vpm);
-@@ -1465,8 +1466,11 @@ bad:
- 		else
- 			SSL_CTX_sess_set_cache_size(ctx2,128);
- 
--		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
--			(!SSL_CTX_set_default_verify_paths(ctx2)))
-+		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
-+			{
-+			ERR_print_errors(bio_err);
-+			}
-+		if (!SSL_CTX_set_default_verify_paths(ctx2))
- 			{
- 			ERR_print_errors(bio_err);
- 			}
-diff -up openssl-1.0.0-beta4/apps/s_time.c.default-paths openssl-1.0.0-beta4/apps/s_time.c
---- openssl-1.0.0-beta4/apps/s_time.c.default-paths	2006-04-17 14:22:13.000000000 +0200
-+++ openssl-1.0.0-beta4/apps/s_time.c	2009-11-12 12:26:32.000000000 +0100
-@@ -373,12 +373,13 @@ int MAIN(int argc, char **argv)
- 
- 	SSL_load_error_strings();
- 
--	if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
--		(!SSL_CTX_set_default_verify_paths(tm_ctx)))
-+	if (!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath))
-+		{
-+		ERR_print_errors(bio_err);
-+		}
-+	if (!SSL_CTX_set_default_verify_paths(tm_ctx))
- 		{
--		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
- 		ERR_print_errors(bio_err);
--		/* goto end; */
- 		}
- 
- 	if (tm_cipher == NULL)

diff --git a/openssl-1.0.1c-default-paths.patch b/openssl-1.0.1c-default-paths.patch
new file mode 100644
index 0000000..236d1db
--- /dev/null
+++ b/openssl-1.0.1c-default-paths.patch
@@ -0,0 +1,100 @@
+diff -up openssl-1.0.1c/apps/s_client.c.default-paths openssl-1.0.1c/apps/s_client.c
+--- openssl-1.0.1c/apps/s_client.c.default-paths	2012-03-18 19:16:05.000000000 +0100
++++ openssl-1.0.1c/apps/s_client.c	2012-12-06 18:24:06.425933203 +0100
+@@ -1166,12 +1166,19 @@ bad:
+ 	if (!set_cert_key_stuff(ctx,cert,key))
+ 		goto end;
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(ctx)))
++	if (CAfile == NULL && CApath == NULL)
+ 		{
+-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+-		ERR_print_errors(bio_err);
+-		/* goto end; */
++		if (!SSL_CTX_set_default_verify_paths(ctx))
++			{
++			ERR_print_errors(bio_err);
++			}
++		}
++	else
++		{
++		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++			{
++			ERR_print_errors(bio_err);
++			}
+ 		}
+ 
+ #ifndef OPENSSL_NO_TLSEXT
+diff -up openssl-1.0.1c/apps/s_server.c.default-paths openssl-1.0.1c/apps/s_server.c
+--- openssl-1.0.1c/apps/s_server.c.default-paths	2012-03-18 19:16:05.000000000 +0100
++++ openssl-1.0.1c/apps/s_server.c	2012-12-06 18:25:11.199329611 +0100
+@@ -1565,13 +1565,21 @@ bad:
+ 		}
+ #endif
+ 
+-	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(ctx)))
++	if (CAfile == NULL && CApath == NULL)
+ 		{
+-		/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
+-		ERR_print_errors(bio_err);
+-		/* goto end; */
++		if (!SSL_CTX_set_default_verify_paths(ctx))
++			{
++			ERR_print_errors(bio_err);
++			}
++		}
++	else
++		{
++		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++			{
++			ERR_print_errors(bio_err);
++			}
+ 		}
++
+ 	if (vpm)
+ 		SSL_CTX_set1_param(ctx, vpm);
+ 
+@@ -1622,8 +1630,11 @@ bad:
+ 		else
+ 			SSL_CTX_sess_set_cache_size(ctx2,128);
+ 
+-		if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
+-			(!SSL_CTX_set_default_verify_paths(ctx2)))
++		if (!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath))
++			{
++			ERR_print_errors(bio_err);
++			}
++		if (!SSL_CTX_set_default_verify_paths(ctx2))
+ 			{
+ 			ERR_print_errors(bio_err);
+ 			}
+diff -up openssl-1.0.1c/apps/s_time.c.default-paths openssl-1.0.1c/apps/s_time.c
+--- openssl-1.0.1c/apps/s_time.c.default-paths	2006-04-17 14:22:13.000000000 +0200
++++ openssl-1.0.1c/apps/s_time.c	2012-12-06 18:27:41.694574044 +0100
+@@ -373,12 +373,19 @@ int MAIN(int argc, char **argv)
+ 
+ 	SSL_load_error_strings();
+ 
+-	if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
+-		(!SSL_CTX_set_default_verify_paths(tm_ctx)))
++	if (CAfile == NULL && CApath == NULL)
+ 		{
+-		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
+-		ERR_print_errors(bio_err);
+-		/* goto end; */
++		if (!SSL_CTX_set_default_verify_paths(ctx))
++			{
++			ERR_print_errors(bio_err);
++			}
++		}
++	else
++		{
++		if (!SSL_CTX_load_verify_locations(ctx,CAfile,CApath))
++			{
++			ERR_print_errors(bio_err);
++			}
+ 		}
+ 
+ 	if (tm_cipher == NULL)

diff --git a/openssl.spec b/openssl.spec
index 530c555..4e77a93 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implem
 Name: openssl
 Version: 1.0.1c
 # Do not forget to bump SHLIB_VERSION on version upgrades
-Release: 9%{?dist}
+Release: 10%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -45,7 +45,7 @@ Patch7: openssl-1.0.0-timezone.patch
 Patch8: openssl-1.0.1c-perlfind.patch
 Patch9: openssl-1.0.1c-aliasing.patch
 # Bug fixes
-Patch23: openssl-1.0.0-beta4-default-paths.patch
+Patch23: openssl-1.0.1c-default-paths.patch
 # Functionality changes
 Patch33: openssl-1.0.0-beta4-ca-dir.patch
 Patch34: openssl-0.9.6-x509.patch
@@ -431,6 +431,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Thu Dec  6 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-10
+- do not load default verify paths if CApath or CAfile specified (#884305)
+
 * Tue Nov 20 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1c-9
 - more fixes from upstream CVS
 - fix DSA key pairwise check (#878597)