[rpms/openssl] rebase_40beta: add support for the -trusted_first option for certificate chain verification

public inbox for git-commits@fedoraproject.org
help / color / mirror / Atom feed

From: Tomas Mraz <tmraz@fedoraproject.org>
To: git-commits@fedoraproject.org
Subject: [rpms/openssl] rebase_40beta: add support for the -trusted_first option for certificate chain verification
Date: Tue, 09 Jun 2026 12:42:52 GMT	[thread overview]
Message-ID: <178100897210.1.1277487988978472329.rpms-openssl-30aa9303c739@fedoraproject.org> (raw)

A new commit has been pushed.

Repo   : rpms/openssl
Branch : rebase_40beta
Commit : 30aa9303c739f90798183c5bbf45dec952d15738
Author : Tomas Mraz <tmraz@fedoraproject.org>
Date   : 2013-07-10T11:02:41+02:00
Stats  : +56/-1 in 2 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/30aa9303c739f90798183c5bbf45dec952d15738?branch=rebase_40beta

Log:
add support for the -trusted_first option for certificate chain verification

---
diff --git a/openssl-1.0.1e-trusted-first.patch b/openssl-1.0.1e-trusted-first.patch
new file mode 100644
index 0000000..9cf2457
--- /dev/null
+++ b/openssl-1.0.1e-trusted-first.patch
@@ -0,0 +1,50 @@
+diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c
+--- openssl-1.0.1e/apps/apps.c.trusted-first	2013-02-11 16:26:04.000000000 +0100
++++ openssl-1.0.1e/apps/apps.c	2013-07-10 10:42:42.242706279 +0200
+@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg
+ 		flags |= X509_V_FLAG_NOTIFY_POLICY;
+ 	else if (!strcmp(arg, "-check_ss_sig"))
+ 		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
++	else if (!strcmp(arg, "-trusted_first"))
++		flags |= X509_V_FLAG_TRUSTED_FIRST;
+ 	else
+ 		return 0;
+ 
+diff -up openssl-1.0.1e/CHANGES.trusted-first openssl-1.0.1e/CHANGES
+diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c
+--- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first	2013-05-31 13:40:52.000000000 +0200
++++ openssl-1.0.1e/crypto/x509/x509_vfy.c	2013-07-10 10:45:49.473638295 +0200
+@@ -205,6 +205,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
+ 
+ 		/* If we are self signed, we break */
+ 		if (ctx->check_issued(ctx, x,x)) break;
++		/* If asked see if we can find issuer in trusted store first */
++		if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
++			{
++			ok = ctx->get_issuer(&xtmp, ctx, x);
++			if (ok < 0)
++				return ok;
++			/* If successful for now free up cert so it
++			 * will be picked up again later.
++			 */
++			if (ok > 0)
++				{
++				X509_free(xtmp);
++				break;
++				}
++			}
+ 
+ 		/* If we were passed a cert chain, use it first */
+ 		if (ctx->untrusted != NULL)
+diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h
+--- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first	2013-05-31 13:40:51.890277515 +0200
++++ openssl-1.0.1e/crypto/x509/x509_vfy.h	2013-07-10 10:42:42.247706379 +0200
+@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
+ #define X509_V_FLAG_USE_DELTAS			0x2000
+ /* Check selfsigned CA signature */
+ #define X509_V_FLAG_CHECK_SS_SIGNATURE		0x4000
++/* Use trusted store first */
++#define X509_V_FLAG_TRUSTED_FIRST		0x8000
+ 
+ 
+ #define X509_VP_FLAG_DEFAULT			0x1

diff --git a/openssl.spec b/openssl.spec
index ac9cc28..346bbd4 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -21,7 +21,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.0.1e
-Release: 6%{?dist}
+Release: 7%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -73,6 +73,7 @@ Patch71: openssl-1.0.1e-manfix.patch
 Patch81: openssl-1.0.1-beta2-padlock64.patch
 Patch82: openssl-1.0.1e-backports.patch
 Patch83: openssl-1.0.1e-bad-mac.patch
+Patch84: openssl-1.0.1e-trusted-first.patch
 
 License: OpenSSL
 Group: System Environment/Libraries
@@ -178,6 +179,7 @@ from other formats to the formats used by the OpenSSL toolkit.
 %patch82 -p1 -b .backports
 %patch71 -p1 -b .manfix
 %patch83 -p1 -b .bad-mac
+%patch84 -p1 -b .trusted-first
 
 sed -i 's/SHLIB_VERSION_NUMBER "1.0.0"/SHLIB_VERSION_NUMBER "%{version}"/' crypto/opensslv.h
 
@@ -438,6 +440,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
 %postun libs -p /sbin/ldconfig
 
 %changelog
+* Wed Jul 10 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-7
+- add support for the -trusted_first option for certificate chain verification
+
 * Fri May  3 2013 Tomas Mraz <tmraz@redhat.com> 1.0.1e-6
 - fix build of manual pages with current pod2man (#959439)

                 reply	other threads:[~2026-06-09 12:42 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=178100897210.1.1277487988978472329.rpms-openssl-30aa9303c739@fedoraproject.org \
    --to=tmraz@fedoraproject.org \
    --cc=git-commits@fedoraproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox