jjelen / rpms / openssl

Forked from rpms/openssl 3 years ago
Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f7 f8 f9 man-perl master
  1.   f21
  2.   openssl-1.0.1k-alt-chains.patch
Blob Blame History Raw 
diff -up openssl-1.0.1k/apps/apps.c.alt-chains openssl-1.0.1k/apps/apps.c
--- openssl-1.0.1k/apps/apps.c.alt-chains	2015-07-09 14:58:55.949753674 +0200
+++ openssl-1.0.1k/apps/apps.c	2015-07-09 14:58:55.970754174 +0200
@@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
 	else if (!strcmp(arg, "-check_ss_sig"))
 		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
+	else if (!strcmp(arg, "-no_alt_chains"))
+		flags |= X509_V_FLAG_NO_ALT_CHAINS;
 	else if (!strcmp(arg, "-trusted_first"))
 		flags |= X509_V_FLAG_TRUSTED_FIRST;
 	else
diff -up openssl-1.0.1k/apps/cms.c.alt-chains openssl-1.0.1k/apps/cms.c
--- openssl-1.0.1k/apps/cms.c.alt-chains	2015-07-09 14:58:55.949753674 +0200
+++ openssl-1.0.1k/apps/cms.c	2015-07-09 14:58:55.970754174 +0200
@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
+		BIO_printf (bio_err, "-no_alt_chains only ever use the first certificate chain found\n");
 		BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
diff -up openssl-1.0.1k/apps/ocsp.c.alt-chains openssl-1.0.1k/apps/ocsp.c
--- openssl-1.0.1k/apps/ocsp.c.alt-chains	2015-07-09 14:58:55.949753674 +0200
+++ openssl-1.0.1k/apps/ocsp.c	2015-07-09 14:58:55.971754198 +0200
@@ -605,6 +605,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-path                path to use in OCSP request\n");
 		BIO_printf (bio_err, "-CApath dir          trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file         trusted certificates file\n");
+		BIO_printf (bio_err, "-no_alt_chains       only ever use the first certificate chain found\n");
 		BIO_printf (bio_err, "-trusted_first       use trusted certificates first when building the trust chain\n");
 		BIO_printf (bio_err, "-VAfile file         validator certificates file\n");
 		BIO_printf (bio_err, "-validity_period n   maximum validity discrepancy in seconds\n");
diff -up openssl-1.0.1k/apps/s_client.c.alt-chains openssl-1.0.1k/apps/s_client.c
--- openssl-1.0.1k/apps/s_client.c.alt-chains	2015-07-09 14:58:55.956753841 +0200
+++ openssl-1.0.1k/apps/s_client.c	2015-07-09 14:58:55.971754198 +0200
@@ -299,6 +299,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
+	BIO_printf(bio_err," -no_alt_chains - only ever use the first certificate chain found\n");
 	BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
diff -up openssl-1.0.1k/apps/smime.c.alt-chains openssl-1.0.1k/apps/smime.c
--- openssl-1.0.1k/apps/smime.c.alt-chains	2015-07-09 14:58:55.950753698 +0200
+++ openssl-1.0.1k/apps/smime.c	2015-07-09 14:58:55.971754198 +0200
@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
+		BIO_printf (bio_err, "-no_alt_chains only ever use the first certificate chain found\n");
 		BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
diff -up openssl-1.0.1k/apps/s_server.c.alt-chains openssl-1.0.1k/apps/s_server.c
--- openssl-1.0.1k/apps/s_server.c.alt-chains	2015-07-09 14:58:55.950753698 +0200
+++ openssl-1.0.1k/apps/s_server.c	2015-07-09 14:58:55.971754198 +0200
@@ -502,6 +502,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -state        - Print the SSL states\n");
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
+	BIO_printf(bio_err," -no_alt_chains - only ever use the first certificate chain found\n");
 	BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
 	BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
 	BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
diff -up openssl-1.0.1k/apps/verify.c.alt-chains openssl-1.0.1k/apps/verify.c
--- openssl-1.0.1k/apps/verify.c.alt-chains	2015-07-09 14:58:55.951753722 +0200
+++ openssl-1.0.1k/apps/verify.c	2015-07-09 14:58:55.972754221 +0200
@@ -238,7 +238,7 @@ int MAIN(int argc, char **argv)
 end:
 	if (ret == 1) {
 		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
-		BIO_printf(bio_err," [-attime timestamp]");
+		BIO_printf(bio_err," [-no_alt_chains] [-attime timestamp]");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," [-engine e]");
 #endif
diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/x509/x509_vfy.c
--- openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains	2015-07-09 14:58:55.951753722 +0200
+++ openssl-1.0.1k/crypto/x509/x509_vfy.c	2015-07-09 15:28:03.630442145 +0200
@@ -154,11 +154,11 @@ static int x509_subject_cmp(X509 **a, X5
 
 int X509_verify_cert(X509_STORE_CTX *ctx)
 	{
-	X509 *x,*xtmp,*chain_ss=NULL;
+	X509 *x,*xtmp,*xtmp2,*chain_ss=NULL;
 	int bad_chain = 0;
 	X509_VERIFY_PARAM *param = ctx->param;
 	int depth,i,ok=0;
-	int num;
+	int num, j, retry;
 	int (*cb)(int xok,X509_STORE_CTX *xctx);
 	STACK_OF(X509) *sktmp=NULL;
 	if (ctx->cert == NULL)
@@ -167,21 +167,27 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		return -1;
 		}
 
+        if (ctx->chain != NULL) {
+            /*
+             * This X509_STORE_CTX has already been used to verify a cert. We
+             * cannot do another one.
+             */
+            X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+            return -1;
+        }
+ 
 	cb=ctx->verify_cb;
 
 	/* first we make sure the chain we are going to build is
 	 * present and that the first entry is in place */
-	if (ctx->chain == NULL)
+	if (	((ctx->chain=sk_X509_new_null()) == NULL) ||
+		(!sk_X509_push(ctx->chain,ctx->cert)))
 		{
-		if (	((ctx->chain=sk_X509_new_null()) == NULL) ||
-			(!sk_X509_push(ctx->chain,ctx->cert)))
-			{
-			X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
-			goto end;
-			}
-		CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
-		ctx->last_untrusted=1;
+		X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+		goto end;
 		}
+	CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
+	ctx->last_untrusted=1;
 
 	/* We use a temporary STACK so we can chop and hack at it */
 	if (ctx->untrusted != NULL
@@ -247,10 +253,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		break;
 		}
 
+	/* Remember how many untrusted certs we have */
+	j = num;
+
 	/* at this point, chain should contain a list of untrusted
 	 * certificates.  We now need to add at least one trusted one,
 	 * if possible, otherwise we complain. */
 
+	do {
 	/* Examine last certificate in chain and see if it
  	 * is self signed.
  	 */
@@ -294,6 +304,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 			chain_ss=sk_X509_pop(ctx->chain);
 			ctx->last_untrusted--;
 			num--;
+			j--;
 			x=sk_X509_value(ctx->chain,num-1);
 			}
 		}
@@ -322,7 +333,42 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		num++;
 		}
 
-	/* we now have our chain, lets check it... */
+        /*
+         * If we haven't got a least one certificate from our store then check
+         * if there is an alternative chain that could be used.  We only do this
+         * if the user hasn't switched off alternate chain checking
+         */
+        retry = 0;
+        if (num == ctx->last_untrusted &&
+            !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
+            while (j-- > 1) {
+                xtmp2 = sk_X509_value(ctx->chain, j - 1);
+                ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
+                if (ok < 0)
+                    goto end;
+                /* Check if we found an alternate chain */
+                if (ok > 0) {
+                    /*
+                     * Free up the found cert we'll add it again later
+                     */
+                    X509_free(xtmp);
+
+                    /*
+                     * Dump all the certs above this point - we've found an
+                     * alternate chain
+                     */
+                    while (num > j) {
+                        xtmp = sk_X509_pop(ctx->chain);
+                        X509_free(xtmp);
+                        num--;
+                    }
+                    ctx->last_untrusted = j;
+                    retry = 1;
+                    break;
+                }
+            }
+        }
+	} while (retry);
 
 	/* Is last certificate looked up self signed? */
 	if (!ctx->check_issued(ctx,x,x))
diff -up openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.1k/crypto/x509/x509_vfy.h
--- openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains	2015-07-09 14:58:55.951753722 +0200
+++ openssl-1.0.1k/crypto/x509/x509_vfy.h	2015-07-09 14:58:55.972754221 +0200
@@ -391,7 +391,12 @@ void X509_STORE_CTX_set_depth(X509_STORE
 #define X509_V_FLAG_CHECK_SS_SIGNATURE		0x4000
 /* Use trusted store first */
 #define X509_V_FLAG_TRUSTED_FIRST		0x8000
-
+/*
+ * If the initial chain is not trusted, do not attempt to build an alternative
+ * chain. Alternate chain checking was introduced in 1.0.1n/1.0.2b. Setting
+ * this flag will force the behaviour to match that of previous versions.
+ */
+#define X509_V_FLAG_NO_ALT_CHAINS               0x100000
 
 #define X509_VP_FLAG_DEFAULT			0x1
 #define X509_VP_FLAG_OVERWRITE			0x2
diff -up openssl-1.0.1k/doc/apps/cms.pod.alt-chains openssl-1.0.1k/doc/apps/cms.pod
--- openssl-1.0.1k/doc/apps/cms.pod.alt-chains	2015-07-09 14:58:55.951753722 +0200
+++ openssl-1.0.1k/doc/apps/cms.pod	2015-07-09 14:58:55.972754221 +0200
@@ -35,6 +35,7 @@ B<openssl> B<cms>
 [B<-print>]
 [B<-CAfile file>]
 [B<-CApath dir>]
+[B<-no_alt_chains>]
 [B<-trusted_first>]
 [B<-md digest>]
 [B<-[cipher]>]
@@ -413,7 +414,7 @@ portion of a message so they may be incl
 then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
 
 Set various certificate chain valiadition option. See the
 L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains openssl-1.0.1k/doc/apps/ocsp.pod
--- openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains	2015-07-09 14:58:55.951753722 +0200
+++ openssl-1.0.1k/doc/apps/ocsp.pod	2015-07-09 14:58:55.973754245 +0200
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
 [B<-path>]
 [B<-CApath dir>]
 [B<-CAfile file>]
+[B<-no_alt_chains>]]
 [B<-trusted_first>]
 [B<-VAfile file>]
 [B<-validity_period n>]
@@ -143,6 +144,10 @@ connection timeout to the OCSP responder
 file or pathname containing trusted CA certificates. These are used to verify
 the signature on the OCSP response.
 
+=item B<-no_alt_chains>
+
+See L<B<verify>|verify(1)> manual page for details.
+
 =item B<-trusted_first>
 
 Use certificates in CA file or CA directory over certificates provided
diff -up openssl-1.0.1k/doc/apps/s_client.pod.alt-chains openssl-1.0.1k/doc/apps/s_client.pod
--- openssl-1.0.1k/doc/apps/s_client.pod.alt-chains	2015-07-09 14:58:55.952753746 +0200
+++ openssl-1.0.1k/doc/apps/s_client.pod	2015-07-09 14:58:55.973754245 +0200
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
 [B<-pass arg>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-no_alt_chains>]
 [B<-trusted_first>]
 [B<-reconnect>]
 [B<-pause>]
@@ -122,7 +123,7 @@ also used when building the client certi
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
 
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
 
 Set various certificate chain valiadition option. See the
 L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.1k/doc/apps/smime.pod.alt-chains openssl-1.0.1k/doc/apps/smime.pod
--- openssl-1.0.1k/doc/apps/smime.pod.alt-chains	2015-07-09 14:58:55.952753746 +0200
+++ openssl-1.0.1k/doc/apps/smime.pod	2015-07-09 14:58:55.973754245 +0200
@@ -17,6 +17,7 @@ B<openssl> B<smime>
 [B<-in file>]
 [B<-CAfile file>]
 [B<-CApath dir>]
+[B<-no_alt_chains>]
 [B<-trusted_first>]
 [B<-certfile file>]
 [B<-signer file>]
@@ -268,7 +269,7 @@ portion of a message so they may be incl
 then many S/MIME mail clients check the signers certificate's email
 address matches that specified in the From: address.
 
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
 
 Set various options of certificate chain verification. See
 L<B<verify>|verify(1)> manual page for details.
diff -up openssl-1.0.1k/doc/apps/s_server.pod.alt-chains openssl-1.0.1k/doc/apps/s_server.pod
--- openssl-1.0.1k/doc/apps/s_server.pod.alt-chains	2015-07-09 14:58:55.952753746 +0200
+++ openssl-1.0.1k/doc/apps/s_server.pod	2015-07-09 14:58:55.973754245 +0200
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
 [B<-state>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-no_alt_chains>]
 [B<-trusted_first>]
 [B<-nocert>]
 [B<-cipher cipherlist>]
@@ -179,6 +180,10 @@ and to use when attempting to build the
 is also used in the list of acceptable client CAs passed to the client when
 a certificate is requested.
 
+=item B<-no_alt_chains>
+
+See the L<B<verify>|verify(1)> manual page for details.
+
 =item B<-trusted_first>
 
 Use certificates in CA file or CA directory before other certificates 
diff -up openssl-1.0.1k/doc/apps/verify.pod.alt-chains openssl-1.0.1k/doc/apps/verify.pod
--- openssl-1.0.1k/doc/apps/verify.pod.alt-chains	2015-07-09 14:58:55.952753746 +0200
+++ openssl-1.0.1k/doc/apps/verify.pod	2015-07-09 14:58:55.973754245 +0200
@@ -23,6 +23,7 @@ B<openssl> B<verify>
 [B<-extended_crl>]
 [B<-use_deltas>]
 [B<-policy_print>]
+[B<-no_alt_chains>]
 [B<-untrusted file>]
 [B<-help>]
 [B<-issuer_checks>]
@@ -115,6 +116,14 @@ Set policy variable inhibit-any-policy (
 
 Set policy variable inhibit-policy-mapping (see RFC5280).
 
+=item B<-no_alt_chains>
+
+When building a certificate chain, if the first certificate chain found is not
+trusted, then OpenSSL will continue to check to see if an alternative chain can
+be found that is trusted. With this option that behaviour is suppressed so that
+only the first chain found is ever used. Using this option will force the
+behaviour to match that of previous OpenSSL versions.
+
 =item B<-policy_print>
 
 Print out diagnostics related to policy processing.
diff -up openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod
--- openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod.alt-chains	2014-10-15 15:49:15.000000000 +0200
+++ openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod	2015-07-09 15:29:16.461174414 +0200
@@ -39,10 +39,15 @@ X509_STORE_CTX_free() completely frees u
 is no longer valid.
 
 X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
-The trusted certificate store is set to B<store>, the end entity certificate
-to be verified is set to B<x509> and a set of additional certificates (which
-will be untrusted but may be used to build the chain) in B<chain>. Any or
-all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>.
+It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
+good for one call to X509_verify_cert(); if you want to verify a second
+certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
+and then X509_STORE_CTX_init() again before the second call to
+X509_verify_cert(). The trusted certificate store is set to B<store>, the end
+entity certificate to be verified is set to B<x509> and a set of additional
+certificates (which will be untrusted but may be used to build the chain) in
+B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
+B<NULL>.
 
 X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
 to B<sk>. This is an alternative way of specifying trusted certificates 
diff -up openssl-1.0.1k/doc/crypto/X509_verify_cert.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_verify_cert.pod
--- openssl-1.0.1k/doc/crypto/X509_verify_cert.pod.alt-chains	2014-10-15 15:49:15.000000000 +0200
+++ openssl-1.0.1k/doc/crypto/X509_verify_cert.pod	2015-07-09 15:29:16.461174414 +0200
@@ -32,7 +32,8 @@ OpenSSL internally for certificate valid
 SSL/TLS code.
 
 The negative return value from X509_verify_cert() can only occur if no
-certificate is set in B<ctx> (due to a programming error) or if a retry
+certificate is set in B<ctx> (due to a programming error); if X509_verify_cert()
+twice without reinitialising B<ctx> in between; or if a retry
 operation is requested during internal lookups (which never happens with
 standard lookup methods). It is however recommended that application check
 for <= 0 return value on error.
diff -up openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
--- openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains	2015-01-08 15:00:36.000000000 +0100
+++ openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod	2015-07-09 14:58:55.973754245 +0200
@@ -133,6 +133,12 @@ verification. If this flag is set then a
 to the verification callback and it B<must> be prepared to handle such cases
 without assuming they are hard errors.
 
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag suppresses checking for alternative
+chains. By default, when building a certificate chain, if the first certificate
+chain found is not trusted, then OpenSSL will continue to check to see if an
+alternative chain can be found that is trusted. With this flag set the behaviour
+will match that of OpenSSL versions prior to 1.0.1n and 1.0.2b.
+
 =head1 NOTES
 
 The above functions should be used to manipulate verification parameters
@@ -166,6 +172,6 @@ L<X509_verify_cert(3)|X509_verify_cert(3
 
 =head1 HISTORY
 
-TBA
+The B<X509_V_FLAG_NO_ALT_CHAINS> flag was added in upstream OpenSSL 1.0.1n and 1.0.2b
 
 =cut
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.