File openssl-1.0.1i-trusted-first.patch of Package compat-openssl098.24732

Overview Repositories Revisions Requests Users Attributes Meta

File openssl-1.0.1i-trusted-first.patch of Package compat-openssl098.24732

Index: openssl-0.9.8j/apps/apps.c
===================================================================
--- openssl-0.9.8j.orig/apps/apps.c	2017-11-06 13:50:17.540461140 +0100
+++ openssl-0.9.8j/apps/apps.c	2017-11-06 13:52:01.998102425 +0100
@@ -2261,6 +2261,8 @@ int args_verify(char ***pargs, int *parg
 		flags |= X509_V_FLAG_X509_STRICT;
 	else if (!strcmp(arg, "-policy_print"))
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
+	else if (!strcmp(arg, "-trusted_first"))
+		flags |= X509_V_FLAG_TRUSTED_FIRST;
 	else
 		return 0;
 
Index: openssl-0.9.8j/apps/cms.c
===================================================================
--- openssl-0.9.8j.orig/apps/cms.c	2017-11-06 13:49:47.455988421 +0100
+++ openssl-0.9.8j/apps/cms.c	2017-11-06 13:50:17.540461140 +0100
@@ -627,6 +627,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
+		BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
 #ifndef OPENSSL_NO_ENGINE
Index: openssl-0.9.8j/apps/ocsp.c
===================================================================
--- openssl-0.9.8j.orig/apps/ocsp.c	2017-11-06 13:49:47.455988421 +0100
+++ openssl-0.9.8j/apps/ocsp.c	2017-11-06 13:50:17.540461140 +0100
@@ -549,6 +549,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-path              path to use in OCSP request\n");
 		BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
+		BIO_printf (bio_err, "-trusted_first     use trusted certificates first when building the trust chain\n");
 		BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
 		BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
 		BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
Index: openssl-0.9.8j/apps/s_client.c
===================================================================
--- openssl-0.9.8j.orig/apps/s_client.c	2017-11-06 13:49:47.455988421 +0100
+++ openssl-0.9.8j/apps/s_client.c	2017-11-06 13:50:17.540461140 +0100
@@ -205,6 +205,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
+	BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
 	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
Index: openssl-0.9.8j/apps/smime.c
===================================================================
--- openssl-0.9.8j.orig/apps/smime.c	2017-11-06 13:49:47.455988421 +0100
+++ openssl-0.9.8j/apps/smime.c	2017-11-06 13:50:17.540461140 +0100
@@ -466,6 +466,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
+		BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
 #ifndef OPENSSL_NO_ENGINE
Index: openssl-0.9.8j/apps/s_server.c
===================================================================
--- openssl-0.9.8j.orig/apps/s_server.c	2017-11-06 13:49:47.455988421 +0100
+++ openssl-0.9.8j/apps/s_server.c	2017-11-06 13:50:17.540461140 +0100
@@ -383,6 +383,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -state        - Print the SSL states\n");
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
+	BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
 	BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
 	BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
 	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences\n");
Index: openssl-0.9.8j/apps/s_time.c
===================================================================
--- openssl-0.9.8j.orig/apps/s_time.c	2017-11-06 13:49:47.455988421 +0100
+++ openssl-0.9.8j/apps/s_time.c	2017-11-06 13:50:17.544461203 +0100
@@ -227,6 +227,7 @@ static void s_time_usage(void)
                 file if not specified by this option\n\
 -CApath arg   - PEM format directory of CA's\n\
 -CAfile arg   - PEM format file of CA's\n\
+-trusted_first - Use trusted CA's first when building the trust chain\n\
 -cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n";
 
 	printf( "usage: s_time <args>\n\n" );
Index: openssl-0.9.8j/apps/verify.c
===================================================================
--- openssl-0.9.8j.orig/apps/verify.c	2017-11-06 13:50:17.544461203 +0100
+++ openssl-0.9.8j/apps/verify.c	2017-11-06 13:51:28.593577569 +0100
@@ -215,7 +215,7 @@ int MAIN(int argc, char **argv)
 	ret=0;
 end:
 	if (ret == 1) {
-		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
+		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," [-engine e]");
 #endif
Index: openssl-0.9.8j/crypto/x509/x509_vfy.c
===================================================================
--- openssl-0.9.8j.orig/crypto/x509/x509_vfy.c	2017-11-06 13:49:47.455988421 +0100
+++ openssl-0.9.8j/crypto/x509/x509_vfy.c	2017-11-06 13:50:17.544461203 +0100
@@ -151,6 +151,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		/* If we are self signed, we break */
 		xn=X509_get_issuer_name(x);
 		if (ctx->check_issued(ctx, x,x)) break;
+		/* If asked see if we can find issuer in trusted store first */
+		if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
+			{
+			ok = ctx->get_issuer(&xtmp, ctx, x);
+			if (ok < 0)
+				return ok;
+			/* If successful for now free up cert so it
+			 * will be picked up again later.
+			 */
+			if (ok > 0)
+				{
+				X509_free(xtmp);
+				break;
+				}
+			}
 
 		/* If we were passed a cert chain, use it first */
 		if (ctx->untrusted != NULL)
Index: openssl-0.9.8j/crypto/x509/x509_vfy.h
===================================================================
--- openssl-0.9.8j.orig/crypto/x509/x509_vfy.h	2017-11-06 13:50:17.544461203 +0100
+++ openssl-0.9.8j/crypto/x509/x509_vfy.h	2017-11-06 13:52:47.710820652 +0100
@@ -362,6 +362,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
 #define X509_V_FLAG_INHIBIT_MAP			0x400
 /* Notify callback that policy is OK */
 #define X509_V_FLAG_NOTIFY_POLICY		0x800
+/* Use trusted store first */
+#define X509_V_FLAG_TRUSTED_FIRST		0x8000
 
 #define X509_VP_FLAG_DEFAULT			0x1
 #define X509_VP_FLAG_OVERWRITE			0x2
Index: openssl-0.9.8j/doc/apps/ocsp.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/ocsp.pod	2017-11-06 13:49:47.455988421 +0100
+++ openssl-0.9.8j/doc/apps/ocsp.pod	2017-11-06 13:50:17.544461203 +0100
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
 [B<-path>]
 [B<-CApath dir>]
 [B<-CAfile file>]
+[B<-trusted_first>]
 [B<-VAfile file>]
 [B<-validity_period n>]
 [B<-status_age n>]
@@ -137,6 +138,13 @@ or "/" by default.
 file or pathname containing trusted CA certificates. These are used to verify
 the signature on the OCSP response.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory over certificates provided
+in the response or residing in other certificates file when building the trust
+chain to verify responder certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-verify_other file>
 
 file containing additional certificates to search when attempting to locate
Index: openssl-0.9.8j/doc/apps/s_client.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/s_client.pod	2017-11-06 13:49:47.459988485 +0100
+++ openssl-0.9.8j/doc/apps/s_client.pod	2017-11-06 13:50:17.544461203 +0100
@@ -17,6 +17,7 @@ B<openssl> B<s_client>
 [B<-pass arg>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-trusted_first>]
 [B<-reconnect>]
 [B<-pause>]
 [B<-showcerts>]
Index: openssl-0.9.8j/doc/apps/smime.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/smime.pod	2017-11-06 13:49:47.459988485 +0100
+++ openssl-0.9.8j/doc/apps/smime.pod	2017-11-06 13:53:17.023281190 +0100
@@ -24,6 +24,9 @@ B<openssl> B<smime>
 [B<-camellia192>]
 [B<-camellia256>]
 [B<-in file>]
+[B<-CAfile file>]
+[B<-CApath dir>]
+[B<-trusted_first>]
 [B<-certfile file>]
 [B<-signer file>]
 [B<-recip  file>]
@@ -132,6 +135,12 @@ B<-verify>. This directory must be a sta
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory over certificates provided
+in the message when building the trust chain to verify a certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-des -des3 -rc2-40 -rc2-64 -rc2-128 -aes128 -aes192 -aes256 -camellia128 -camellia192 -camellia256>
 
 the encryption algorithm to use. DES (56 bits), triple DES (168 bits),
Index: openssl-0.9.8j/doc/apps/s_server.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/s_server.pod	2017-11-06 13:49:47.459988485 +0100
+++ openssl-0.9.8j/doc/apps/s_server.pod	2017-11-06 13:50:17.544461203 +0100
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
 [B<-state>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-trusted_first>]
 [B<-nocert>]
 [B<-cipher cipherlist>]
 [B<-quiet>]
@@ -163,6 +164,12 @@ and to use when attempting to build the
 is also used in the list of acceptable client CAs passed to the client when
 a certificate is requested.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before other certificates 
+when building the trust chain to verify client certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-state>
 
 prints out the SSL session states.
Index: openssl-0.9.8j/doc/apps/s_time.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/s_time.pod	2017-11-06 13:49:47.459988485 +0100
+++ openssl-0.9.8j/doc/apps/s_time.pod	2017-11-06 13:50:17.544461203 +0100
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
 [B<-key filename>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-trusted_first>]
 [B<-reuse>]
 [B<-new>]
 [B<-verify depth>]
@@ -76,6 +77,12 @@ also used when building the client certi
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory over the certificates provided
+by the server when building the trust chain to verify server certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-new>
 
 performs the timing test using a new session ID for each connection.
Index: openssl-0.9.8j/doc/apps/verify.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/verify.pod	2017-11-06 13:49:47.459988485 +0100
+++ openssl-0.9.8j/doc/apps/verify.pod	2017-11-06 13:50:17.544461203 +0100
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
 B<openssl> B<verify>
 [B<-CApath directory>]
 [B<-CAfile file>]
+[B<-trusted_first>]
 [B<-purpose purpose>]
 [B<-untrusted file>]
 [B<-help>]
@@ -43,6 +44,12 @@ in PEM format concatenated together.
 
 A file of untrusted certificates. The file should contain multiple certificates
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before the certificates in the untrusted
+file when building the trust chain to verify certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-purpose purpose>
 
 the intended use for the certificate. Without this option no chain verification

Places

File openssl-1.0.1i-trusted-first.patch of Package compat-openssl098.24732

Places