fix CVE-2015-1793 - certificate verification forgery
This commit is contained in:
Tomas Mraz
parent
546bf977b5
commit
929846e5d1
|
|
@ -1,6 +1,6 @@
|
|||
diff -up openssl-1.0.1k/apps/apps.c.alt-chains openssl-1.0.1k/apps/apps.c
|
||||
--- openssl-1.0.1k/apps/apps.c.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/apps/apps.c 2015-04-30 14:25:49.220873338 +0200
|
||||
--- openssl-1.0.1k/apps/apps.c.alt-chains 2015-07-09 14:58:55.949753674 +0200
|
||||
+++ openssl-1.0.1k/apps/apps.c 2015-07-09 14:58:55.970754174 +0200
|
||||
@@ -2365,6 +2365,8 @@ int args_verify(char ***pargs, int *parg
|
||||
flags |= X509_V_FLAG_NOTIFY_POLICY;
|
||||
else if (!strcmp(arg, "-check_ss_sig"))
|
||||
|
|
@ -11,8 +11,8 @@ diff -up openssl-1.0.1k/apps/apps.c.alt-chains openssl-1.0.1k/apps/apps.c
|
|||
flags |= X509_V_FLAG_TRUSTED_FIRST;
|
||||
else
|
||||
diff -up openssl-1.0.1k/apps/cms.c.alt-chains openssl-1.0.1k/apps/cms.c
|
||||
--- openssl-1.0.1k/apps/cms.c.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/apps/cms.c 2015-04-30 14:27:12.129773347 +0200
|
||||
--- openssl-1.0.1k/apps/cms.c.alt-chains 2015-07-09 14:58:55.949753674 +0200
|
||||
+++ openssl-1.0.1k/apps/cms.c 2015-07-09 14:58:55.970754174 +0200
|
||||
@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
|
||||
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
|
||||
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
||||
|
|
@ -22,8 +22,8 @@ diff -up openssl-1.0.1k/apps/cms.c.alt-chains openssl-1.0.1k/apps/cms.c
|
|||
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
||||
diff -up openssl-1.0.1k/apps/ocsp.c.alt-chains openssl-1.0.1k/apps/ocsp.c
|
||||
--- openssl-1.0.1k/apps/ocsp.c.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/apps/ocsp.c 2015-04-30 14:28:12.975167730 +0200
|
||||
--- openssl-1.0.1k/apps/ocsp.c.alt-chains 2015-07-09 14:58:55.949753674 +0200
|
||||
+++ openssl-1.0.1k/apps/ocsp.c 2015-07-09 14:58:55.971754198 +0200
|
||||
@@ -605,6 +605,7 @@ int MAIN(int argc, char **argv)
|
||||
BIO_printf (bio_err, "-path path to use in OCSP request\n");
|
||||
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
||||
|
|
@ -33,8 +33,8 @@ diff -up openssl-1.0.1k/apps/ocsp.c.alt-chains openssl-1.0.1k/apps/ocsp.c
|
|||
BIO_printf (bio_err, "-VAfile file validator certificates file\n");
|
||||
BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
|
||||
diff -up openssl-1.0.1k/apps/s_client.c.alt-chains openssl-1.0.1k/apps/s_client.c
|
||||
--- openssl-1.0.1k/apps/s_client.c.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/apps/s_client.c 2015-04-30 14:29:33.254006312 +0200
|
||||
--- openssl-1.0.1k/apps/s_client.c.alt-chains 2015-07-09 14:58:55.956753841 +0200
|
||||
+++ openssl-1.0.1k/apps/s_client.c 2015-07-09 14:58:55.971754198 +0200
|
||||
@@ -299,6 +299,7 @@ static void sc_usage(void)
|
||||
BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
|
||||
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
|
||||
|
|
@ -44,8 +44,8 @@ diff -up openssl-1.0.1k/apps/s_client.c.alt-chains openssl-1.0.1k/apps/s_client.
|
|||
BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n");
|
||||
BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n");
|
||||
diff -up openssl-1.0.1k/apps/smime.c.alt-chains openssl-1.0.1k/apps/smime.c
|
||||
--- openssl-1.0.1k/apps/smime.c.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/apps/smime.c 2015-04-30 14:30:44.456633094 +0200
|
||||
--- openssl-1.0.1k/apps/smime.c.alt-chains 2015-07-09 14:58:55.950753698 +0200
|
||||
+++ openssl-1.0.1k/apps/smime.c 2015-07-09 14:58:55.971754198 +0200
|
||||
@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
|
||||
BIO_printf (bio_err, "-text include or delete text MIME headers\n");
|
||||
BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
|
||||
|
|
@ -55,8 +55,8 @@ diff -up openssl-1.0.1k/apps/smime.c.alt-chains openssl-1.0.1k/apps/smime.c
|
|||
BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n");
|
||||
BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
|
||||
diff -up openssl-1.0.1k/apps/s_server.c.alt-chains openssl-1.0.1k/apps/s_server.c
|
||||
--- openssl-1.0.1k/apps/s_server.c.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/apps/s_server.c 2015-04-30 14:30:06.420764081 +0200
|
||||
--- openssl-1.0.1k/apps/s_server.c.alt-chains 2015-07-09 14:58:55.950753698 +0200
|
||||
+++ openssl-1.0.1k/apps/s_server.c 2015-07-09 14:58:55.971754198 +0200
|
||||
@@ -502,6 +502,7 @@ static void sv_usage(void)
|
||||
BIO_printf(bio_err," -state - Print the SSL states\n");
|
||||
BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n");
|
||||
|
|
@ -66,8 +66,8 @@ diff -up openssl-1.0.1k/apps/s_server.c.alt-chains openssl-1.0.1k/apps/s_server.
|
|||
BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n");
|
||||
BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n");
|
||||
diff -up openssl-1.0.1k/apps/verify.c.alt-chains openssl-1.0.1k/apps/verify.c
|
||||
--- openssl-1.0.1k/apps/verify.c.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/apps/verify.c 2015-04-30 14:31:20.055446426 +0200
|
||||
--- openssl-1.0.1k/apps/verify.c.alt-chains 2015-07-09 14:58:55.951753722 +0200
|
||||
+++ openssl-1.0.1k/apps/verify.c 2015-07-09 14:58:55.972754221 +0200
|
||||
@@ -238,7 +238,7 @@ int MAIN(int argc, char **argv)
|
||||
end:
|
||||
if (ret == 1) {
|
||||
|
|
@ -78,8 +78,8 @@ diff -up openssl-1.0.1k/apps/verify.c.alt-chains openssl-1.0.1k/apps/verify.c
|
|||
BIO_printf(bio_err," [-engine e]");
|
||||
#endif
|
||||
diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/x509/x509_vfy.c
|
||||
--- openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/crypto/x509/x509_vfy.c 2015-04-30 14:22:37.183472452 +0200
|
||||
--- openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains 2015-07-09 14:58:55.951753722 +0200
|
||||
+++ openssl-1.0.1k/crypto/x509/x509_vfy.c 2015-07-09 15:28:03.630442145 +0200
|
||||
@@ -154,11 +154,11 @@ static int x509_subject_cmp(X509 **a, X5
|
||||
|
||||
int X509_verify_cert(X509_STORE_CTX *ctx)
|
||||
|
|
@ -94,7 +94,44 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/
|
|||
int (*cb)(int xok,X509_STORE_CTX *xctx);
|
||||
STACK_OF(X509) *sktmp=NULL;
|
||||
if (ctx->cert == NULL)
|
||||
@@ -247,10 +247,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||
@@ -167,21 +167,27 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if (ctx->chain != NULL) {
|
||||
+ /*
|
||||
+ * This X509_STORE_CTX has already been used to verify a cert. We
|
||||
+ * cannot do another one.
|
||||
+ */
|
||||
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
cb=ctx->verify_cb;
|
||||
|
||||
/* first we make sure the chain we are going to build is
|
||||
* present and that the first entry is in place */
|
||||
- if (ctx->chain == NULL)
|
||||
+ if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
|
||||
+ (!sk_X509_push(ctx->chain,ctx->cert)))
|
||||
{
|
||||
- if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
|
||||
- (!sk_X509_push(ctx->chain,ctx->cert)))
|
||||
- {
|
||||
- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
|
||||
- goto end;
|
||||
- }
|
||||
- CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
|
||||
- ctx->last_untrusted=1;
|
||||
+ X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
|
||||
+ goto end;
|
||||
}
|
||||
+ CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
|
||||
+ ctx->last_untrusted=1;
|
||||
|
||||
/* We use a temporary STACK so we can chop and hack at it */
|
||||
if (ctx->untrusted != NULL
|
||||
@@ -247,10 +253,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||
break;
|
||||
}
|
||||
|
||||
|
|
@ -109,7 +146,7 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/
|
|||
/* Examine last certificate in chain and see if it
|
||||
* is self signed.
|
||||
*/
|
||||
@@ -294,6 +298,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||
@@ -294,6 +304,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||
chain_ss=sk_X509_pop(ctx->chain);
|
||||
ctx->last_untrusted--;
|
||||
num--;
|
||||
|
|
@ -117,7 +154,7 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/
|
|||
x=sk_X509_value(ctx->chain,num-1);
|
||||
}
|
||||
}
|
||||
@@ -322,7 +327,42 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||
@@ -322,7 +333,42 @@ int X509_verify_cert(X509_STORE_CTX *ctx
|
||||
num++;
|
||||
}
|
||||
|
||||
|
|
@ -128,7 +165,7 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/
|
|||
+ * if the user hasn't switched off alternate chain checking
|
||||
+ */
|
||||
+ retry = 0;
|
||||
+ if (j == ctx->last_untrusted &&
|
||||
+ if (num == ctx->last_untrusted &&
|
||||
+ !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
|
||||
+ while (j-- > 1) {
|
||||
+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
|
||||
|
|
@ -150,8 +187,8 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/
|
|||
+ xtmp = sk_X509_pop(ctx->chain);
|
||||
+ X509_free(xtmp);
|
||||
+ num--;
|
||||
+ ctx->last_untrusted--;
|
||||
+ }
|
||||
+ ctx->last_untrusted = j;
|
||||
+ retry = 1;
|
||||
+ break;
|
||||
+ }
|
||||
|
|
@ -162,8 +199,8 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.c.alt-chains openssl-1.0.1k/crypto/
|
|||
/* Is last certificate looked up self signed? */
|
||||
if (!ctx->check_issued(ctx,x,x))
|
||||
diff -up openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.1k/crypto/x509/x509_vfy.h
|
||||
--- openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/crypto/x509/x509_vfy.h 2015-04-30 14:16:56.818672373 +0200
|
||||
--- openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains 2015-07-09 14:58:55.951753722 +0200
|
||||
+++ openssl-1.0.1k/crypto/x509/x509_vfy.h 2015-07-09 14:58:55.972754221 +0200
|
||||
@@ -391,7 +391,12 @@ void X509_STORE_CTX_set_depth(X509_STORE
|
||||
#define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
|
||||
/* Use trusted store first */
|
||||
|
|
@ -179,8 +216,8 @@ diff -up openssl-1.0.1k/crypto/x509/x509_vfy.h.alt-chains openssl-1.0.1k/crypto/
|
|||
#define X509_VP_FLAG_DEFAULT 0x1
|
||||
#define X509_VP_FLAG_OVERWRITE 0x2
|
||||
diff -up openssl-1.0.1k/doc/apps/cms.pod.alt-chains openssl-1.0.1k/doc/apps/cms.pod
|
||||
--- openssl-1.0.1k/doc/apps/cms.pod.alt-chains 2015-04-30 14:32:50.736518235 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/cms.pod 2015-04-30 14:36:11.989116293 +0200
|
||||
--- openssl-1.0.1k/doc/apps/cms.pod.alt-chains 2015-07-09 14:58:55.951753722 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/cms.pod 2015-07-09 14:58:55.972754221 +0200
|
||||
@@ -35,6 +35,7 @@ B<openssl> B<cms>
|
||||
[B<-print>]
|
||||
[B<-CAfile file>]
|
||||
|
|
@ -199,8 +236,8 @@ diff -up openssl-1.0.1k/doc/apps/cms.pod.alt-chains openssl-1.0.1k/doc/apps/cms.
|
|||
Set various certificate chain valiadition option. See the
|
||||
L<B<verify>|verify(1)> manual page for details.
|
||||
diff -up openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains openssl-1.0.1k/doc/apps/ocsp.pod
|
||||
--- openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/ocsp.pod 2015-04-30 14:34:40.398023692 +0200
|
||||
--- openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains 2015-07-09 14:58:55.951753722 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/ocsp.pod 2015-07-09 14:58:55.973754245 +0200
|
||||
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
|
||||
[B<-path>]
|
||||
[B<-CApath dir>]
|
||||
|
|
@ -221,8 +258,8 @@ diff -up openssl-1.0.1k/doc/apps/ocsp.pod.alt-chains openssl-1.0.1k/doc/apps/ocs
|
|||
|
||||
Use certificates in CA file or CA directory over certificates provided
|
||||
diff -up openssl-1.0.1k/doc/apps/s_client.pod.alt-chains openssl-1.0.1k/doc/apps/s_client.pod
|
||||
--- openssl-1.0.1k/doc/apps/s_client.pod.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/s_client.pod 2015-04-30 14:35:23.284003518 +0200
|
||||
--- openssl-1.0.1k/doc/apps/s_client.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/s_client.pod 2015-07-09 14:58:55.973754245 +0200
|
||||
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
|
||||
[B<-pass arg>]
|
||||
[B<-CApath directory>]
|
||||
|
|
@ -241,8 +278,8 @@ diff -up openssl-1.0.1k/doc/apps/s_client.pod.alt-chains openssl-1.0.1k/doc/apps
|
|||
Set various certificate chain valiadition option. See the
|
||||
L<B<verify>|verify(1)> manual page for details.
|
||||
diff -up openssl-1.0.1k/doc/apps/smime.pod.alt-chains openssl-1.0.1k/doc/apps/smime.pod
|
||||
--- openssl-1.0.1k/doc/apps/smime.pod.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/smime.pod 2015-04-30 14:37:58.832557366 +0200
|
||||
--- openssl-1.0.1k/doc/apps/smime.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/smime.pod 2015-07-09 14:58:55.973754245 +0200
|
||||
@@ -17,6 +17,7 @@ B<openssl> B<smime>
|
||||
[B<-in file>]
|
||||
[B<-CAfile file>]
|
||||
|
|
@ -261,8 +298,8 @@ diff -up openssl-1.0.1k/doc/apps/smime.pod.alt-chains openssl-1.0.1k/doc/apps/sm
|
|||
Set various options of certificate chain verification. See
|
||||
L<B<verify>|verify(1)> manual page for details.
|
||||
diff -up openssl-1.0.1k/doc/apps/s_server.pod.alt-chains openssl-1.0.1k/doc/apps/s_server.pod
|
||||
--- openssl-1.0.1k/doc/apps/s_server.pod.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/s_server.pod 2015-04-30 14:37:02.850278328 +0200
|
||||
--- openssl-1.0.1k/doc/apps/s_server.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/s_server.pod 2015-07-09 14:58:55.973754245 +0200
|
||||
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
|
||||
[B<-state>]
|
||||
[B<-CApath directory>]
|
||||
|
|
@ -283,8 +320,8 @@ diff -up openssl-1.0.1k/doc/apps/s_server.pod.alt-chains openssl-1.0.1k/doc/apps
|
|||
|
||||
Use certificates in CA file or CA directory before other certificates
|
||||
diff -up openssl-1.0.1k/doc/apps/verify.pod.alt-chains openssl-1.0.1k/doc/apps/verify.pod
|
||||
--- openssl-1.0.1k/doc/apps/verify.pod.alt-chains 2015-04-30 14:14:40.000000000 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/verify.pod 2015-04-30 14:38:32.853334645 +0200
|
||||
--- openssl-1.0.1k/doc/apps/verify.pod.alt-chains 2015-07-09 14:58:55.952753746 +0200
|
||||
+++ openssl-1.0.1k/doc/apps/verify.pod 2015-07-09 14:58:55.973754245 +0200
|
||||
@@ -23,6 +23,7 @@ B<openssl> B<verify>
|
||||
[B<-extended_crl>]
|
||||
[B<-use_deltas>]
|
||||
|
|
@ -308,9 +345,45 @@ diff -up openssl-1.0.1k/doc/apps/verify.pod.alt-chains openssl-1.0.1k/doc/apps/v
|
|||
=item B<-policy_print>
|
||||
|
||||
Print out diagnostics related to policy processing.
|
||||
diff -up openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod
|
||||
--- openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod.alt-chains 2014-10-15 15:49:15.000000000 +0200
|
||||
+++ openssl-1.0.1k/doc/crypto/X509_STORE_CTX_new.pod 2015-07-09 15:29:16.461174414 +0200
|
||||
@@ -39,10 +39,15 @@ X509_STORE_CTX_free() completely frees u
|
||||
is no longer valid.
|
||||
|
||||
X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
|
||||
-The trusted certificate store is set to B<store>, the end entity certificate
|
||||
-to be verified is set to B<x509> and a set of additional certificates (which
|
||||
-will be untrusted but may be used to build the chain) in B<chain>. Any or
|
||||
-all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>.
|
||||
+It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
|
||||
+good for one call to X509_verify_cert(); if you want to verify a second
|
||||
+certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
|
||||
+and then X509_STORE_CTX_init() again before the second call to
|
||||
+X509_verify_cert(). The trusted certificate store is set to B<store>, the end
|
||||
+entity certificate to be verified is set to B<x509> and a set of additional
|
||||
+certificates (which will be untrusted but may be used to build the chain) in
|
||||
+B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
|
||||
+B<NULL>.
|
||||
|
||||
X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
|
||||
to B<sk>. This is an alternative way of specifying trusted certificates
|
||||
diff -up openssl-1.0.1k/doc/crypto/X509_verify_cert.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_verify_cert.pod
|
||||
--- openssl-1.0.1k/doc/crypto/X509_verify_cert.pod.alt-chains 2014-10-15 15:49:15.000000000 +0200
|
||||
+++ openssl-1.0.1k/doc/crypto/X509_verify_cert.pod 2015-07-09 15:29:16.461174414 +0200
|
||||
@@ -32,7 +32,8 @@ OpenSSL internally for certificate valid
|
||||
SSL/TLS code.
|
||||
|
||||
The negative return value from X509_verify_cert() can only occur if no
|
||||
-certificate is set in B<ctx> (due to a programming error) or if a retry
|
||||
+certificate is set in B<ctx> (due to a programming error); if X509_verify_cert()
|
||||
+twice without reinitialising B<ctx> in between; or if a retry
|
||||
operation is requested during internal lookups (which never happens with
|
||||
standard lookup methods). It is however recommended that application check
|
||||
for <= 0 return value on error.
|
||||
diff -up openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
|
||||
--- openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2014-10-15 14:51:06.000000000 +0200
|
||||
+++ openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-04-30 14:39:34.951753420 +0200
|
||||
--- openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod.alt-chains 2015-01-08 15:00:36.000000000 +0100
|
||||
+++ openssl-1.0.1k/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2015-07-09 14:58:55.973754245 +0200
|
||||
@@ -133,6 +133,12 @@ verification. If this flag is set then a
|
||||
to the verification callback and it B<must> be prepared to handle such cases
|
||||
without assuming they are hard errors.
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@
|
|||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 1.0.1k
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
|
|
@ -504,6 +504,9 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
|
|||
%postun libs -p /sbin/ldconfig
|
||||
|
||||
%changelog
|
||||
* Thu Jul 9 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-11
|
||||
- fix CVE-2015-1793 - certificate verification forgery
|
||||
|
||||
* Mon Jun 15 2015 Tomáš Mráz <tmraz@redhat.com> 1.0.1k-10
|
||||
- fix CVE-2015-1789 - out-of-bounds read in X509_cmp_time
|
||||
- fix CVE-2015-1790 - PKCS7 crash with missing EncryptedContent
|
||||
|
|
|
|||
Loading…
Reference in New Issue