Fix regression in X509_verify_cert() #bz1916594

Signed-off-by: Sahana Prasad <sahana@redhat.com>

openssl-1.1.1-verify-cert.patch

@@ -0,0 +1,113 @@
+diff -up openssl-1.1.1i/crypto/x509/x509_vfy.c.verify-cert openssl-1.1.1i/crypto/x509/x509_vfy.c
+--- openssl-1.1.1i/crypto/x509/x509_vfy.c.verify-cert	2021-01-20 17:24:53.100175663 +0100
++++ openssl-1.1.1i/crypto/x509/x509_vfy.c	2021-01-20 17:24:53.156176315 +0100
+@@ -323,9 +323,10 @@ static int sk_X509_contains(STACK_OF(X50
+ }
+ 
+ /*
+- * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x.
+- * The issuer must not be the same as x and must not yet be in ctx->chain, where the
+- * exceptional case x is self-issued and ctx->chain has just one element is allowed.
++ * Find in given STACK_OF(X509) sk an issuer cert of given cert x.
++ * The issuer must not yet be in ctx->chain, where the exceptional case
++ * that x is self-issued and ctx->chain has just one element is allowed.
++ * Prefer the first one that is not expired, else take the last expired one.
+  */
+ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
+ {
+@@ -338,7 +339,7 @@ static X509 *find_issuer(X509_STORE_CTX
+          * Below check 'issuer != x' is an optimization and safety precaution:
+          * Candidate issuer cert cannot be the same as the subject cert 'x'.
+          */
+-        if (issuer != x && ctx->check_issued(ctx, x, issuer)
++        if (ctx->check_issued(ctx, x, issuer)
+             && (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
+                 || !sk_X509_contains(ctx->chain, issuer))) {
+             rv = issuer;
+ 
+diff -up openssl-1.1.1i/test/recipes/70-test_verify_extra.t.verify-cert openssl-1.1.1i/test/recipes/70-test_verify_extra.t
+--- openssl-1.1.1i/test/recipes/70-test_verify_extra.t.verify-cert	2020-12-08 14:20:59.000000000 +0100
++++ openssl-1.1.1i/test/recipes/70-test_verify_extra.t	2021-01-20 17:24:53.156176315 +0100
+@@ -16,4 +16,5 @@ plan tests => 1;
+ ok(run(test(["verify_extra_test",
+              srctop_file("test", "certs", "roots.pem"),
+              srctop_file("test", "certs", "untrusted.pem"),
+-             srctop_file("test", "certs", "bad.pem")])));
++             srctop_file("test", "certs", "bad.pem"),
++             srctop_file("test", "certs", "rootCA.pem")])));
+diff -up openssl-1.1.1i/test/verify_extra_test.c.verify-cert openssl-1.1.1i/test/verify_extra_test.c
+--- openssl-1.1.1i/test/verify_extra_test.c.verify-cert	2020-12-08 14:20:59.000000000 +0100
++++ openssl-1.1.1i/test/verify_extra_test.c	2021-01-20 17:24:53.156176315 +0100
+@@ -18,6 +18,21 @@
+ static const char *roots_f;
+ static const char *untrusted_f;
+ static const char *bad_f;
++static const char *good_f;
++
++static X509 *load_cert_pem(const char *file)
++{
++    X509 *cert = NULL;
++    BIO *bio = NULL;
++
++    if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
++        return NULL;
++    if (TEST_int_gt(BIO_read_filename(bio, file), 0))
++        (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL));
++
++    BIO_free(bio);
++    return cert;
++}
+ 
+ static STACK_OF(X509) *load_certs_from_file(const char *filename)
+ {
+@@ -175,16 +190,48 @@ static int test_store_ctx(void)
+     return testresult;
+ }
+ 
++static int test_self_signed(const char *filename, int expected)
++{
++    X509 *cert = load_cert_pem(filename);
++    STACK_OF(X509) *trusted = sk_X509_new_null();
++    X509_STORE_CTX *ctx = X509_STORE_CTX_new();
++    int ret;
++
++    ret = TEST_ptr(cert)
++        && TEST_true(sk_X509_push(trusted, cert))
++        && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL));
++    X509_STORE_CTX_trusted_stack(ctx, trusted);
++    ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected);
++
++    X509_STORE_CTX_free(ctx);
++    sk_X509_free(trusted);
++    X509_free(cert);
++    return ret;
++}
++
++static int test_self_signed_good(void)
++{
++    return test_self_signed(good_f, 1);
++}
++
++static int test_self_signed_bad(void)
++{
++    return test_self_signed(bad_f, 0);
++}
++
+ int setup_tests(void)
+ {
+     if (!TEST_ptr(roots_f = test_get_argument(0))
+             || !TEST_ptr(untrusted_f = test_get_argument(1))
+-            || !TEST_ptr(bad_f = test_get_argument(2))) {
+-        TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem\n");
++            || !TEST_ptr(bad_f = test_get_argument(2))
++            || !TEST_ptr(good_f = test_get_argument(3))) {
++        TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem good.pem\n");
+         return 0;
+     }
+ 
+     ADD_TEST(test_alt_chains_cert_forgery);
+     ADD_TEST(test_store_ctx);
++    ADD_TEST(test_self_signed_good);
++    ADD_TEST(test_self_signed_bad);
+     return 1;
+ }

openssl.spec

@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1i
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -44,6 +44,9 @@ Patch3: openssl-1.1.1-no-html.patch
 Patch4: openssl-1.1.1-man-rename.patch
 # Bug fixes
 Patch21: openssl-1.1.0-issuer-hash.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1916594
+Patch71: openssl-1.1.1-verify-cert.patch
+
 # Functionality changes
 Patch31: openssl-1.1.1-conf-paths.patch
 Patch32: openssl-1.1.1-version-add-engines.patch
@@ -186,6 +189,7 @@ cp %{SOURCE13} test/
 %patch67 -p1 -b .kdf-selftest
 %patch69 -p1 -b .alpn-cb
 %patch70 -p1 -b .rewire-fips-drbg
+%patch71 -p1 -b .verify-cert
 
 
 %build
@@ -474,6 +478,9 @@ export LD_LIBRARY_PATH
 %ldconfig_scriptlets libs
 
 %changelog
+* Wed Feb 10 2021 Sahana Prasad <sahana@redhat.com> - 1:1.1.1i-3
+- Fix regression in X509_verify_cert() (bz1916594)
+
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.1.1i-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild