
openssl,openssl-bootstrap: keep only 1.0.2d; fix CA bundle
Use 1.0.2d even for SLC6. Newer glibc versions renamed __secure_getenv to
secure_getenv; the glibc on SLC6 only provides the old name, so on SLC6 we
rename it back in the sources during %prep.

Include a fix for PR3979.

Set /etc/pki/tls as openssldir, but make sure that installation step
does not touch the directory. This solves the problem where das_client.py
was not able to verify cmsweb certificate.

(cherry picked from commit 535fb83, but
openssl-bootstrap.spec was kept unmodified)

Signed-off-by: David Abdurachmanov <David.Abdurachmanov@cern.ch>
David Abdurachmanov authored and David Abdurachmanov committed Feb 2, 2016
1 parent 006009d commit 6ee6370
Showing 3 changed files with 99 additions and 11 deletions.
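--- /dev/null
+++ b/openssl-1.0.2d-disable-install-openssldir.patch
@@ -0,0 +1,38 @@
+diff --git a/apps/Makefile b/apps/Makefile
+index cafe554..547fc41 100644
+--- a/apps/Makefile
++++ b/apps/Makefile
+@@ -109,16 +109,6 @@ install:
+chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+done;
+- @set -e; for i in $(SCRIPTS); \
+- do \
+- (echo installing $$i; \
+- cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+- chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+- mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+- done
+- @cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+- chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+- mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+
+tags:
+ctags $(SRC)
+diff --git a/tools/Makefile b/tools/Makefile
+index c1a2f6b..6e7c104 100644
+--- a/tools/Makefile
++++ b/tools/Makefile
+@@ -26,12 +26,6 @@ install:
+chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+done;
+- @for i in $(MISC_APPS) ; \
+- do \
+- (cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+- chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+- mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+- done;
+
+files:
+$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO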
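Review bot: The new patch file has no header saying why the `$(SCRIPTS)`, `$(MISC_APPS)` and `openssl.cnf` install steps are dropped, which whoever rebases it onto a newer 1.0.2 tarball will need to know; I would open the file with `# openssldir is /etc/pki/tls, the host's system directory: never write there at install time. openssl.cnf, the CA.* scripts and c_rehash are expected to come from the OS.` (patch(1) ignores text before the first diff header). The consequence worth stating is that the built libcrypto and `openssl` now depend at runtime on the host providing /etc/pki/tls/openssl.cnf and its CA bundle, and, if `$(MISC_APPS)` still expands to `c_rehash` as in upstream 1.0.2, that tool is no longer shipped by this package at all. Both hunks sit inside the `install:` recipes of apps/Makefile and tools/Makefile, whose start lies outside the hunk.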
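--- /dev/null
+++ b/openssl-1.0.2d-pr3979.patch
@@ -0,0 +1,44 @@
+diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
+index 36b0d87..845be67 100644
+--- a/crypto/x509v3/v3_purp.c
++++ b/crypto/x509v3/v3_purp.c
+@@ -380,6 +380,14 @@ static void setup_crldp(X509 *x)
+setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
+}
+
++#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
++#define ku_reject(x, usage) \
++ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
++#define xku_reject(x, usage) \
++ (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
++#define ns_reject(x, usage) \
++ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
++
+static void x509v3_cache_extensions(X509 *x)
+{
+BASIC_CONSTRAINTS *bs;
+@@ -499,7 +507,8 @@ static void x509v3_cache_extensions(X509 *x)
+if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
+x->ex_flags |= EXFLAG_SI;
+/* If SKID matches AKID also indicate self signed */
+- if (X509_check_akid(x, x->akid) == X509_V_OK)
++ if (X509_check_akid(x, x->akid) == X509_V_OK &&
++ !ku_reject(x, KU_KEY_CERT_SIGN))
+x->ex_flags |= EXFLAG_SS;
+}
+x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
+@@ -538,14 +547,6 @@ static void x509v3_cache_extensions(X509 *x)
+ * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
+ */
+
+-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+-#define ku_reject(x, usage) \
+- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+-#define xku_reject(x, usage) \
+- (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+-#define ns_reject(x, usage) \
+- (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+-
+static int check_ca(const X509 *x)
+{
+/* keyUsage if present should allow cert signing */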
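Review bot: The backported patch carries no provenance, so a later bump to a base tarball that already contains the RT 3979 fix cannot tell whether this file should be dropped; I would start it with a comment such as `Backport of the upstream fix for https://rt.openssl.org/Ticket/Display.html?id=3979: a self-issued certificate whose keyUsage lacks keyCertSign must not be flagged EXFLAG_SS. Drop once the base tarball includes it.` naming the upstream commit it was taken from if known. The code change itself is consistent as far as the hunks show: hoisting the `ku_reject` family above `x509v3_cache_extensions` is what makes the new `!ku_reject(x, KU_KEY_CERT_SIGN)` test compile, and removing the macros from their old position avoids defining them twice. Reviewers should be aware this is a verification-behaviour change, not only a crash fix: a self-issued certificate without keyCertSign is no longer treated as self-signed, so it will no longer terminate chain building as a root, and any such certificate currently relied on in a trust store will start to fail. `x509v3_cache_extensions` begins and ends outside the hunks.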
28 changes: 17 additions & 11 deletions openssl.spec
@@ -1,21 +1,27 @@
### RPM external openssl 1.0.1e_1.0.2d
%define generic_version 1.0.2d
%define slc6_version 1.0.1e
### RPM external openssl 1.0.2d
Source0: http://davidlt.web.cern.ch/davidlt/vault/openssl-1.0.2d-5675d07a144aa1a6c85f488a95aeea7854e86059.tar.bz2
Source1: http://davidlt.web.cern.ch/davidlt/vault/openssl-1.0.1e-42.el6.src.tar.bz2

%define isslc6 %(case %{cmsplatf} in (slc6*) echo 1 ;; (*) echo 0 ;; esac)
# https://rt.openssl.org/Ticket/Display.html?id=3979&user=guest&pass=guest
Patch0: openssl-1.0.2d-pr3979
# We want to pick CA certificates from /etc/pki/tls (openssldir), but we
# cannot install to a standard system location
Patch1: openssl-1.0.2d-disable-install-openssldir

%prep
%if %isslc6
%setup -b 1 -n openssl-%{slc6_version}
%else
%setup -b 0 -n openssl-%{generic_version}
%endif
%setup -b 0 -n openssl-%{realversion}
%patch0 -p1
%patch1 -p1

# Disable documenation
sed -ibak 's/install: all install_docs install_sw/install: all install_sw/g' Makefile.org Makefile

case "%{cmsplatf}" in
slc6*)
# https://sourceware.org/glibc/wiki/Tips_and_Tricks/secure_getenv
grep -H -R 'secure_getenv(' * | cut -d':' -f1 | sort -u | xargs -t -n 1 sed -ibak 's;secure_getenv;__secure_getenv;g'
;;
esac

%build

case "%{cmsplatf}" in
Expand All @@ -42,7 +48,7 @@ case "%{cmsplatf}" in
cfg_args="-DOPENSSL_USE_NEW_FUNCTIONS"
;;
*)
cfg_args="--with-krb5-flavor=MIT --with-krb5-dir=/usr enable-krb5 no-zlib --openssldir=%{_sysconfdir}/pki/tls fips no-ec2m no-gost no-srp"
cfg_args="--with-krb5-flavor=MIT --with-krb5-dir=/usr enable-krb5 no-zlib --openssldir=/etc/pki/tls fips no-ec2m no-gost no-srp"
;;
esac

