From 6ee6370e1d82fee4f4330cbd723938800c487cd0 Mon Sep 17 00:00:00 2001
From: David Abdurachmanov
Date: Fri, 18 Dec 2015 19:07:50 +0100
Subject: [PATCH] openssl,openssl-bootstrap: keep only 1.0.2d; fix CA bundle

Use 1.0.2d even for SLC6. In newer glibc versions __secure_getenv was renamed to secure_getenv, thus we just rename it back on SLC6. Include a fix for PR3979. Set /etc/pki/tls as openssldir, but make sure that installation step does not touch the directory. This solves the problem where das_client.py was not able to verify cmsweb certificate.
(cherry picked from commit 535fb83bf89d5fc4a8b8db1c9437952232f17906, but openssl-bootstrap.spec was kept unmodified)
Signed-off-by: David Abdurachmanov
---
 ...sl-1.0.2d-disable-install-openssldir.patch | 38 ++++++++++++++++
 openssl-1.0.2d-pr3979.patch | 44 +++++++++++++++++++
 openssl.spec | 28 +++++++-----
 3 files changed, 99 insertions(+), 11 deletions(-)
 create mode 100644 openssl-1.0.2d-disable-install-openssldir.patch
 create mode 100644 openssl-1.0.2d-pr3979.patch

diff --git a/openssl-1.0.2d-disable-install-openssldir.patch b/openssl-1.0.2d-disable-install-openssldir.patch
new file mode 100644
index 00000000000..28a98e5e0c0
--- /dev/null
+++ b/openssl-1.0.2d-disable-install-openssldir.patch
@@ -0,0 +1,38 @@
+diff --git a/apps/Makefile b/apps/Makefile
+index cafe554..547fc41 100644
+--- a/apps/Makefile
++++ b/apps/Makefile
+@@ -109,16 +109,6 @@ install:
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+ done;
+- @set -e; for i in $(SCRIPTS); \
+- do \
+- (echo installing $$i; \
+- cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+- chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+- mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+- done
+- @cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+- chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+- mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+
+ tags:
+ ctags $(SRC)
+diff --git a/tools/Makefile b/tools/Makefile
+index c1a2f6b..6e7c104 100644
+--- a/tools/Makefile
++++ b/tools/Makefile
+@@ -26,12 +26,6 @@ install:
+ chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+ mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+ done;
+- @for i in $(MISC_APPS) ; \
+- do \
+- (cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+- chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+- mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+- done;
+
+ files:
+ $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
diff --git a/openssl-1.0.2d-pr3979.patch b/openssl-1.0.2d-pr3979.patch
new file mode 100644
index 00000000000..7c313645157
--- /dev/null
+++ b/openssl-1.0.2d-pr3979.patch
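Review bot: The new patch file carries no header saying what it strips or why, so the next OpenSSL bump has nothing to tell it whether the patch is still needed; prepend a short description before the first `diff --git`, e.g. `Do not install openssl.cnf or the misc/ scripts into $(OPENSSLDIR): the spec points openssldir at the host's /etc/pki/tls so the system CA bundle is used, and the package must not write there.` Dropping the openssl.cnf copy also means the built `openssl` tools read whatever openssl.cnf the host has under that directory, or none, so `openssl req`/`ca` defaults now depend on the host rather than on the tree. If the top-level Makefile.org install_sw target still creates $(OPENSSLDIR)/certs, /private and /misc with mkdir-p (not touched by this patch), the install step may still create those directories under the build root, which seems to be what the commit message wants to avoid — worth confirming.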
@@ -0,0 +1,44 @@
+diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
+index 36b0d87..845be67 100644
+--- a/crypto/x509v3/v3_purp.c
++++ b/crypto/x509v3/v3_purp.c
+@@ -380,6 +380,14 @@ static void setup_crldp(X509 *x)
+ setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
+ }
+
++#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
++#define ku_reject(x, usage) \
++ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
++#define xku_reject(x, usage) \
++ (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
++#define ns_reject(x, usage) \
++ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
++
+ static void x509v3_cache_extensions(X509 *x)
+ {
+ BASIC_CONSTRAINTS *bs;
+@@ -499,7 +507,8 @@ static void x509v3_cache_extensions(X509 *x)
+ if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
+ x->ex_flags |= EXFLAG_SI;
+ /* If SKID matches AKID also indicate self signed */
+- if (X509_check_akid(x, x->akid) == X509_V_OK)
++ if (X509_check_akid(x, x->akid) == X509_V_OK &&
++ !ku_reject(x, KU_KEY_CERT_SIGN))
+ x->ex_flags |= EXFLAG_SS;
+ }
+ x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
+@@ -538,14 +547,6 @@ static void x509v3_cache_extensions(X509 *x)
+ * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
+ */
+
+-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+-#define ku_reject(x, usage) \
+- (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+-#define xku_reject(x, usage) \
+- (((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+-#define ns_reject(x, usage) \
+- (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+-
+ static int check_ca(const X509 *x)
+ {
+ /* keyUsage if present should allow cert signing */
diff --git a/openssl.spec b/openssl.spec
index 009f6ecef83..a683fc8a29a 100644
--- a/openssl.spec
+++ b/openssl.spec
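Review bot: The backported fix has no provenance line and the spec only links the RT ticket, so the upstream commit it was taken from and the first 1.0.2 release that contains it should be recorded at the top of the patch file, e.g. `Backport of the upstream fix for RT#3979 (EXFLAG_SS only when keyUsage permits keyCertSign); drop once the bundled OpenSSL contains it.` The behavioural change is narrow: `EXFLAG_SS` is now withheld when a keyUsage extension is present without keyCertSign, while `EXFLAG_SI` is still set, so such a certificate is treated as self-issued but no longer as a self-signed trust anchor — presumably the cross-signed case behind the cmsweb verification failure named in the commit message, but that is inferred. Moving the `ku_reject` family above `x509v3_cache_extensions` only makes the macro visible at the new use; the third hunk removes the identical original text, so no duplicate definition remains.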
@@ -1,21 +1,27 @@
-### RPM external openssl 1.0.1e_1.0.2d
-%define generic_version 1.0.2d
-%define slc6_version 1.0.1e
+### RPM external openssl 1.0.2d
 Source0: http://davidlt.web.cern.ch/davidlt/vault/openssl-1.0.2d-5675d07a144aa1a6c85f488a95aeea7854e86059.tar.bz2
-Source1: http://davidlt.web.cern.ch/davidlt/vault/openssl-1.0.1e-42.el6.src.tar.bz2
-%define isslc6 %(case %{cmsplatf} in (slc6*) echo 1 ;; (*) echo 0 ;; esac)
+# https://rt.openssl.org/Ticket/Display.html?id=3979&user=guest&pass=guest
+Patch0: openssl-1.0.2d-pr3979
+# We want to pick CA certificates from /etc/pki/tls (openssldir), but we
+# cannot install to a standard system location
+Patch1: openssl-1.0.2d-disable-install-openssldir
 %prep
-%if %isslc6
-%setup -b 1 -n openssl-%{slc6_version}
-%else
-%setup -b 0 -n openssl-%{generic_version}
-%endif
+%setup -b 0 -n openssl-%{realversion}
+%patch0 -p1
+%patch1 -p1
 # Disable documenation
 sed -ibak 's/install: all install_docs install_sw/install: all install_sw/g' Makefile.org Makefile
+case "%{cmsplatf}" in
+ slc6*)
+ # https://sourceware.org/glibc/wiki/Tips_and_Tricks/secure_getenv
+ grep -H -R 'secure_getenv(' * | cut -d':' -f1 | sort -u | xargs -t -n 1 sed -ibak 's;secure_getenv;__secure_getenv;g'
+ ;;
+esac
+
 %build
 case "%{cmsplatf}" in
@@ -42,7 +48,7 @@ case "%{cmsplatf}" in
 cfg_args="-DOPENSSL_USE_NEW_FUNCTIONS"
 ;;
 *)
- cfg_args="--with-krb5-flavor=MIT --with-krb5-dir=/usr enable-krb5 no-zlib --openssldir=%{_sysconfdir}/pki/tls fips no-ec2m no-gost no-srp"
+ cfg_args="--with-krb5-flavor=MIT --with-krb5-dir=/usr enable-krb5 no-zlib --openssldir=/etc/pki/tls fips no-ec2m no-gost no-srp"
 ;;
 esac
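Review bot: The slc6 rename pipeline added to %prep breaks the build when nothing matches: if `grep` selects no file, GNU `xargs` without `-r` still runs `sed -ibak ...` once with no operands, GNU sed refuses in-place editing with no input file, and that non-zero exit is fatal under the -e shell rpm uses for scriptlets; change the line to `grep -H -R 'secure_getenv(' * | cut -d':' -f1 | sort -u | xargs -r -t -n 1 sed -ibak 's;\bsecure_getenv\b;__secure_getenv;g'` so an already-renamed tree is a no-op and the word boundary keeps any pre-existing `__secure_getenv` from becoming `____secure_getenv`. Separately, `Patch0: openssl-1.0.2d-pr3979` and `Patch1: openssl-1.0.2d-disable-install-openssldir` omit the `.patch` suffix of the two files this commit creates; if the build tooling does not append it before `%patch0 -p1`, the names need the suffix — confirm against how the other specs in the tree reference their patches.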
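Review bot: `--openssldir=/etc/pki/tls` is now a literal in the `*)` default branch of the %build case, so every platform that does not match the branch above the hunk reads its trust store and openssl.cnf from a Red Hat-style path; on a host laid out like Debian (/etc/ssl) the library would find no CA bundle and certificate verification fails for lack of a trusted issuer. If only the slc/cc platforms ever reach this branch that is acceptable, but the assumption should sit next to the line, e.g. `# openssldir is the host trust store (RHEL layout); the package installs nothing there, see Patch1`. Replacing `%{_sysconfdir}` with the absolute path also drops any dependence on the package prefix for the trust store, which reads as intended given the commit message but deserves the same comment.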