File openssl-1.0.1i-alt-chains.patch of Package compat-openssl098.14113

Index: openssl-0.9.8j/apps/apps.c
===================================================================
--- openssl-0.9.8j.orig/apps/apps.c	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/apps/apps.c	2017-11-06 15:14:21.528783173 +0100
@@ -2261,6 +2261,8 @@ int args_verify(char ***pargs, int *parg
 		flags |= X509_V_FLAG_X509_STRICT;
 	else if (!strcmp(arg, "-policy_print"))
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
+	else if (!strcmp(arg, "-no_alt_chains"))
+		flags |= X509_V_FLAG_NO_ALT_CHAINS;
 	else if (!strcmp(arg, "-trusted_first"))
 		flags |= X509_V_FLAG_TRUSTED_FIRST;
 	else
Index: openssl-0.9.8j/apps/cms.c
===================================================================
--- openssl-0.9.8j.orig/apps/cms.c	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/apps/cms.c	2017-11-06 15:14:21.528783173 +0100
@@ -627,6 +627,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
+		BIO_printf (bio_err, "-no_alt_chains only ever use the first certificate chain found\n");
 		BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
Index: openssl-0.9.8j/apps/ocsp.c
===================================================================
--- openssl-0.9.8j.orig/apps/ocsp.c	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/apps/ocsp.c	2017-11-06 15:14:21.528783173 +0100
@@ -549,6 +549,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-path              path to use in OCSP request\n");
 		BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
+		BIO_printf (bio_err, "-no_alt_chains     only ever use the first certificate chain found\n");
 		BIO_printf (bio_err, "-trusted_first     use trusted certificates first when building the trust chain\n");
 		BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
 		BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
Index: openssl-0.9.8j/apps/s_client.c
===================================================================
--- openssl-0.9.8j.orig/apps/s_client.c	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/apps/s_client.c	2017-11-06 15:14:21.528783173 +0100
@@ -205,6 +205,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
+	BIO_printf(bio_err," -no_alt_chains - only ever use the first certificate chain found\n");
 	BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
Index: openssl-0.9.8j/apps/smime.c
===================================================================
--- openssl-0.9.8j.orig/apps/smime.c	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/apps/smime.c	2017-11-06 15:14:21.528783173 +0100
@@ -466,6 +466,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
+		BIO_printf (bio_err, "-no_alt_chains only ever use the first certificate chain found\n");
 		BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
Index: openssl-0.9.8j/apps/s_server.c
===================================================================
--- openssl-0.9.8j.orig/apps/s_server.c	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/apps/s_server.c	2017-11-06 15:14:21.528783173 +0100
@@ -383,6 +383,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -state        - Print the SSL states\n");
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
+	BIO_printf(bio_err," -no_alt_chains - only ever use the first certificate chain found\n");
 	BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
 	BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
 	BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
Index: openssl-0.9.8j/apps/verify.c
===================================================================
--- openssl-0.9.8j.orig/apps/verify.c	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/apps/verify.c	2017-11-06 15:14:21.528783173 +0100
@@ -216,6 +216,7 @@ int MAIN(int argc, char **argv)
 end:
 	if (ret == 1) {
 		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
+		BIO_printf(bio_err," [-no_alt_chains]");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," [-engine e]");
 #endif
Index: openssl-0.9.8j/crypto/x509/x509_vfy.c
===================================================================
--- openssl-0.9.8j.orig/crypto/x509/x509_vfy.c	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/crypto/x509/x509_vfy.c	2017-11-06 15:14:31.372945803 +0100
@@ -96,12 +96,12 @@ static int x509_subject_cmp(X509 **a, X5
 
 int X509_verify_cert(X509_STORE_CTX *ctx)
 	{
-	X509 *x,*xtmp,*chain_ss=NULL;
+	X509 *x,*xtmp,*xtmp2,*chain_ss=NULL;
 	X509_NAME *xn;
 	int bad_chain = 0;
 	X509_VERIFY_PARAM *param = ctx->param;
 	int depth,i,ok=0;
-	int num;
+	int num,j,retry;
 	int (*cb)(int xok,X509_STORE_CTX *xctx);
 	STACK_OF(X509) *sktmp=NULL;
 	if (ctx->cert == NULL)
@@ -110,21 +110,27 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		return -1;
 		}
 
+        if (ctx->chain != NULL) {
+            /*
+             * This X509_STORE_CTX has already been used to verify a cert. We
+             * cannot do another one.
+             */
+            X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+            return -1;
+        }
+ 
 	cb=ctx->verify_cb;
 
 	/* first we make sure the chain we are going to build is
 	 * present and that the first entry is in place */
-	if (ctx->chain == NULL)
+	if (	((ctx->chain=sk_X509_new_null()) == NULL) ||
+		(!sk_X509_push(ctx->chain,ctx->cert)))
 		{
-		if (	((ctx->chain=sk_X509_new_null()) == NULL) ||
-			(!sk_X509_push(ctx->chain,ctx->cert)))
-			{
-			X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
-			goto end;
-			}
-		CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
-		ctx->last_untrusted=1;
+		X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+		goto end;
 		}
+	CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
+	ctx->last_untrusted=1;
 
 	/* We use a temporary STACK so we can chop and hack at it */
 	if (ctx->untrusted != NULL
@@ -191,10 +197,14 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		break;
 		}
 
+	/* Remember how many untrusted certs we have */
+	j = num;
+
 	/* at this point, chain should contain a list of untrusted
 	 * certificates.  We now need to add at least one trusted one,
 	 * if possible, otherwise we complain. */
 
+	do {
 	/* Examine last certificate in chain and see if it
  	 * is self signed.
  	 */
@@ -239,6 +249,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 			chain_ss=sk_X509_pop(ctx->chain);
 			ctx->last_untrusted--;
 			num--;
+			j--;
 			x=sk_X509_value(ctx->chain,num-1);
 			}
 		}
@@ -268,8 +279,42 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 		num++;
 		}
 
-	/* we now have our chain, lets check it... */
-	xn=X509_get_issuer_name(x);
+        /*
+         * If we haven't got a least one certificate from our store then check
+         * if there is an alternative chain that could be used.  We only do this
+         * if the user hasn't switched off alternate chain checking
+         */
+        retry = 0;
+        if (num == ctx->last_untrusted &&
+            !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
+            while (j-- > 1) {
+                xtmp2 = sk_X509_value(ctx->chain, j - 1);
+                ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
+                if (ok < 0)
+                    goto end;
+                /* Check if we found an alternate chain */
+                if (ok > 0) {
+                    /*
+                     * Free up the found cert we'll add it again later
+                     */
+                    X509_free(xtmp);
+
+                    /*
+                     * Dump all the certs above this point - we've found an
+                     * alternate chain
+                     */
+                    while (num > j) {
+                        xtmp = sk_X509_pop(ctx->chain);
+                        X509_free(xtmp);
+                        num--;
+                    }
+                    ctx->last_untrusted = j;
+                    retry = 1;
+                    break;
+                }
+            }
+        }
+	} while (retry);
 
 	/* Is last certificate looked up self signed? */
 	if (!ctx->check_issued(ctx,x,x))
Index: openssl-0.9.8j/crypto/x509/x509_vfy.h
===================================================================
--- openssl-0.9.8j.orig/crypto/x509/x509_vfy.h	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/crypto/x509/x509_vfy.h	2017-11-06 15:14:21.528783173 +0100
@@ -365,6 +365,14 @@ void X509_STORE_CTX_set_depth(X509_STORE
 /* Use trusted store first */
 #define X509_V_FLAG_TRUSTED_FIRST		0x8000
 
+/*
+ * If the initial chain is not trusted, do not attempt to build an alternative
+ * chain. Alternate chain checking was introduced in 1.0.1n/1.0.2b. Setting
+ * this flag will force the behaviour to match that of previous versions.
+ */
+#define X509_V_FLAG_NO_ALT_CHAINS               0x100000
+ 
+
 #define X509_VP_FLAG_DEFAULT			0x1
 #define X509_VP_FLAG_OVERWRITE			0x2
 #define X509_VP_FLAG_RESET_FLAGS		0x4
Index: openssl-0.9.8j/doc/apps/ocsp.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/ocsp.pod	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/doc/apps/ocsp.pod	2017-11-06 15:14:21.528783173 +0100
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
 [B<-path>]
 [B<-CApath dir>]
 [B<-CAfile file>]
+[B<-no_alt_chains>]]
 [B<-trusted_first>]
 [B<-VAfile file>]
 [B<-validity_period n>]
@@ -138,6 +139,10 @@ or "/" by default.
 file or pathname containing trusted CA certificates. These are used to verify
 the signature on the OCSP response.
 
+=item B<-no_alt_chains>
+
+See L<B<verify>|verify(1)> manual page for details.
+
 =item B<-trusted_first>
 
 Use certificates in CA file or CA directory over certificates provided
Index: openssl-0.9.8j/doc/apps/s_client.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/s_client.pod	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/doc/apps/s_client.pod	2017-11-06 15:14:21.528783173 +0100
@@ -17,6 +17,7 @@ B<openssl> B<s_client>
 [B<-pass arg>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-no_alt_chains>]
 [B<-trusted_first>]
 [B<-reconnect>]
 [B<-pause>]
Index: openssl-0.9.8j/doc/apps/smime.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/smime.pod	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/doc/apps/smime.pod	2017-11-06 15:14:21.528783173 +0100
@@ -26,6 +26,7 @@ B<openssl> B<smime>
 [B<-in file>]
 [B<-CAfile file>]
 [B<-CApath dir>]
+[B<-no_alt_chains>]
 [B<-trusted_first>]
 [B<-certfile file>]
 [B<-signer file>]
Index: openssl-0.9.8j/doc/apps/s_server.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/s_server.pod	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/doc/apps/s_server.pod	2017-11-06 15:14:21.528783173 +0100
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
 [B<-state>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-no_alt_chains>]
 [B<-trusted_first>]
 [B<-nocert>]
 [B<-cipher cipherlist>]
@@ -164,6 +165,10 @@ and to use when attempting to build the
 is also used in the list of acceptable client CAs passed to the client when
 a certificate is requested.
 
+=item B<-no_alt_chains>
+
+See the L<B<verify>|verify(1)> manual page for details.
+
 =item B<-trusted_first>
 
 Use certificates in CA file or CA directory before other certificates 
Index: openssl-0.9.8j/doc/apps/verify.pod
===================================================================
--- openssl-0.9.8j.orig/doc/apps/verify.pod	2017-11-06 15:14:21.520783041 +0100
+++ openssl-0.9.8j/doc/apps/verify.pod	2017-11-06 15:14:21.528783173 +0100
@@ -11,6 +11,7 @@ B<openssl> B<verify>
 [B<-CAfile file>]
 [B<-trusted_first>]
 [B<-purpose purpose>]
+[B<-no_alt_chains>]
 [B<-untrusted file>]
 [B<-help>]
 [B<-issuer_checks>]
@@ -50,6 +51,14 @@ Use certificates in CA file or CA direct
 file when building the trust chain to verify certificates.
 This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
 
+=item B<-no_alt_chains>
+
+When building a certificate chain, if the first certificate chain found is not
+trusted, then OpenSSL will continue to check to see if an alternative chain can
+be found that is trusted. With this option that behaviour is suppressed so that
+only the first chain found is ever used. Using this option will force the
+behaviour to match that of previous OpenSSL versions.
+
 =item B<-purpose purpose>
 
 the intended use for the certificate. Without this option no chain verification
openSUSE Build Service is sponsored by