Blame SOURCES/openssl-1.0.1e-trusted-first.patch

a5ef24
diff -up openssl-1.0.1e/apps/apps.c.trusted-first openssl-1.0.1e/apps/apps.c
a5ef24
--- openssl-1.0.1e/apps/apps.c.trusted-first	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/apps/apps.c	2013-08-16 15:42:39.920534769 +0200
a5ef24
@@ -2361,6 +2361,8 @@ int args_verify(char ***pargs, int *parg
a5ef24
 		flags |= X509_V_FLAG_NOTIFY_POLICY;
a5ef24
 	else if (!strcmp(arg, "-check_ss_sig"))
a5ef24
 		flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
a5ef24
+	else if (!strcmp(arg, "-trusted_first"))
a5ef24
+		flags |= X509_V_FLAG_TRUSTED_FIRST;
a5ef24
 	else
a5ef24
 		return 0;
a5ef24
 
a5ef24
diff -up openssl-1.0.1e/apps/cms.c.trusted-first openssl-1.0.1e/apps/cms.c
a5ef24
--- openssl-1.0.1e/apps/cms.c.trusted-first	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/apps/cms.c	2013-08-16 15:43:56.671213879 +0200
a5ef24
@@ -642,6 +642,7 @@ int MAIN(int argc, char **argv)
a5ef24
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
a5ef24
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
a5ef24
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
a5ef24
+		BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
a5ef24
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
a5ef24
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
a5ef24
 #ifndef OPENSSL_NO_ENGINE
a5ef24
diff -up openssl-1.0.1e/apps/ocsp.c.trusted-first openssl-1.0.1e/apps/ocsp.c
a5ef24
--- openssl-1.0.1e/apps/ocsp.c.trusted-first	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/apps/ocsp.c	2013-08-16 15:49:47.477572414 +0200
a5ef24
@@ -595,6 +595,7 @@ int MAIN(int argc, char **argv)
a5ef24
 		BIO_printf (bio_err, "-path              path to use in OCSP request\n");
a5ef24
 		BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
a5ef24
 		BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
a5ef24
+		BIO_printf (bio_err, "-trusted_first     use trusted certificates first when building the trust chain\n");
a5ef24
 		BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
a5ef24
 		BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
a5ef24
 		BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
a5ef24
diff -up openssl-1.0.1e/apps/s_client.c.trusted-first openssl-1.0.1e/apps/s_client.c
a5ef24
--- openssl-1.0.1e/apps/s_client.c.trusted-first	2013-08-16 15:42:39.000000000 +0200
a5ef24
+++ openssl-1.0.1e/apps/s_client.c	2013-08-16 15:49:00.727542994 +0200
a5ef24
@@ -298,6 +298,7 @@ static void sc_usage(void)
a5ef24
 	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
a5ef24
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
a5ef24
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
a5ef24
+	BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
a5ef24
 	BIO_printf(bio_err," -reconnect    - Drop and re-make the connection with the same Session-ID\n");
a5ef24
 	BIO_printf(bio_err," -pause        - sleep(1) after each read(2) and write(2) system call\n");
a5ef24
 	BIO_printf(bio_err," -showcerts    - show all certificates in the chain\n");
a5ef24
diff -up openssl-1.0.1e/apps/smime.c.trusted-first openssl-1.0.1e/apps/smime.c
a5ef24
--- openssl-1.0.1e/apps/smime.c.trusted-first	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/apps/smime.c	2013-08-16 15:46:44.024875150 +0200
a5ef24
@@ -479,6 +479,7 @@ int MAIN(int argc, char **argv)
a5ef24
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
a5ef24
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
a5ef24
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
a5ef24
+		BIO_printf (bio_err, "-trusted_first use trusted certificates first when building the trust chain\n");
a5ef24
 		BIO_printf (bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
a5ef24
 		BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
a5ef24
 #ifndef OPENSSL_NO_ENGINE
a5ef24
diff -up openssl-1.0.1e/apps/s_server.c.trusted-first openssl-1.0.1e/apps/s_server.c
a5ef24
--- openssl-1.0.1e/apps/s_server.c.trusted-first	2013-08-16 15:42:39.000000000 +0200
a5ef24
+++ openssl-1.0.1e/apps/s_server.c	2013-08-16 15:48:19.469634430 +0200
a5ef24
@@ -501,6 +501,7 @@ static void sv_usage(void)
a5ef24
 	BIO_printf(bio_err," -state        - Print the SSL states\n");
a5ef24
 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
a5ef24
 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
a5ef24
+	BIO_printf(bio_err," -trusted_first - Use trusted CA's first when building the trust chain\n");
a5ef24
 	BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
a5ef24
 	BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
a5ef24
 	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences\n");
a5ef24
diff -up openssl-1.0.1e/apps/s_time.c.trusted-first openssl-1.0.1e/apps/s_time.c
a5ef24
--- openssl-1.0.1e/apps/s_time.c.trusted-first	2013-08-16 15:42:39.000000000 +0200
a5ef24
+++ openssl-1.0.1e/apps/s_time.c	2013-08-16 15:47:35.862674188 +0200
a5ef24
@@ -179,6 +179,7 @@ static void s_time_usage(void)
a5ef24
                 file if not specified by this option\n\
a5ef24
 -CApath arg   - PEM format directory of CA's\n\
a5ef24
 -CAfile arg   - PEM format file of CA's\n\
a5ef24
+-trusted_first - Use trusted CA's first when building the trust chain\n\
a5ef24
 -cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n";
a5ef24
 
a5ef24
 	printf( "usage: s_time <args>\n\n" );
a5ef24
diff -up openssl-1.0.1e/apps/ts.c.trusted-first openssl-1.0.1e/apps/ts.c
a5ef24
--- openssl-1.0.1e/apps/ts.c.trusted-first	2013-08-16 15:42:39.000000000 +0200
a5ef24
+++ openssl-1.0.1e/apps/ts.c	2013-08-16 15:45:27.766206812 +0200
a5ef24
@@ -383,7 +383,7 @@ int MAIN(int argc, char **argv)
a5ef24
 		   "ts -verify [-data file_to_hash] [-digest digest_bytes] "
a5ef24
 		   "[-queryfile request.tsq] "
a5ef24
 		   "-in response.tsr [-token_in] "
a5ef24
-		   "-CApath ca_path -CAfile ca_file.pem "
a5ef24
+		   "-CApath ca_path -CAfile ca_file.pem -trusted_first"
a5ef24
 		   "-untrusted cert_file.pem\n");
a5ef24
  cleanup:
a5ef24
 	/* Clean up. */
a5ef24
diff -up openssl-1.0.1e/apps/verify.c.trusted-first openssl-1.0.1e/apps/verify.c
a5ef24
--- openssl-1.0.1e/apps/verify.c.trusted-first	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/apps/verify.c	2013-08-16 15:46:09.720124654 +0200
a5ef24
@@ -237,7 +237,7 @@ int MAIN(int argc, char **argv)
a5ef24
 
a5ef24
 end:
a5ef24
 	if (ret == 1) {
a5ef24
-		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
a5ef24
+		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
a5ef24
 		BIO_printf(bio_err," [-attime timestamp]");
a5ef24
 #ifndef OPENSSL_NO_ENGINE
a5ef24
 		BIO_printf(bio_err," [-engine e]");
a5ef24
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.c
a5ef24
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.trusted-first	2013-08-16 15:42:39.864533545 +0200
a5ef24
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c	2013-08-16 15:42:39.921534791 +0200
a5ef24
@@ -207,6 +207,21 @@ int X509_verify_cert(X509_STORE_CTX *ctx
a5ef24
 
a5ef24
 		/* If we are self signed, we break */
a5ef24
 		if (ctx->check_issued(ctx, x,x)) break;
a5ef24
+		/* If asked see if we can find issuer in trusted store first */
a5ef24
+		if (ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)
a5ef24
+			{
a5ef24
+			ok = ctx->get_issuer(&xtmp, ctx, x);
a5ef24
+			if (ok < 0)
a5ef24
+				return ok;
a5ef24
+			/* If successful for now free up cert so it
a5ef24
+			 * will be picked up again later.
a5ef24
+			 */
a5ef24
+			if (ok > 0)
a5ef24
+				{
a5ef24
+				X509_free(xtmp);
a5ef24
+				break;
a5ef24
+				}
a5ef24
+			}
a5ef24
 
a5ef24
 		/* If we were passed a cert chain, use it first */
a5ef24
 		if (ctx->untrusted != NULL)
a5ef24
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first openssl-1.0.1e/crypto/x509/x509_vfy.h
a5ef24
--- openssl-1.0.1e/crypto/x509/x509_vfy.h.trusted-first	2013-08-16 15:42:39.356522432 +0200
a5ef24
+++ openssl-1.0.1e/crypto/x509/x509_vfy.h	2013-08-16 15:42:39.922534813 +0200
a5ef24
@@ -389,6 +389,8 @@ void X509_STORE_CTX_set_depth(X509_STORE
a5ef24
 #define X509_V_FLAG_USE_DELTAS			0x2000
a5ef24
 /* Check selfsigned CA signature */
a5ef24
 #define X509_V_FLAG_CHECK_SS_SIGNATURE		0x4000
a5ef24
+/* Use trusted store first */
a5ef24
+#define X509_V_FLAG_TRUSTED_FIRST		0x8000
a5ef24
 
a5ef24
 
a5ef24
 #define X509_VP_FLAG_DEFAULT			0x1
a5ef24
diff -up openssl-1.0.1e/doc/apps/cms.pod.trusted-first openssl-1.0.1e/doc/apps/cms.pod
a5ef24
--- openssl-1.0.1e/doc/apps/cms.pod.trusted-first	2013-08-16 15:42:39.000000000 +0200
a5ef24
+++ openssl-1.0.1e/doc/apps/cms.pod	2013-08-16 15:50:48.723921117 +0200
a5ef24
@@ -35,6 +35,7 @@ B<openssl> B<cms>
a5ef24
 [B<-print>]
a5ef24
 [B<-CAfile file>]
a5ef24
 [B<-CApath dir>]
a5ef24
+[B<-trusted_first>]
a5ef24
 [B<-md digest>]
a5ef24
 [B<-[cipher]>]
a5ef24
 [B<-nointern>]
a5ef24
@@ -238,6 +239,12 @@ B<-verify>. This directory must be a sta
a5ef24
 is a hash of each subject name (using B<x509 -hash>) should be linked
a5ef24
 to each certificate.
a5ef24
 
a5ef24
+=item B<-trusted_first>
a5ef24
+
a5ef24
+Use certificates in CA file or CA directory before untrusted certificates
a5ef24
+from the message when building the trust chain to verify certificates.
a5ef24
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
a5ef24
+
a5ef24
 =item B<-md digest>
a5ef24
 
a5ef24
 digest algorithm to use when signing or resigning. If not present then the
a5ef24
diff -up openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first openssl-1.0.1e/doc/apps/ocsp.pod
a5ef24
--- openssl-1.0.1e/doc/apps/ocsp.pod.trusted-first	2013-08-16 15:42:39.000000000 +0200
a5ef24
+++ openssl-1.0.1e/doc/apps/ocsp.pod	2013-08-16 15:52:20.106933403 +0200
a5ef24
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
a5ef24
 [B<-path>]
a5ef24
 [B<-CApath dir>]
a5ef24
 [B<-CAfile file>]
a5ef24
+[B<-trusted_first>]
a5ef24
 [B<-VAfile file>]
a5ef24
 [B<-validity_period n>]
a5ef24
 [B<-status_age n>]
a5ef24
@@ -138,6 +139,13 @@ or "/" by default.
a5ef24
 file or pathname containing trusted CA certificates. These are used to verify
a5ef24
 the signature on the OCSP response.
a5ef24
 
a5ef24
+=item B<-trusted_first>
a5ef24
+
a5ef24
+Use certificates in CA file or CA directory over certificates provided
a5ef24
+in the response or residing in other certificates file when building the trust
a5ef24
+chain to verify responder certificate.
a5ef24
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
a5ef24
+
a5ef24
 =item B<-verify_other file>
a5ef24
 
a5ef24
 file containing additional certificates to search when attempting to locate
a5ef24
diff -up openssl-1.0.1e/doc/apps/s_client.pod.trusted-first openssl-1.0.1e/doc/apps/s_client.pod
a5ef24
--- openssl-1.0.1e/doc/apps/s_client.pod.trusted-first	2013-08-16 15:42:39.000000000 +0200
a5ef24
+++ openssl-1.0.1e/doc/apps/s_client.pod	2013-08-16 15:53:17.364194159 +0200
a5ef24
@@ -17,6 +17,7 @@ B<openssl> B<s_client>
a5ef24
 [B<-pass arg>]
a5ef24
 [B<-CApath directory>]
a5ef24
 [B<-CAfile filename>]
a5ef24
+[B<-trusted_first>]
a5ef24
 [B<-reconnect>]
a5ef24
 [B<-pause>]
a5ef24
 [B<-showcerts>]
a5ef24
@@ -107,7 +108,7 @@ also used when building the client certi
a5ef24
 A file containing trusted certificates to use during server authentication
a5ef24
 and to use when attempting to build the client certificate chain.
a5ef24
 
a5ef24
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig>
a5ef24
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first>
a5ef24
 
a5ef24
 Set various certificate chain valiadition option. See the
a5ef24
 L<B<verify>|verify(1)> manual page for details.
a5ef24
diff -up openssl-1.0.1e/doc/apps/smime.pod.trusted-first openssl-1.0.1e/doc/apps/smime.pod
a5ef24
--- openssl-1.0.1e/doc/apps/smime.pod.trusted-first	2013-08-16 15:42:39.000000000 +0200
a5ef24
+++ openssl-1.0.1e/doc/apps/smime.pod	2013-08-16 15:56:12.497050767 +0200
a5ef24
@@ -15,6 +15,9 @@ B<openssl> B<smime>
a5ef24
 [B<-pk7out>]
a5ef24
 [B<-[cipher]>]
a5ef24
 [B<-in file>]
a5ef24
+[B<-CAfile file>]
a5ef24
+[B<-CApath dir>]
a5ef24
+[B<-trusted_first>]
a5ef24
 [B<-certfile file>]
a5ef24
 [B<-signer file>]
a5ef24
 [B<-recip  file>]
a5ef24
@@ -146,6 +149,12 @@ B<-verify>. This directory must be a sta
a5ef24
 is a hash of each subject name (using B<x509 -hash>) should be linked
a5ef24
 to each certificate.
a5ef24
 
a5ef24
+=item B<-trusted_first>
a5ef24
+
a5ef24
+Use certificates in CA file or CA directory over certificates provided
a5ef24
+in the message when building the trust chain to verify a certificate.
a5ef24
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
a5ef24
+
a5ef24
 =item B<-md digest>
a5ef24
 
a5ef24
 digest algorithm to use when signing or resigning. If not present then the
a5ef24
diff -up openssl-1.0.1e/doc/apps/s_server.pod.trusted-first openssl-1.0.1e/doc/apps/s_server.pod
a5ef24
--- openssl-1.0.1e/doc/apps/s_server.pod.trusted-first	2013-08-16 15:42:39.000000000 +0200
a5ef24
+++ openssl-1.0.1e/doc/apps/s_server.pod	2013-08-16 15:54:33.609873214 +0200
a5ef24
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
a5ef24
 [B<-state>]
a5ef24
 [B<-CApath directory>]
a5ef24
 [B<-CAfile filename>]
a5ef24
+[B<-trusted_first>]
a5ef24
 [B<-nocert>]
a5ef24
 [B<-cipher cipherlist>]
a5ef24
 [B<-quiet>]
a5ef24
@@ -168,6 +169,12 @@ and to use when attempting to build the
a5ef24
 is also used in the list of acceptable client CAs passed to the client when
a5ef24
 a certificate is requested.
a5ef24
 
a5ef24
+=item B<-trusted_first>
a5ef24
+
a5ef24
+Use certificates in CA file or CA directory before other certificates 
a5ef24
+when building the trust chain to verify client certificates.
a5ef24
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
a5ef24
+
a5ef24
 =item B<-state>
a5ef24
 
a5ef24
 prints out the SSL session states.
a5ef24
diff -up openssl-1.0.1e/doc/apps/s_time.pod.trusted-first openssl-1.0.1e/doc/apps/s_time.pod
a5ef24
--- openssl-1.0.1e/doc/apps/s_time.pod.trusted-first	2013-02-11 16:02:48.000000000 +0100
a5ef24
+++ openssl-1.0.1e/doc/apps/s_time.pod	2013-08-16 15:55:12.651732938 +0200
a5ef24
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
a5ef24
 [B<-key filename>]
a5ef24
 [B<-CApath directory>]
a5ef24
 [B<-CAfile filename>]
a5ef24
+[B<-trusted_first>]
a5ef24
 [B<-reuse>]
a5ef24
 [B<-new>]
a5ef24
 [B<-verify depth>]
a5ef24
@@ -76,6 +77,12 @@ also used when building the client certi
a5ef24
 A file containing trusted certificates to use during server authentication
a5ef24
 and to use when attempting to build the client certificate chain.
a5ef24
 
a5ef24
+=item B<-trusted_first>
a5ef24
+
a5ef24
+Use certificates in CA file or CA directory over the certificates provided
a5ef24
+by the server when building the trust chain to verify server certificate.
a5ef24
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
a5ef24
+
a5ef24
 =item B<-new>
a5ef24
 
a5ef24
 performs the timing test using a new session ID for each connection.
a5ef24
diff -up openssl-1.0.1e/doc/apps/ts.pod.trusted-first openssl-1.0.1e/doc/apps/ts.pod
a5ef24
--- openssl-1.0.1e/doc/apps/ts.pod.trusted-first	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/doc/apps/ts.pod	2013-08-16 15:57:17.399479957 +0200
a5ef24
@@ -46,6 +46,7 @@ B<-verify>
a5ef24
 [B<-token_in>]
a5ef24
 [B<-CApath> trusted_cert_path]
a5ef24
 [B<-CAfile> trusted_certs.pem]
a5ef24
+[B<-trusted_first>]
a5ef24
 [B<-untrusted> cert_file.pem]
a5ef24
 
a5ef24
 =head1 DESCRIPTION
a5ef24
@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional de
a5ef24
 or B<-CApath> must be specified.
a5ef24
 (Optional)
a5ef24
 
a5ef24
+=item B<-trusted_first>
a5ef24
+
a5ef24
+Use certificates in CA file or CA directory before other certificates
a5ef24
+when building the trust chain to verify certificates.
a5ef24
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
a5ef24
+
a5ef24
 =item B<-untrusted> cert_file.pem
a5ef24
 
a5ef24
 Set of additional untrusted certificates in PEM format which may be
a5ef24
diff -up openssl-1.0.1e/doc/apps/verify.pod.trusted-first openssl-1.0.1e/doc/apps/verify.pod
a5ef24
--- openssl-1.0.1e/doc/apps/verify.pod.trusted-first	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/doc/apps/verify.pod	2013-08-16 15:58:00.267423925 +0200
a5ef24
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
a5ef24
 B<openssl> B<verify>
a5ef24
 [B<-CApath directory>]
a5ef24
 [B<-CAfile file>]
a5ef24
+[B<-trusted_first>]
a5ef24
 [B<-purpose purpose>]
a5ef24
 [B<-policy arg>]
a5ef24
 [B<-ignore_critical>]
a5ef24
@@ -56,6 +57,12 @@ in PEM format concatenated together.
a5ef24
 A file of untrusted certificates. The file should contain multiple certificates
a5ef24
 in PEM format concatenated together.
a5ef24
 
a5ef24
+=item B<-trusted_first>
a5ef24
+
a5ef24
+Use certificates in CA file or CA directory before the certificates in the untrusted
a5ef24
+file when building the trust chain to verify certificates.
a5ef24
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
a5ef24
+
a5ef24
 =item B<-purpose purpose>
a5ef24
 
a5ef24
 The intended use for the certificate. If this option is not specified,