From f731f488aca71a74fcfeb75ab6e8b723fb73571b Mon Sep 17 00:00:00 2001
From: DistroBaker
Date: Thu, 11 Feb 2021 17:09:01 +0000
Subject: [PATCH] Merged update from upstream sources
This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openssl.git#fb8e66a58fb43344f23aefb4eaefe1b6ca04a80d
---
 openssl-1.1.1-verify-cert.patch | 113 ++++++++++++++++++++++++++++++++
 openssl.spec | 9 ++-
 2 files changed, 121 insertions(+), 1 deletion(-)
 create mode 100644 openssl-1.1.1-verify-cert.patch
diff --git a/openssl-1.1.1-verify-cert.patch b/openssl-1.1.1-verify-cert.patch
new file mode 100644
index 0000000..d3bafc3
--- /dev/null
+++ b/openssl-1.1.1-verify-cert.patch
@@ -0,0 +1,113 @@
+diff -up openssl-1.1.1i/crypto/x509/x509_vfy.c.verify-cert openssl-1.1.1i/crypto/x509/x509_vfy.c
+--- openssl-1.1.1i/crypto/x509/x509_vfy.c.verify-cert 2021-01-20 17:24:53.100175663 +0100
++++ openssl-1.1.1i/crypto/x509/x509_vfy.c 2021-01-20 17:24:53.156176315 +0100
+@@ -323,9 +323,10 @@ static int sk_X509_contains(STACK_OF(X50
+ }
+
+ /*
+- * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x.
+- * The issuer must not be the same as x and must not yet be in ctx->chain, where the
+- * exceptional case x is self-issued and ctx->chain has just one element is allowed.
++ * Find in given STACK_OF(X509) sk an issuer cert of given cert x.
++ * The issuer must not yet be in ctx->chain, where the exceptional case
++ * that x is self-issued and ctx->chain has just one element is allowed.
++ * Prefer the first one that is not expired, else take the last expired one.
+ */
+ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
+ {
+@@ -338,7 +339,7 @@ static X509 *find_issuer(X509_STORE_CTX
+ * Below check 'issuer != x' is an optimization and safety precaution:
+ * Candidate issuer cert cannot be the same as the subject cert 'x'.
+ */
+- if (issuer != x && ctx->check_issued(ctx, x, issuer)
++ if (ctx->check_issued(ctx, x, issuer)
+ && (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
+ || !sk_X509_contains(ctx->chain, issuer))) {
+ rv = issuer;
+
+diff -up openssl-1.1.1i/test/recipes/70-test_verify_extra.t.verify-cert openssl-1.1.1i/test/recipes/70-test_verify_extra.t
+--- openssl-1.1.1i/test/recipes/70-test_verify_extra.t.verify-cert 2020-12-08 14:20:59.000000000 +0100
++++ openssl-1.1.1i/test/recipes/70-test_verify_extra.t 2021-01-20 17:24:53.156176315 +0100
+@@ -16,4 +16,5 @@ plan tests => 1;
+ ok(run(test(["verify_extra_test",
+ srctop_file("test", "certs", "roots.pem"),
+ srctop_file("test", "certs", "untrusted.pem"),
+- srctop_file("test", "certs", "bad.pem")])));
++ srctop_file("test", "certs", "bad.pem"),
++ srctop_file("test", "certs", "rootCA.pem")])));
+diff -up openssl-1.1.1i/test/verify_extra_test.c.verify-cert openssl-1.1.1i/test/verify_extra_test.c
+--- openssl-1.1.1i/test/verify_extra_test.c.verify-cert 2020-12-08 14:20:59.000000000 +0100
++++ openssl-1.1.1i/test/verify_extra_test.c 2021-01-20 17:24:53.156176315 +0100
+@@ -18,6 +18,21 @@
+ static const char *roots_f;
+ static const char *untrusted_f;
+ static const char *bad_f;
++static const char *good_f;
++
++static X509 *load_cert_pem(const char *file)
++{
++ X509 *cert = NULL;
++ BIO *bio = NULL;
++
++ if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
++ return NULL;
++ if (TEST_int_gt(BIO_read_filename(bio, file), 0))
++ (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL));
++
++ BIO_free(bio);
++ return cert;
++}
+
+ static STACK_OF(X509) *load_certs_from_file(const char *filename)
+ {
+@@ -175,16 +190,48 @@ static int test_store_ctx(void)
+ return testresult;
+ }
+
++static int test_self_signed(const char *filename, int expected)
++{
++ X509 *cert = load_cert_pem(filename);
++ STACK_OF(X509) *trusted = sk_X509_new_null();
++ X509_STORE_CTX *ctx = X509_STORE_CTX_new();
++ int ret;
++
++ ret = TEST_ptr(cert)
++ && TEST_true(sk_X509_push(trusted, cert))
++ && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL));
++ X509_STORE_CTX_trusted_stack(ctx, trusted);
++ ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected);
++
++ X509_STORE_CTX_free(ctx);
++ sk_X509_free(trusted);
++ X509_free(cert);
++ return ret;
++}
++
++static int test_self_signed_good(void)
++{
++ return test_self_signed(good_f, 1);
++}
++
++static int test_self_signed_bad(void)
++{
++ return test_self_signed(bad_f, 0);
++}
++
+ int setup_tests(void)
+ {
+ if (!TEST_ptr(roots_f = test_get_argument(0))
+ || !TEST_ptr(untrusted_f = test_get_argument(1))
+- || !TEST_ptr(bad_f = test_get_argument(2))) {
+- TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem\n");
++ || !TEST_ptr(bad_f = test_get_argument(2))
++ || !TEST_ptr(good_f = test_get_argument(3))) {
++ TEST_error("usage: verify_extra_test roots.pem untrusted.pem bad.pem good.pem\n");
+ return 0;
+ }
+
+ ADD_TEST(test_alt_chains_cert_forgery);
+ ADD_TEST(test_store_ctx);
++ ADD_TEST(test_self_signed_good);
++ ADD_TEST(test_self_signed_bad);
+ return 1;
+ }
diff --git a/openssl.spec b/openssl.spec
index 66cf8de..0a09d29 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -22,7 +22,7 @@
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 1.1.1i
-Release: 2%{?dist}
+Release: 3%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -44,6 +44,9 @@ Patch3: openssl-1.1.1-no-html.patch
 Patch4: openssl-1.1.1-man-rename.patch
 # Bug fixes
 Patch21: openssl-1.1.0-issuer-hash.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1916594
+Patch71: openssl-1.1.1-verify-cert.patch
+
 # Functionality changes
 Patch31: openssl-1.1.1-conf-paths.patch
 Patch32: openssl-1.1.1-version-add-engines.patch
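Review bot: The x509_vfy.c hunk at `@@ -338,7 +339,7 @@` removes the `issuer != x` test but leaves the comment directly above it untouched, so the file will still say `Below check 'issuer != x' is an optimization and safety precaution: Candidate issuer cert cannot be the same as the subject cert 'x'.` about a check that no longer exists, and that sentence now contradicts the new header comment, which explicitly allows x to be matched by itself when it is self-issued and ctx->chain holds only x. Suggest replacing those two comment lines with something that describes the guard that remains, e.g. `/* x may be its own issuer only while ctx->chain holds just the self-issued x; any other candidate must not already be in the chain. */`. The body of `find_issuer`, including whatever implements the header's new "prefer the first one that is not expired, else take the last expired one" rule, lies outside the hunk, so that claim cannot be checked from this patch. The paired `test_self_signed_bad` case (expecting 0 for bad.pem) is the right kind of negative check for a relaxed matching condition; a one-line comment on `test_self_signed` stating what the expected value encodes for each fixture would make the test's intent readable without opening the fixture files.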
@@ -186,6 +189,7 @@ cp %{SOURCE13} test/
 %patch67 -p1 -b .kdf-selftest
 %patch69 -p1 -b .alpn-cb
 %patch70 -p1 -b .rewire-fips-drbg
+%patch71 -p1 -b .verify-cert
 %build
@@ -474,6 +478,9 @@ export LD_LIBRARY_PATH
 %ldconfig_scriptlets libs
 %changelog
+* Wed Feb 10 2021 Sahana Prasad - 1:1.1.1i-3
+- Fix regression in X509_verify_cert() (bz1916594)
+
 * Tue Jan 26 2021 Fedora Release Engineering - 1:1.1.1i-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild