Bug#908893: stretch-pu: package globus-gsi-credential_7.11-1+deb9u1

[Mattias Ellert <mattias.ellert@physics.uu.se>]

Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

This is a proposed update to the globus-gsi-credential package in
Debian 9 (stretch). I have created it in response to a request that was
sent to me via e-mail (included below).

	Mattias

-------- Vidarebefordrat meddelande --------
Från: Dave Dykstra <dwd@fnal.gov>
Till: Mattias Ellert <mattias.ellert@physics.uu.se>
Ämne: libglobus-gsi-credential1 fix for stretch
Datum: Fri, 14 Sep 2018 15:56:24 -0500

Hi Mattias,

There's been a fix
    https://github.com/globus/globus-toolkit/issues/115
affecting cvmfs-x509-helper in Debian testing libglobus-gsi-credential1
version 7.14-1 since last November, but it still hasn't made it into
Debian 9 stretch or stretch-updates.  Could you backport it there?
Meanwhile I have been maintaining a patched copy in the cvmfs-contrib
repository (https://cvmfs-contrib.github.io).

Dave

diff -Nru globus-gsi-credential-7.11/debian/changelog globus-gsi-credential-7.11/debian/changelog
--- globus-gsi-credential-7.11/debian/changelog	2016-11-08 23:25:05.000000000 +0100
+++ globus-gsi-credential-7.11/debian/changelog	2018-09-15 16:15:42.000000000 +0200
@@ -1,3 +1,11 @@
+globus-gsi-credential (7.11-1+deb9u1) stretch; urgency=medium
+
+  * Fix issue with voms proxy and openssl 1.1
+  * https://github.com/globus/globus-toolkit/issues/115
+  * https://github.com/globus/globus-toolkit/pull/116
+
+ -- Mattias Ellert <mattias.ellert@physics.uu.se>  Sat, 15 Sep 2018 16:15:42 +0200
+
 globus-gsi-credential (7.11-1) unstable; urgency=medium
 
   * GT6 update
diff -Nru globus-gsi-credential-7.11/debian/patches/globus-gsi-credential-voms-openssl-1.1.patch globus-gsi-credential-7.11/debian/patches/globus-gsi-credential-voms-openssl-1.1.patch
--- globus-gsi-credential-7.11/debian/patches/globus-gsi-credential-voms-openssl-1.1.patch	1970-01-01 01:00:00.000000000 +0100
+++ globus-gsi-credential-7.11/debian/patches/globus-gsi-credential-voms-openssl-1.1.patch	2018-09-15 16:09:00.000000000 +0200
@@ -0,0 +1,70 @@
+From 924cb64dda4dae571456772bd1db62d5bbe25ccf Mon Sep 17 00:00:00 2001
+From: Mischa Salle <msalle@nikhef.nl>
+Date: Mon, 23 Oct 2017 20:16:26 +0200
+Subject: [PATCH] Simple patch for GT issue #115
+
+This patch reorders the the setting of the check_issued and the initialization
+of the X509_STORE_CTX object with the X509_STORE thereby solving
+https://github.com/globus/globus-toolkit/issues/115
+---
+ .../source/library/globus_gsi_cred_handle.c   | 28 +++++++++----------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/library/globus_gsi_cred_handle.c b/library/globus_gsi_cred_handle.c
+index 9877ad603d..e890f56abf 100644
+--- a/library/globus_gsi_cred_handle.c
++++ b/library/globus_gsi_cred_handle.c
+@@ -1745,19 +1745,19 @@ globus_gsi_cred_verify_cert_chain(
+     
+     if (X509_STORE_load_locations(cert_store, NULL, cert_dir))
+     {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++        /* override the check_issued with our version */
++        cert_store->check_issued = globus_gsi_callback_check_issued;
++#else
++        X509_STORE_set_check_issued(cert_store, globus_gsi_callback_check_issued);
++#endif
++
+         store_context = X509_STORE_CTX_new();
+         X509_STORE_CTX_init(store_context, cert_store, cert,
+                             cred_handle->cert_chain);
+         X509_STORE_CTX_set_depth(store_context,
+                                  GLOBUS_GSI_CALLBACK_VERIFY_DEPTH);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+-        /* override the check_issued with our version */
+-        store_context->check_issued = globus_gsi_callback_check_issued;
+-#else
+-        X509_STORE_set_check_issued(X509_STORE_CTX_get0_store(store_context), globus_gsi_callback_check_issued);
+-#endif
+-
+         globus_gsi_callback_get_X509_STORE_callback_data_index(
+             &callback_data_index);
+ 
+@@ -1937,19 +1937,19 @@ globus_gsi_cred_verify_cert_chain_when(
+     
+     if (X509_STORE_load_locations(cert_store, NULL, cert_dir))
+     {
++        /* override the check_issued with our version */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++        cert_store->check_issued = globus_gsi_callback_check_issued;
++#else
++        X509_STORE_set_check_issued(cert_store, globus_gsi_callback_check_issued);
++#endif
++
+         store_context = X509_STORE_CTX_new();
+         X509_STORE_CTX_init(store_context, cert_store, cert,
+                             cred_handle->cert_chain);
+         X509_STORE_CTX_set_depth(store_context,
+                                  GLOBUS_GSI_CALLBACK_VERIFY_DEPTH);
+ 
+-        /* override the check_issued with our version */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+-        store_context->check_issued = globus_gsi_callback_check_issued;
+-#else
+-        X509_STORE_set_check_issued(X509_STORE_CTX_get0_store(store_context), globus_gsi_callback_check_issued);
+-#endif
+-
+         globus_gsi_callback_get_X509_STORE_callback_data_index(
+             &callback_data_index);
+ 
diff -Nru globus-gsi-credential-7.11/debian/patches/series globus-gsi-credential-7.11/debian/patches/series
--- globus-gsi-credential-7.11/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ globus-gsi-credential-7.11/debian/patches/series	2018-09-15 16:14:04.000000000 +0200
@@ -0,0 +1,4 @@
+# Fix issue with voms proxy and openssl 1.1
+# https://github.com/globus/globus-toolkit/issues/115
+# https://github.com/globus/globus-toolkit/pull/116
+globus-gsi-credential-voms-openssl-1.1.patch

Attachment: smime.p7s
Description: S/MIME cryptographic signature