Blame - import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch - openbmc/openbmc

blob: d81e22cd8dd541f6e629ad6ffa88c94352fbe10e [file] [log] [blame]

Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	1	From: Raphael Geissert <geissert@debian.org>
				2	Description: make X509_verify_cert indicate that any certificate whose
				3	name contains "DigiNotar" is revoked.
				4	Forwarded: not-needed
				5	Origin: vendor
				6	Last-Update: 2011-09-08
				7	Bug: http://bugs.debian.org/639744
				8	Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
				9	Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk>
				10
				11	This is not meant as final patch.
Patrick Williams	d8c66bc	2016-06-20 12:57:21 -0500	[diff] [blame]	12
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	13	Upstream-Status: Backport [debian]
				14
Patrick Williams	d8c66bc	2016-06-20 12:57:21 -0500	[diff] [blame]	15	Signed-off-by: Armin Kuster <akuster@mvista.com>
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	16
Patrick Williams	d8c66bc	2016-06-20 12:57:21 -0500	[diff] [blame]	17	Index: openssl-1.0.2g/crypto/x509/x509_vfy.c
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	18	===================================================================
Patrick Williams	d8c66bc	2016-06-20 12:57:21 -0500	[diff] [blame]	19	--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c
				20	+++ openssl-1.0.2g/crypto/x509/x509_vfy.c
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	21	@@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c
				22	static int check_revocation(X509_STORE_CTX *ctx);
				23	static int check_cert(X509_STORE_CTX *ctx);
				24	static int check_policy(X509_STORE_CTX *ctx);
				25	+static int check_ca_blacklist(X509_STORE_CTX *ctx);
				26
				27	static int get_crl_score(X509_STORE_CTX ctx, X509 *pissuer,
				28	unsigned int preasons, X509_CRL crl, X509 *x);
Patrick Williams	d8c66bc	2016-06-20 12:57:21 -0500	[diff] [blame]	29	@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	30	if (!ok)
Patrick Williams	d8c66bc	2016-06-20 12:57:21 -0500	[diff] [blame]	31	goto err;
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	32
				33	+ ok = check_ca_blacklist(ctx);
Patrick Williams	d8c66bc	2016-06-20 12:57:21 -0500	[diff] [blame]	34	+ if(!ok) goto err;
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	35	+
				36	#ifndef OPENSSL_NO_RFC3779
				37	/* RFC 3779 path validation, now that CRL check has been done */
				38	ok = v3_asid_validate_path(ctx);
Patrick Williams	d8c66bc	2016-06-20 12:57:21 -0500	[diff] [blame]	39	@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	40	return 1;
				41	}
				42
				43	+static int check_ca_blacklist(X509_STORE_CTX *ctx)
				44	+ {
				45	+ X509 *x;
				46	+ int i;
				47	+ /* Check all certificates against the blacklist */
				48	+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
				49	+ {
				50	+ x = sk_X509_value(ctx->chain, i);
				51	+ /* Mark DigiNotar certificates as revoked, no matter
				52	+ * where in the chain they are.
				53	+ */
				54	+ if (x->name && strstr(x->name, "DigiNotar"))
				55	+ {
				56	+ ctx->error = X509_V_ERR_CERT_REVOKED;
				57	+ ctx->error_depth = i;
				58	+ ctx->current_cert = x;
				59	+ if (!ctx->verify_cb(0,ctx))
				60	+ return 0;
				61	+ }
				62	+ }
				63	+ return 1;
				64	+ }
				65	+
				66	static int get_crl_sk(X509_STORE_CTX ctx, X509_CRL pcrl, X509_CRL *pdcrl,
				67	X509 *pissuer, int pscore, unsigned int *preasons,
				68	STACK_OF(X509_CRL) *crls)