~andersk/ubuntu/oneiric/openssl/spurious-reboot


Viewing changes to debian/patches/block_diginotar.patch

  • Committer: Package Import Robot
  • Author(s): Steve Beattie
  • Date: 2011-09-14 22:06:03 UTC
  • mfrom: (11.1.23 sid)
  • Revision ID: package-import@ubuntu.com-20110914220603-tsuxw8z3kt4lx9oc
Tags: 1.0.0e-2ubuntu1
* Resynchronise with Debian, fixes CVE-2011-1945, CVE-2011-3207 and
  CVE-2011-3210 (LP: #850608). Remaining changes:
  - debian/libssl1.0.0.postinst:
    + Display a system restart required notification bubble on libssl1.0.0
      upgrade.
    + Use a different priority for libssl1.0.0/restart-services depending
      on whether a desktop, or server dist-upgrade is being performed.
  - debian/{libssl1.0.0-udeb.dirs, control, rules}: Create
    libssl1.0.0-udeb, for the benefit of wget-udeb (no wget-udeb package
    in Debian).
  - debian/{libcrypto1.0.0-udeb.dirs, libssl1.0.0.dirs, libssl1.0.0.files,
    rules}: Move runtime libraries to /lib, for the benefit of
    wpasupplicant.
  - debian/patches/aesni.patch: Backport Intel AES-NI support, now from
    http://rt.openssl.org/Ticket/Display.html?id=2065 rather than the
    0.9.8 variant.
  - debian/patches/Bsymbolic-functions.patch: Link using
    -Bsymbolic-functions.
  - debian/patches/perlpath-quilt.patch: Don't change perl #! paths under
    .pc.
  - debian/rules:
    + Don't run 'make test' when cross-building.
    + Use host compiler when cross-building.  Patch from Neil Williams.
    + Don't build for processors no longer supported: i486, i586 (on
      i386), v8 (on sparc).
    + Fix Makefile to properly clean up libs/ dirs in clean target.
    + Replace duplicate files in the doc directory with symlinks.
* debian/libssl1.0.0.postinst: only display restart notification on
  servers (LP: #244250)

 
1
From: Raphael Geissert <geissert@debian.org>
 
2
Description: make X509_verify_cert indicate that any certificate whose
 
3
 name contains "DigiNotar" is revoked.
 
4
Forwarded: not-needed
 
5
Origin: vendor
 
6
Last-Update: 2011-09-08
 
7
Bug: http://bugs.debian.org/639744
 
8
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
 
9
Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk>
 
10
 
 
11
This is not meant as final patch.  
 
12
 
 
13
Index: openssl-1.0.0d/crypto/x509/x509_vfy.c
 
14
===================================================================
 
15
--- openssl-1.0.0d.orig/crypto/x509/x509_vfy.c
 
16
+++ openssl-1.0.0d/crypto/x509/x509_vfy.c
 
17
@@ -117,6 +117,7 @@ static int check_trust(X509_STORE_CTX *c
 
18
 static int check_revocation(X509_STORE_CTX *ctx);
 
19
 static int check_cert(X509_STORE_CTX *ctx);
 
20
 static int check_policy(X509_STORE_CTX *ctx);
 
21
+static int check_ca_blacklist(X509_STORE_CTX *ctx);
 
22
 
 
23
 static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
 
24
                        unsigned int *preasons,
 
25
@@ -374,6 +375,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
 
26
                ok=internal_verify(ctx);
 
27
        if(!ok) goto end;
 
28
 
 
29
+       ok = check_ca_blacklist(ctx);
 
30
+       if(!ok) goto end;
 
31
+
 
32
 #ifndef OPENSSL_NO_RFC3779
 
33
        /* RFC 3779 path validation, now that CRL check has been done */
 
34
        ok = v3_asid_validate_path(ctx);
 
35
@@ -820,6 +824,29 @@ static int check_crl_time(X509_STORE_CTX
 
36
        return 1;
 
37
        }
 
38
 
 
39
+static int check_ca_blacklist(X509_STORE_CTX *ctx)
 
40
+       {
 
41
+       X509 *x;
 
42
+       int i;
 
43
+       /* Check all certificates against the blacklist */
 
44
+       for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
 
45
+               {
 
46
+               x = sk_X509_value(ctx->chain, i);
 
47
+               /* Mark DigiNotar certificates as revoked, no matter
 
48
+                * where in the chain they are.
 
49
+                */
 
50
+               if (x->name && strstr(x->name, "DigiNotar"))
 
51
+                       {
 
52
+                       ctx->error = X509_V_ERR_CERT_REVOKED;
 
53
+                       ctx->error_depth = i;
 
54
+                       ctx->current_cert = x;
 
55
+                       if (!ctx->verify_cb(0,ctx))
 
56
+                               return 0;
 
57
+                       }
 
58
+               }
 
59
+       return 1;
 
60
+       }
 
61
+
 
62
 static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
 
63
                        X509 **pissuer, int *pscore, unsigned int *preasons,
 
64
                        STACK_OF(X509_CRL) *crls)
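Review bot: The test at `if (x->name && strstr(x->name, "DigiNotar"))` in the new check_ca_blacklist matches a case-sensitive substring of the whole cached one-line name (x->name appears to be the cached subject string, inferred from the field name) rather than a specific issuer, key or fingerprint, so any certificate whose subject contains that text in any RDN is reported as revoked, while a certificate object whose `name` cache was never populated is silently skipped by the NULL guard. Since the file header itself says this is not meant as a final patch, that trade-off should be stated next to the check so a later maintainer does not read it as a precise identity match; for example `/* Substring match on the cached one-line name only; a cert with no cached name is not checked here. */`. The X509_verify_cert hunk that calls the new function begins and ends outside the shown lines, so the interaction with the rest of that function cannot be reviewed from this page.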