diff options
author | Saul Wold <sgw@linux.intel.com> | 2015-03-04 09:46:48 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-03-09 16:00:22 +0000 |
commit | 10b689033551c37d6cafa284d82bdccd43f6113e (patch) | |
tree | 7dc9e49980abc83cf791a91d23615625d6bf8efc /meta/recipes-connectivity/openssl/openssl/debian1.0.2 | |
parent | efbee563af4ab56f93ac0a6238426d1d3eb80b98 (diff) | |
download | openembedded-core-contrib-10b689033551c37d6cafa284d82bdccd43f6113e.tar.gz |
openssl: Upgrade to 1.0.2
Rebased numerous patches
removed aarch64 initial work since it's part of upstream now
Imported a few additional patches from Debian to support the version-script
and blacklist additional bad certificates.
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl/debian1.0.2')
3 files changed, 127 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch new file mode 100644 index 0000000000..c43bcd1c77 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_digicert_malaysia.patch @@ -0,0 +1,29 @@ +From: Raphael Geissert <geissert@debian.org> +Description: make X509_verify_cert indicate that any certificate whose + name contains "Digicert Sdn. Bhd." (from Malaysia) is revoked. +Forwarded: not-needed +Origin: vendor +Last-Update: 2011-11-05 + +Upstream-Status: Backport [debian] + + +Index: openssl-1.0.2~beta1/crypto/x509/x509_vfy.c +=================================================================== +--- openssl-1.0.2~beta1.orig/crypto/x509/x509_vfy.c 2014-02-25 00:16:12.488028844 +0100 ++++ openssl-1.0.2~beta1/crypto/x509/x509_vfy.c 2014-02-25 00:16:12.484028929 +0100 +@@ -964,10 +964,11 @@ + for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) + { + x = sk_X509_value(ctx->chain, i); +- /* Mark DigiNotar certificates as revoked, no matter +- * where in the chain they are. ++ /* Mark certificates containing the following names as ++ * revoked, no matter where in the chain they are. + */ +- if (x->name && strstr(x->name, "DigiNotar")) ++ if (x->name && (strstr(x->name, "DigiNotar") || ++ strstr(x->name, "Digicert Sdn. Bhd."))) + { + ctx->error = X509_V_ERR_CERT_REVOKED; + ctx->error_depth = i; diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch new file mode 100644 index 0000000000..0c1a0b651f --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/block_diginotar.patch @@ -0,0 +1,67 @@ +From: Raphael Geissert <geissert@debian.org> +Description: make X509_verify_cert indicate that any certificate whose + name contains "DigiNotar" is revoked. +Forwarded: not-needed +Origin: vendor +Last-Update: 2011-09-08 +Bug: http://bugs.debian.org/639744 +Reviewed-by: Kurt Roeckx <kurt@roeckx.be> +Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk> + +This is not meant as final patch. + +Upstream-Status: Backport [debian] + + +Index: openssl-1.0.2/crypto/x509/x509_vfy.c +=================================================================== +--- openssl-1.0.2.orig/crypto/x509/x509_vfy.c ++++ openssl-1.0.2/crypto/x509/x509_vfy.c +@@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c + static int check_revocation(X509_STORE_CTX *ctx); + static int check_cert(X509_STORE_CTX *ctx); + static int check_policy(X509_STORE_CTX *ctx); ++static int check_ca_blacklist(X509_STORE_CTX *ctx); + + static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, + unsigned int *preasons, X509_CRL *crl, X509 *x); +@@ -438,6 +439,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx + if (!ok) + goto end; + ++ ok = check_ca_blacklist(ctx); ++ if(!ok) goto end; ++ + #ifndef OPENSSL_NO_RFC3779 + /* RFC 3779 path validation, now that CRL check has been done */ + ok = v3_asid_validate_path(ctx); +@@ -938,6 +942,29 @@ static int check_crl_time(X509_STORE_CTX + return 1; + } + ++static int check_ca_blacklist(X509_STORE_CTX *ctx) ++ { ++ X509 *x; ++ int i; ++ /* Check all certificates against the blacklist */ ++ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) ++ { ++ x = sk_X509_value(ctx->chain, i); ++ /* Mark DigiNotar certificates as revoked, no matter ++ * where in the chain they are. ++ */ ++ if (x->name && strstr(x->name, "DigiNotar")) ++ { ++ ctx->error = X509_V_ERR_CERT_REVOKED; ++ ctx->error_depth = i; ++ ctx->current_cert = x; ++ if (!ctx->verify_cb(0,ctx)) ++ return 0; ++ } ++ } ++ return 1; ++ } ++ + static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, + X509 **pissuer, int *pscore, unsigned int *preasons, + STACK_OF(X509_CRL) *crls) diff --git a/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch new file mode 100644 index 0000000000..61dcf457fe --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/debian1.0.2/padlock_conf.patch @@ -0,0 +1,31 @@ + +Upstream-Status: Backport [debian] + +--- openssl/apps/openssl.cnf.orig 2012-06-06 00:45:56.000000000 +0200 ++++ openssl/apps/openssl.cnf 2012-06-06 00:46:46.000000000 +0200 +@@ -19,6 +19,8 @@ + # (Alternatively, use a configuration file that has only + # X.509v3 extensions in its main [= default] section.) + ++openssl_conf = openssl_def ++ + [ new_oids ] + + # We can add new OIDs in here for use by 'ca', 'req' and 'ts'. +@@ -348,3 +350,16 @@ + # (optional, default: no) + ess_cert_id_chain = no # Must the ESS cert id chain be included? + # (optional, default: no) ++ ++[openssl_def] ++engines = engine_section ++ ++[engine_section] ++padlock = padlock_section ++ ++[padlock_section] ++soft_load=1 ++init=1 ++default_algorithms = ALL ++dynamic_path=padlock ++ |