diff options
| author |   Alexander Kanavin <alexander.kanavin@linux.intel.com> | 2017-08-18 22:31:29 +0300 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-08-19 09:19:12 +0100 |
| commit | 5585103c195104e85ed7ac1455bef91b2e88a04d (patch) | |
| tree | f6e0c1281fb9658fd6705060cbf191f14992c13c /meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/block_diginotar.patch | |
| parent | e31c9d32072b9cf62c0e9e55b4d421849d3d489b (diff) | |
| download | openembedded-core-contrib-5585103c195104e85ed7ac1455bef91b2e88a04d.tar.gz | |
openssl10: rename back to openssl and make it the default via PREFERRED_VERSION
openssl 1.1 broke 3rd party layers a lot more than was expected; let's flip
the switch at the start of next development cycle.
Add a PROVIDES = "openssl10" to openssl 1.0 recipe; any dependency that is
not compatible with 1.1 should use that in its DEPENDS, as the 1.0
recipe will later be renamed back to openssl10. This does not always work:
http://lists.openembedded.org/pipermail/openembedded-core/2017-August/140957.html
but for many recipes it does.
Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/block_diginotar.patch')
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/block_diginotar.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/block_diginotar.patch new file mode 100644 index 0000000000..d81e22cd8d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.2l/debian1.0.2/block_diginotar.patch @@ -0,0 +1,68 @@ +From: Raphael Geissert <geissert@debian.org> +Description: make X509_verify_cert indicate that any certificate whose + name contains "DigiNotar" is revoked. +Forwarded: not-needed +Origin: vendor +Last-Update: 2011-09-08 +Bug: http://bugs.debian.org/639744 +Reviewed-by: Kurt Roeckx <kurt@roeckx.be> +Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk> + +This is not meant as final patch. + +Upstream-Status: Backport [debian] + +Signed-off-by: Armin Kuster <akuster@mvista.com> + +Index: openssl-1.0.2g/crypto/x509/x509_vfy.c +=================================================================== +--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c ++++ openssl-1.0.2g/crypto/x509/x509_vfy.c +@@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c + static int check_revocation(X509_STORE_CTX *ctx); + static int check_cert(X509_STORE_CTX *ctx); + static int check_policy(X509_STORE_CTX *ctx); ++static int check_ca_blacklist(X509_STORE_CTX *ctx); + + static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, + unsigned int *preasons, X509_CRL *crl, X509 *x); +@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx + if (!ok) + goto err; + ++ ok = check_ca_blacklist(ctx); ++ if(!ok) goto err; ++ + #ifndef OPENSSL_NO_RFC3779 + /* RFC 3779 path validation, now that CRL check has been done */ + ok = v3_asid_validate_path(ctx); +@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX + return 1; + } + ++static int check_ca_blacklist(X509_STORE_CTX *ctx) ++ { ++ X509 *x; ++ int i; ++ /* Check all certificates against the blacklist */ ++ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) ++ { ++ x = sk_X509_value(ctx->chain, i); ++ /* Mark DigiNotar certificates as revoked, no matter ++ * where in the chain they are. ++ */ ++ if (x->name && strstr(x->name, "DigiNotar")) ++ { ++ ctx->error = X509_V_ERR_CERT_REVOKED; ++ ctx->error_depth = i; ++ ctx->current_cert = x; ++ if (!ctx->verify_cb(0,ctx)) ++ return 0; ++ } ++ } ++ return 1; ++ } ++ + static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl, + X509 **pissuer, int *pscore, unsigned int *preasons, + STACK_OF(X509_CRL) *crls) |