[Pkg-openssl-changes] r508 - in openssl/trunk/debian: . patches

Sat Sep 10 11:07:57 UTC 2011

Author: kroeckx
Date: 2011-09-10 11:07:57 +0000 (Sat, 10 Sep 2011)
New Revision: 508

Added:
   openssl/trunk/debian/patches/block_diginotar.patch
Modified:
   openssl/trunk/debian/changelog
   openssl/trunk/debian/patches/series
Log:
Block DigiNotar


Modified: openssl/trunk/debian/changelog
===================================================================

--- openssl/trunk/debian/changelog	2011-09-10 11:05:16 UTC (rev 507)
+++ openssl/trunk/debian/changelog	2011-09-10 11:07:57 UTC (rev 508)
@@ -6,6 +6,8 @@
     - Fix SSL memory handling for (EC)DH ciphersuites, in particular
       for multi-threaded use of ECDH. (CVE-2011-3210)
     - Add protection against ECDSA timing attacks (CVE-2011-1945)
+  * Block DigiNotar certifiates.  Patch from
+    Raphael Geissert <geissert at debian.org>
 
  -- Kurt Roeckx <kurt at roeckx.be>  Sat, 10 Sep 2011 12:03:13 +0200
 

Added: openssl/trunk/debian/patches/block_diginotar.patch
===================================================================
--- openssl/trunk/debian/patches/block_diginotar.patch	                        (rev 0)
+++ openssl/trunk/debian/patches/block_diginotar.patch	2011-09-10 11:07:57 UTC (rev 508)
@@ -0,0 +1,64 @@
+From: Raphael Geissert <geissert at debian.org>
+Description: make X509_verify_cert indicate that any certificate whose
+ name contains "DigiNotar" is revoked.
+Forwarded: not-needed
+Origin: vendor
+Last-Update: 2011-09-08
+Bug: http://bugs.debian.org/639744
+Reviewed-by: Kurt Roeckx <kurt at roeckx.be>
+Reviewed-by: Dr Stephen N Henson <shenson at drh-consultancy.co.uk>
+
+This is not meant as final patch.  
+
+Index: openssl-1.0.0d/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-1.0.0d.orig/crypto/x509/x509_vfy.c
++++ openssl-1.0.0d/crypto/x509/x509_vfy.c
+@@ -117,6 +117,7 @@ static int check_trust(X509_STORE_CTX *c
+ static int check_revocation(X509_STORE_CTX *ctx);
+ static int check_cert(X509_STORE_CTX *ctx);
+ static int check_policy(X509_STORE_CTX *ctx);
++static int check_ca_blacklist(X509_STORE_CTX *ctx);
+ 
+ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
+ 			unsigned int *preasons,
+@@ -374,6 +375,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
+ 		ok=internal_verify(ctx);
+ 	if(!ok) goto end;
+ 
++	ok = check_ca_blacklist(ctx);
++	if(!ok) goto end;
++
+ #ifndef OPENSSL_NO_RFC3779
+ 	/* RFC 3779 path validation, now that CRL check has been done */
+ 	ok = v3_asid_validate_path(ctx);
+@@ -820,6 +824,29 @@ static int check_crl_time(X509_STORE_CTX
+ 	return 1;
+ 	}
+ 
++static int check_ca_blacklist(X509_STORE_CTX *ctx)
++	{
++	X509 *x;
++	int i;
++	/* Check all certificates against the blacklist */
++	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
++		{
++		x = sk_X509_value(ctx->chain, i);
++		/* Mark DigiNotar certificates as revoked, no matter
++		 * where in the chain they are.
++		 */
++		if (x->name && strstr(x->name, "DigiNotar"))
++			{
++			ctx->error = X509_V_ERR_CERT_REVOKED;
++			ctx->error_depth = i;
++			ctx->current_cert = x;
++			if (!ctx->verify_cb(0,ctx))
++				return 0;
++			}
++		}
++	return 1;
++	}
++
+ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
+ 			X509 **pissuer, int *pscore, unsigned int *preasons,
+ 			STACK_OF(X509_CRL) *crls)

Modified: openssl/trunk/debian/patches/series
===================================================================
--- openssl/trunk/debian/patches/series	2011-09-10 11:05:16 UTC (rev 507)
+++ openssl/trunk/debian/patches/series	2011-09-10 11:07:57 UTC (rev 508)
@@ -28,3 +28,4 @@
 pod_ec.misspell.patch
 pkcs12-doc.patch
 dgst_hmac.patch
+block_diginotar.patch


