1 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/block_diginotar.patch
new file mode 100644
index 0000000000..d81e22cd8d
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/block_diginotar.patch
@@ -0,0 +1,68 @@
+From: Raphael Geissert <geissert@debian.org>
+Description: make X509_verify_cert indicate that any certificate whose
+ name contains "DigiNotar" is revoked.
+Forwarded: not-needed
+Origin: vendor
+Last-Update: 2011-09-08
+Bug: http://bugs.debian.org/639744
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk>
+This is not meant as final patch.  
+Upstream-Status: Backport [debian]
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Index: openssl-1.0.2g/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c
+++ openssl-1.0.2g/crypto/x509/x509_vfy.c
+@@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c
+ static int check_revocation(X509_STORE_CTX *ctx);
+ static int check_cert(X509_STORE_CTX *ctx);
+ static int check_policy(X509_STORE_CTX *ctx);
+static int check_ca_blacklist(X509_STORE_CTX *ctx);
+ 
+ static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
+                          unsigned int *preasons, X509_CRL *crl, X509 *x);
+@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
+     if (!ok)
+         goto err;
+ 
+       ok = check_ca_blacklist(ctx);
+       if(!ok) goto err;
+
+ #ifndef OPENSSL_NO_RFC3779
+     /* RFC 3779 path validation, now that CRL check has been done */
+     ok = v3_asid_validate_path(ctx);
+@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX
+     return 1;
+ }
+ 
+static int check_ca_blacklist(X509_STORE_CTX *ctx)
+       {
+       X509 *x;
+       int i;
+       /* Check all certificates against the blacklist */
+       for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
+               {
+               x = sk_X509_value(ctx->chain, i);
+               /* Mark DigiNotar certificates as revoked, no matter
+                * where in the chain they are.
+                */
+               if (x->name && strstr(x->name, "DigiNotar"))
+                       {
+                       ctx->error = X509_V_ERR_CERT_REVOKED;
+                       ctx->error_depth = i;
+                       ctx->current_cert = x;
+                       if (!ctx->verify_cb(0,ctx))
+                               return 0;
+                       }
+               }
+       return 1;
+       }
+
+ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
+                       X509 **pissuer, int *pscore, unsigned int *preasons,
+                       STACK_OF(X509_CRL) *crls)

diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/block_diginotar.patch b/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/block_diginotar.patch new file mode 100644 index 0000000000..d81e22cd8d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.2p/debian1.0.2/block_diginotar.patch
@@ -0,0 +1,68 @@
	1	From: Raphael Geissert <geissert@debian.org>
	2	Description: make X509_verify_cert indicate that any certificate whose
	3	name contains "DigiNotar" is revoked.
	4	Forwarded: not-needed
	5	Origin: vendor
	6	Last-Update: 2011-09-08
	7	Bug: http://bugs.debian.org/639744
	8	Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
	9	Reviewed-by: Dr Stephen N Henson <shenson@drh-consultancy.co.uk>
	10
	11	This is not meant as final patch.
	12
	13	Upstream-Status: Backport [debian]
	14
	15	Signed-off-by: Armin Kuster <akuster@mvista.com>
	16
	17	Index: openssl-1.0.2g/crypto/x509/x509_vfy.c
	18	===================================================================
	19	--- openssl-1.0.2g.orig/crypto/x509/x509_vfy.c
	20	+++ openssl-1.0.2g/crypto/x509/x509_vfy.c
	21	@@ -119,6 +119,7 @@ static int check_trust(X509_STORE_CTX *c
	22	static int check_revocation(X509_STORE_CTX *ctx);
	23	static int check_cert(X509_STORE_CTX *ctx);
	24	static int check_policy(X509_STORE_CTX *ctx);
	25	+static int check_ca_blacklist(X509_STORE_CTX *ctx);
	26
	27	static int get_crl_score(X509_STORE_CTX ctx, X509 *pissuer,
	28	unsigned int preasons, X509_CRL crl, X509 *x);
	29	@@ -489,6 +490,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
	30	if (!ok)
	31	goto err;
	32
	33	+ ok = check_ca_blacklist(ctx);
	34	+ if(!ok) goto err;
	35	+
	36	#ifndef OPENSSL_NO_RFC3779
	37	/* RFC 3779 path validation, now that CRL check has been done */
	38	ok = v3_asid_validate_path(ctx);
	39	@@ -996,6 +1000,29 @@ static int check_crl_time(X509_STORE_CTX
	40	return 1;
	41	}
	42
	43	+static int check_ca_blacklist(X509_STORE_CTX *ctx)
	44	+ {
	45	+ X509 *x;
	46	+ int i;
	47	+ /* Check all certificates against the blacklist */
	48	+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
	49	+ {
	50	+ x = sk_X509_value(ctx->chain, i);
	51	+ /* Mark DigiNotar certificates as revoked, no matter
	52	+ * where in the chain they are.
	53	+ */
	54	+ if (x->name && strstr(x->name, "DigiNotar"))
	55	+ {
	56	+ ctx->error = X509_V_ERR_CERT_REVOKED;
	57	+ ctx->error_depth = i;
	58	+ ctx->current_cert = x;
	59	+ if (!ctx->verify_cb(0,ctx))
	60	+ return 0;
	61	+ }
	62	+ }
	63	+ return 1;
	64	+ }
	65	+
	66	static int get_crl_sk(X509_STORE_CTX ctx, X509_CRL pcrl, X509_CRL *pdcrl,
	67	X509 *pissuer, int pscore, unsigned int *preasons,
	68	STACK_OF(X509_CRL) *crls)