[csw-devel] SF.net SVN: gar:[15667] csw/mgar/pkg/openssl/trunk

chninkel at users.sourceforge.net chninkel at users.sourceforge.net
Mon Sep 19 22:23:25 CEST 2011 

Revision: 15667
          http://gar.svn.sourceforge.net/gar/?rev=15667&view=rev
Author:   chninkel
Date:     2011-09-19 20:23:24 +0000 (Mon, 19 Sep 2011)
Log Message:
-----------
openssl: added patch to block DigiNotar CA

Modified Paths:
--------------
    csw/mgar/pkg/openssl/trunk/Makefile
    csw/mgar/pkg/openssl/trunk/files/changelog.CSW

Added Paths:
-----------
    csw/mgar/pkg/openssl/trunk/files/block_diginotar.patch

Modified: csw/mgar/pkg/openssl/trunk/Makefile
===================================================================
--- csw/mgar/pkg/openssl/trunk/Makefile	2011-09-19 20:15:15 UTC (rev 15666)
+++ csw/mgar/pkg/openssl/trunk/Makefile	2011-09-19 20:23:24 UTC (rev 15667)
@@ -27,7 +27,7 @@
   as a full-strength general-purpose cryptography library.
 endef
 
-PACKAGES = CSWossl CSWosslrt CSWossldevel CSWosslutils
+PACKAGES = CSWossl CSWosslrt CSWossldevel CSWosslutils CSWossldoc
 
 SPKG_DESC_CSWossl = Openssl meta package
 CATALOGNAME_CSWossl = openssl
@@ -38,10 +38,13 @@
 CATALOGNAME_CSWosslrt = openssl_rt
 RUNTIME_DEP_PKGS_CSWosslrt = CSWcacertificates
 
-SPKG_DESC_CSWossldevel = Openssl development files
+SPKG_DESC_CSWossldevel = Openssl development libraries and headers
 CATALOGNAME_CSWossldevel = openssl_devel
 RUNTIME_DEP_PKGS_CSWossldevel = CSWosslrt
 
+SPKG_DESC_CSWossldoc = Openssl development documentation files
+CATALOGNAME_CSWossldoc = openssl_doc
+
 SPKG_DESC_CSWosslutils = Openssl binaries and related tools 
 CATALOGNAME_CSWosslutils = openssl_utils
 RUNTIME_DEP_PKGS_CSWosslutils = CSWosslrt
@@ -99,10 +102,14 @@
 CHECKPKG_OVERRIDES_CSWossldevel += file-with-bad-content|/usr/local|root/opt/csw/share/doc/openssl_devel/CHANGES
 CHECKPKG_OVERRIDES_CSWossldevel += file-with-bad-content|/usr/local|root/opt/csw/share/doc/openssl_devel/INSTALL
 CHECKPKG_OVERRIDES_CSWossldevel += file-with-bad-content|/usr/local|root/opt/csw/share/doc/openssl_devel/FAQ
+CHECKPKG_OVERRIDES_CSWossldoc += file-with-bad-content|/usr/local|root/opt/csw/share/doc/openssl_doc/CHANGES
+CHECKPKG_OVERRIDES_CSWossldoc += file-with-bad-content|/usr/local|root/opt/csw/share/doc/openssl_doc/INSTALL
+CHECKPKG_OVERRIDES_CSWossldoc += file-with-bad-content|/usr/local|root/opt/csw/share/doc/openssl_doc/FAQ
 
 # We will not fix this today
 CHECKPKG_OVERRIDES_CSWosslutils += catalogname-does-not-match-pkgname|pkgname=CSWosslutils|catalogname=openssl_utils|expected-catalogname=osslutils
 CHECKPKG_OVERRIDES_CSWossldevel += catalogname-does-not-match-pkgname|pkgname=CSWossldevel|catalogname=openssl_devel|expected-catalogname=ossldevel
+CHECKPKG_OVERRIDES_CSWossldoc += catalogname-does-not-match-pkgname|pkgname=CSWossldoc|catalogname=openssl_doc|expected-catalogname=ossldoc
 CHECKPKG_OVERRIDES_CSWossl += catalogname-does-not-match-pkgname|pkgname=CSWossl|catalogname=openssl|expected-catalogname=ossl
 CHECKPKG_OVERRIDES_CSWosslrt += catalogname-does-not-match-pkgname|pkgname=CSWosslrt|catalogname=openssl_rt|expected-catalogname=osslrt
 
@@ -131,6 +138,10 @@
 # Update openssl.cnf path in man page to follow opencsw standard
 PATCHFILES += opencsw_paths.patch
 
+# Let's always block the compromised DigiNotar CA, whatever the CA configured
+# (patch taken from Debian Package)
+PATCHFILES += block_diginotar.patch
+
 LICENSE=LICENSE
 
 ##### Build and installation information #####

Added: csw/mgar/pkg/openssl/trunk/files/block_diginotar.patch
===================================================================
--- csw/mgar/pkg/openssl/trunk/files/block_diginotar.patch	                        (rev 0)
+++ csw/mgar/pkg/openssl/trunk/files/block_diginotar.patch	2011-09-19 20:23:24 UTC (rev 15667)
@@ -0,0 +1,59 @@
+From: Raphael Geissert <geissert at debian.org>
+Description: make X509_verify_cert indicate that any certificate whose
+ name contains "DigiNotar" is revoked.
+Origin: vendor
+Forwarded: not-needed
+Last-Update: 2011-09-07
+Bug: http://bugs.debian.org/639744
+
+diff -urpN openssl-0.9.8o-4squeeze1.orig/crypto/x509/x509_vfy.c openssl-0.9.8o-4squeeze1/crypto/x509/x509_vfy.c
+--- openssl-0.9.8o-4squeeze1.orig/crypto/x509/x509_vfy.c	2009-06-26 06:34:21.000000000 -0500
++++ openssl-0.9.8o-4squeeze1/crypto/x509/x509_vfy.c	2011-09-07 21:23:58.000000000 -0500
+@@ -78,6 +78,7 @@ static int check_trust(X509_STORE_CTX *c
+ static int check_revocation(X509_STORE_CTX *ctx);
+ static int check_cert(X509_STORE_CTX *ctx);
+ static int check_policy(X509_STORE_CTX *ctx);
++static int check_ca_blacklist(X509_STORE_CTX *ctx);
+ static int internal_verify(X509_STORE_CTX *ctx);
+ const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
+ 
+@@ -312,6 +313,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
+ 		ok=internal_verify(ctx);
+ 	if(!ok) goto end;
+ 
++	ok = check_ca_blacklist(ctx);
++	if(!ok) goto end;
++
+ #ifndef OPENSSL_NO_RFC3779
+ 	/* RFC 3779 path validation, now that CRL check has been done */
+ 	ok = v3_asid_validate_path(ctx);
+@@ -661,6 +665,29 @@ static int check_crl_time(X509_STORE_CTX
+ 	return 1;
+ 	}
+ 
++static int check_ca_blacklist(X509_STORE_CTX *ctx)
++	{
++	X509 *x;
++	int i;
++	/* Check all certificates against the blacklist */
++	for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
++		{
++		x = sk_X509_value(ctx->chain, i);
++		/* Mark DigiNotar certificates as revoked, no matter                                                                            
++		 * where in the chain they are.                                                                                                 
++		 */
++		if (x->name && strstr(x->name, "DigiNotar"))
++			{
++			ctx->error = X509_V_ERR_CERT_REVOKED;
++			ctx->error_depth = i;
++			ctx->current_cert = x;
++			if (!ctx->verify_cb(0,ctx))
++				return 0;
++			}
++		}
++	return 1;
++	}
++
+ /* Lookup CRLs from the supplied list. Look for matching isser name
+  * and validity. If we can't find a valid CRL return the last one
+  * with matching name. This gives more meaningful error codes. Otherwise

Modified: csw/mgar/pkg/openssl/trunk/files/changelog.CSW
===================================================================
--- csw/mgar/pkg/openssl/trunk/files/changelog.CSW	2011-09-19 20:15:15 UTC (rev 15666)
+++ csw/mgar/pkg/openssl/trunk/files/changelog.CSW	2011-09-19 20:23:24 UTC (rev 15667)
@@ -1,3 +1,10 @@
+openssl (0.9.8r,REV=2011.09.19) unstable
+
+  * Added patch block_diginotar.patch, taken from Debian, to always blocks 
+  the compromised DigiNotar CA (Closes: #4822)
+
+   -- Yann Rouillard <yann at opencsw.org>  Wed, 20 Jul 2011 15:59:52 +0200
+
 openssl (0.9.8r,REV=2011.07.20) unstable
 
   * Fixed openssl.cnf paths in ca man page.

This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.

More information about the devel mailing list