diff options
| author | Mark H Weaver <mhw@netris.org> | 2014-04-21 10:04:17 -0400 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2014-04-22 08:55:43 -0400 |
| commit | 0815f8f9a217ddc2bbe1cf74d10d54aafa2d9063 (patch) | |
| tree | 0c5a50f67074f74509a91cd09e968129f5cd11f1 /gnu/packages/patches/openssl-extension-checking-fixes.patch | |
| parent | 6ef3644e3462d4a98323f556eefa92a6765ed437 (diff) | |
| download | guix-0815f8f9a217ddc2bbe1cf74d10d54aafa2d9063.tar guix-0815f8f9a217ddc2bbe1cf74d10d54aafa2d9063.tar.gz | |
gnu: openssl: Fixes for CVE-2010-5298 and extension checking.
* gnu/packages/patches/openssl-CVE-2010-5298.patch: New file.
* gnu/packages/patches/openssl-extension-checking-fixes.patch: New file.
* gnu/packages/openssl.scm (openssl): Add them.
* gnu-system.am (dist_patch_DATA): Add them.
Diffstat (limited to 'gnu/packages/patches/openssl-extension-checking-fixes.patch')
| -rw-r--r-- | gnu/packages/patches/openssl-extension-checking-fixes.patch | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/gnu/packages/patches/openssl-extension-checking-fixes.patch b/gnu/packages/patches/openssl-extension-checking-fixes.patch new file mode 100644 index 0000000000..3fdd893563 --- /dev/null +++ b/gnu/packages/patches/openssl-extension-checking-fixes.patch @@ -0,0 +1,40 @@ +From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001 +From: "Dr. Stephen Henson" <steve@openssl.org> +Date: Tue, 15 Apr 2014 18:48:54 +0100 +Subject: [PATCH] Extension checking fixes. + +When looking for an extension we need to set the last found +position to -1 to properly search all extensions. + +PR#3309. +--- + crypto/x509v3/v3_purp.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c +index 6c40c7d..5f931db 100644 +--- a/crypto/x509v3/v3_purp.c ++++ b/crypto/x509v3/v3_purp.c +@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x) + /* Handle proxy certificates */ + if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) { + if (x->ex_flags & EXFLAG_CA +- || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0 +- || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) { ++ || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ++ || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { + x->ex_flags |= EXFLAG_INVALID; + } + if (pci->pcPathLengthConstraint) { +@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, + return 0; + + /* Extended Key Usage MUST be critical */ +- i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0); ++ i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1); + if (i_ext >= 0) + { + X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext); +-- +1.9.1 + |