0815f8f9a2
* gnu/packages/patches/openssl-CVE-2010-5298.patch: New file. * gnu/packages/patches/openssl-extension-checking-fixes.patch: New file. * gnu/packages/openssl.scm (openssl): Add them. * gnu-system.am (dist_patch_DATA): Add them.
41 lines
1.4 KiB
Diff
41 lines
1.4 KiB
Diff
From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001
|
|
From: "Dr. Stephen Henson" <steve@openssl.org>
|
|
Date: Tue, 15 Apr 2014 18:48:54 +0100
|
|
Subject: [PATCH] Extension checking fixes.
|
|
|
|
When looking for an extension we need to set the last found
|
|
position to -1 to properly search all extensions.
|
|
|
|
PR#3309.
|
|
---
|
|
crypto/x509v3/v3_purp.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
|
|
index 6c40c7d..5f931db 100644
|
|
--- a/crypto/x509v3/v3_purp.c
|
|
+++ b/crypto/x509v3/v3_purp.c
|
|
@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
|
|
/* Handle proxy certificates */
|
|
if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
|
|
if (x->ex_flags & EXFLAG_CA
|
|
- || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
|
|
- || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
|
|
+ || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
|
|
+ || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
|
|
x->ex_flags |= EXFLAG_INVALID;
|
|
}
|
|
if (pci->pcPathLengthConstraint) {
|
|
@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
|
|
return 0;
|
|
|
|
/* Extended Key Usage MUST be critical */
|
|
- i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
|
|
+ i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
|
|
if (i_ext >= 0)
|
|
{
|
|
X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
|
|
--
|
|
1.9.1
|
|
|