3 files changed, 97 insertions, 0 deletions
diff --git a/patches/libcrypto_1.diff b/patches/libcrypto_1.diff
new file mode 100644
index 0000000..ba5387a
--- /dev/null
+++ b/patches/libcrypto_1.diff
@@ -0,0 +1,34 @@
+commit 43e306df17537f5033b9b61d33f555d19d1bec9d
+Author: jsing <>
+Date:   Thu Sep 30 18:23:46 2021 +0000
+    Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
+    
+    In order to work around the expired DST Root CA X3 certficiate, enable
+    X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
+    default chain provided by Let's Encrypt will stop at the ISRG Root X1
+    intermediate, rather than following the DST Root CA X3 intermediate.
+    
+    Note that the new verifier does not suffer from this issue, so only a
+    small number of things will hit this code path.
+    
+    ok millert@ robert@ tb@
+diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
+index aaf0a57dcb..42ea6e72c9 100644
+--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: x509_vpm.c,v 1.26 2021/04/24 18:10:12 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */
+ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+  * project 2004.
+  */
+@@ -598,6 +598,7 @@ static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
+ static const X509_VERIFY_PARAM default_table[] = {
+        {
+                .name = "default",
+               .flags = X509_V_FLAG_TRUSTED_FIRST,
+                .depth = 100,
+                .trust = 0,  /* XXX This is not the default trust value */
+                .id = vpm_empty_id
diff --git a/patches/libcrypto_2.diff b/patches/libcrypto_2.diff
new file mode 100644
index 0000000..8bc2b0a
--- /dev/null
+++ b/patches/libcrypto_2.diff
@@ -0,0 +1,59 @@
+commit 5dd3c162296b91c3ec61aec1ad52a10fdde8d142
+Author: claudio <>
+Date:   Wed Oct 6 08:29:41 2021 +0000
+    X509_STORE_CTX_init() allows the store to be NULL on init. Add checks
+    for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX.
+    This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(),
+    X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject().
+    With this X509_verify_cert() no longer crashes with a NULL store.
+    With and OK tb@
+diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
+index f21103c700..315eddf612 100644
+--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: x509_lu.c,v 1.30 2018/08/24 19:21:09 tb Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.31 2021/10/06 08:29:41 claudio Exp $ */
+ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+  * All rights reserved.
+  *
+@@ -312,6 +312,9 @@ X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
+        X509_OBJECT stmp, *tmp;
+        int i, j;
+ 
+       if (ctx == NULL)
+               return 0;
+
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+        tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
+        CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+@@ -561,6 +564,8 @@ X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
+        X509 *x;
+        X509_OBJECT *obj;
+ 
+       if (ctx->ctx == NULL)
+               return NULL;
+        sk = sk_X509_new_null();
+        if (sk == NULL)
+                return NULL;
+@@ -610,6 +615,8 @@ X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
+        X509_CRL *x;
+        X509_OBJECT *obj, xobj;
+ 
+       if (ctx->ctx == NULL)
+               return NULL;
+        sk = sk_X509_CRL_new_null();
+        if (sk == NULL)
+                return NULL;
+@@ -718,6 +725,9 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+        }
+        X509_OBJECT_free_contents(&obj);
+ 
+       if (ctx->ctx == NULL)
+               return 0;
+
+        /* Else find index of first cert accepted by 'check_issued' */
+        ret = 0;
+        CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
diff --git a/update.sh b/update.sh
index fe91b51..3956eb4 100755
--- a/update.sh
+++ b/update.sh
@@ -360,6 +360,10 @@ for i in patches/*.patch; do
    $PATCH -p0 < $i
 done
+for i in patches/libcrypto*.diff; do
+        (cd crypto; $PATCH -p4 < ../$i)
+done
 # copy manpages
 echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am

diff --git a/patches/libcrypto_1.diff b/patches/libcrypto_1.diff new file mode 100644 index 0000000..ba5387a --- /dev/null +++ b/patches/libcrypto_1.diff
@@ -0,0 +1,34 @@
		1	commit 43e306df17537f5033b9b61d33f555d19d1bec9d
		2	Author: jsing <>
		3	Date: Thu Sep 30 18:23:46 2021 +0000
		4
		5	Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
		6
		7	In order to work around the expired DST Root CA X3 certficiate, enable
		8	X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
		9	default chain provided by Let's Encrypt will stop at the ISRG Root X1
		10	intermediate, rather than following the DST Root CA X3 intermediate.
		11
		12	Note that the new verifier does not suffer from this issue, so only a
		13	small number of things will hit this code path.
		14
		15	ok millert@ robert@ tb@
		16
		17	diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
		18	index aaf0a57dcb..42ea6e72c9 100644
		19	--- a/src/lib/libcrypto/x509/x509_vpm.c
		20	+++ b/src/lib/libcrypto/x509/x509_vpm.c
		21	@@ -1,4 +1,4 @@
		22	-/* $OpenBSD: x509_vpm.c,v 1.26 2021/04/24 18:10:12 tb Exp $ */
		23	+/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */
		24	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
		25	* project 2004.
		26	*/
		27	@@ -598,6 +598,7 @@ static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
		28	static const X509_VERIFY_PARAM default_table[] = {
		29	{
		30	.name = "default",
		31	+ .flags = X509_V_FLAG_TRUSTED_FIRST,
		32	.depth = 100,
		33	.trust = 0, /* XXX This is not the default trust value */
		34	.id = vpm_empty_id


diff --git a/patches/libcrypto_2.diff b/patches/libcrypto_2.diff new file mode 100644 index 0000000..8bc2b0a --- /dev/null +++ b/patches/libcrypto_2.diff
@@ -0,0 +1,59 @@
		1	commit 5dd3c162296b91c3ec61aec1ad52a10fdde8d142
		2	Author: claudio <>
		3	Date: Wed Oct 6 08:29:41 2021 +0000
		4
		5	X509_STORE_CTX_init() allows the store to be NULL on init. Add checks
		6	for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX.
		7	This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(),
		8	X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject().
		9	With this X509_verify_cert() no longer crashes with a NULL store.
		10	With and OK tb@
		11
		12	diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
		13	index f21103c700..315eddf612 100644
		14	--- a/src/lib/libcrypto/x509/x509_lu.c
		15	+++ b/src/lib/libcrypto/x509/x509_lu.c
		16	@@ -1,4 +1,4 @@
		17	-/* $OpenBSD: x509_lu.c,v 1.30 2018/08/24 19:21:09 tb Exp $ */
		18	+/* $OpenBSD: x509_lu.c,v 1.31 2021/10/06 08:29:41 claudio Exp $ */
		19	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
		20	* All rights reserved.
		21	*
		22	@@ -312,6 +312,9 @@ X509_STORE_get_by_subject(X509_STORE_CTX vs, int type, X509_NAME name,
		23	X509_OBJECT stmp, *tmp;
		24	int i, j;
		25
		26	+ if (ctx == NULL)
		27	+ return 0;
		28	+
		29	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
		30	tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
		31	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
		32	@@ -561,6 +564,8 @@ X509_STORE_get1_certs(X509_STORE_CTX ctx, X509_NAME nm)
		33	X509 *x;
		34	X509_OBJECT *obj;
		35
		36	+ if (ctx->ctx == NULL)
		37	+ return NULL;
		38	sk = sk_X509_new_null();
		39	if (sk == NULL)
		40	return NULL;
		41	@@ -610,6 +615,8 @@ X509_STORE_get1_crls(X509_STORE_CTX ctx, X509_NAME nm)
		42	X509_CRL *x;
		43	X509_OBJECT *obj, xobj;
		44
		45	+ if (ctx->ctx == NULL)
		46	+ return NULL;
		47	sk = sk_X509_CRL_new_null();
		48	if (sk == NULL)
		49	return NULL;
		50	@@ -718,6 +725,9 @@ X509_STORE_CTX_get1_issuer(X509 *issuer, X509_STORE_CTX ctx, X509 *x)
		51	}
		52	X509_OBJECT_free_contents(&obj);
		53
		54	+ if (ctx->ctx == NULL)
		55	+ return 0;
		56	+
		57	/* Else find index of first cert accepted by 'check_issued' */
		58	ret = 0;
		59	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);


diff --git a/update.sh b/update.sh index fe91b51..3956eb4 100755 --- a/update.sh +++ b/update.sh
@@ -360,6 +360,10 @@ for i in patches/*.patch; do
360	$PATCH -p0 < $i	360	$PATCH -p0 < $i
361	done	361	done
362		362
		363	for i in patches/libcrypto*.diff; do
		364	(cd crypto; $PATCH -p4 < ../$i)
		365	done
		366
363	# copy manpages	367	# copy manpages
364	echo "copying manpages"	368	echo "copying manpages"
365	echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am	369	echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am