From e57be00ab1d6395387004b2c2a44d8f07bc4406d Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Thu, 25 Nov 2021 09:10:06 -0600
Subject: incorporate diffs from 3.4.1 not tagged in upstream stable.
---
patches/libcrypto_1.diff | 34 ++++++++++++++++++++++++++++
patches/libcrypto_2.diff | 59 ++++++++++++++++++++++++++++++++++++++++++++++++
update.sh | 4 ++++
3 files changed, 97 insertions(+)
create mode 100644 patches/libcrypto_1.diff
create mode 100644 patches/libcrypto_2.diff
diff --git a/patches/libcrypto_1.diff b/patches/libcrypto_1.diff
new file mode 100644
index 0000000..ba5387a
--- /dev/null
+++ b/patches/libcrypto_1.diff
@@ -0,0 +1,34 @@
+commit 43e306df17537f5033b9b61d33f555d19d1bec9d
+Author: jsing <>
+Date: Thu Sep 30 18:23:46 2021 +0000
+
+ Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
+
+ In order to work around the expired DST Root CA X3 certficiate, enable
+ X509_V_FLAG_TRUSTED_FIRST in the legacy verifier. This means that the
+ default chain provided by Let's Encrypt will stop at the ISRG Root X1
+ intermediate, rather than following the DST Root CA X3 intermediate.
+
+ Note that the new verifier does not suffer from this issue, so only a
+ small number of things will hit this code path.
+
+ ok millert@ robert@ tb@
+
+diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
+index aaf0a57dcb..42ea6e72c9 100644
+--- a/src/lib/libcrypto/x509/x509_vpm.c
++++ b/src/lib/libcrypto/x509/x509_vpm.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: x509_vpm.c,v 1.26 2021/04/24 18:10:12 tb Exp $ */
++/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */
+ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2004.
+ */
+@@ -598,6 +598,7 @@ static const X509_VERIFY_PARAM_ID _empty_id = { NULL };
+ static const X509_VERIFY_PARAM default_table[] = {
+ {
+ .name = "default",
++ .flags = X509_V_FLAG_TRUSTED_FIRST,
+ .depth = 100,
+ .trust = 0, /* XXX This is not the default trust value */
+ .id = vpm_empty_id
diff --git a/patches/libcrypto_2.diff b/patches/libcrypto_2.diff
new file mode 100644
index 0000000..8bc2b0a
--- /dev/null
+++ b/patches/libcrypto_2.diff
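Review bot: The new `.flags = X509_V_FLAG_TRUSTED_FIRST` entry in `default_table[]` changes chain building for every caller of the legacy verifier, not just Let's Encrypt chains, and nothing in this commit (only two patch files and update.sh per the diffstat) surfaces that to consumers of the portable release. A ChangeLog entry should state the behavioural change and its precondition: per the upstream message the chain now stops at ISRG Root X1, which only helps on systems whose trust store already contains that root, while a CA bundle that still relies on the DST Root CA X3 path keeps failing. The typo `certficiate` in the embedded commit message is inherited from upstream and is best left untouched so the patch file stays identical to the OpenBSD commit. The `default_table[]` initializer continues past the hunk.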
@@ -0,0 +1,59 @@
+commit 5dd3c162296b91c3ec61aec1ad52a10fdde8d142
+Author: claudio <>
+Date: Wed Oct 6 08:29:41 2021 +0000
+
+ X509_STORE_CTX_init() allows the store to be NULL on init. Add checks
+ for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX.
+ This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(),
+ X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject().
+ With this X509_verify_cert() no longer crashes with a NULL store.
+ With and OK tb@
+
+diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
+index f21103c700..315eddf612 100644
+--- a/src/lib/libcrypto/x509/x509_lu.c
++++ b/src/lib/libcrypto/x509/x509_lu.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: x509_lu.c,v 1.30 2018/08/24 19:21:09 tb Exp $ */
++/* $OpenBSD: x509_lu.c,v 1.31 2021/10/06 08:29:41 claudio Exp $ */
+ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+@@ -312,6 +312,9 @@ X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
+ X509_OBJECT stmp, *tmp;
+ int i, j;
+
++ if (ctx == NULL)
++ return 0;
++
+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+ tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
+ CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+@@ -561,6 +564,8 @@ X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
+ X509 *x;
+ X509_OBJECT *obj;
+
++ if (ctx->ctx == NULL)
++ return NULL;
+ sk = sk_X509_new_null();
+ if (sk == NULL)
+ return NULL;
+@@ -610,6 +615,8 @@ X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
+ X509_CRL *x;
+ X509_OBJECT *obj, xobj;
+
++ if (ctx->ctx == NULL)
++ return NULL;
+ sk = sk_X509_CRL_new_null();
+ if (sk == NULL)
+ return NULL;
+@@ -718,6 +725,9 @@ X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+ }
+ X509_OBJECT_free_contents(&obj);
+
++ if (ctx->ctx == NULL)
++ return 0;
++
+ /* Else find index of first cert accepted by 'check_issued' */
+ ret = 0;
+ CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
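Review bot: The `ctx->ctx == NULL` guard in `X509_STORE_CTX_get1_issuer` is placed after `X509_OBJECT_free_contents(&obj)`, so whatever filled `obj` at the top of the function (outside the hunk) has already executed on a context without a store; that is only safe if that lookup goes through `X509_STORE_get_by_subject`, which now returns 0 on a NULL store, and the hunk itself does not show it. A comment above the guard, `/* ctx->ctx may be NULL: the lookup above tolerates it, the objs access below does not */`, would keep that ordering dependency visible to the next merge. The guard in `X509_STORE_get_by_subject` tests the bare `ctx` while the other three test `ctx->ctx`; presumably `ctx` is a local `X509_STORE *` derived from `vs` and declared before the hunk — worth confirming against the full function so the patch does not read as a typo. All four enclosing functions begin outside their hunks.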
diff --git a/update.sh b/update.sh
index fe91b51..3956eb4 100755
--- a/update.sh
+++ b/update.sh
@@ -360,6 +360,10 @@ for i in patches/*.patch; do
 $PATCH -p0 < $i
 done
 
+for i in patches/libcrypto*.diff; do
+ (cd crypto; $PATCH -p4 < ../$i)
+done
+
 # copy manpages
 echo "copying manpages"
 echo EXTRA_DIST = CMakeLists.txt > man/Makefile.am
--
cgit v1.2.3-55-g6feb
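Review bot: `(cd crypto; $PATCH -p4 < ../$i)` still runs `$PATCH` when `cd crypto` fails, and a patch that does not apply leaves the loop running unless `set -e` is in force elsewhere in the script, which is not visible here; `(cd crypto && $PATCH -p4 < "../$i") || exit 1` stops at the first broken patch instead of producing a silently half-patched tree. The strip level is not self-explanatory either: a comment such as `# upstream paths are src/lib/libcrypto/<dir>/<file>; -p4 lands them in crypto/<dir>/<file>` ties it to the path depth of the two patch files added in this commit. The preceding `$PATCH -p0 < $i` loop has the same unchecked shape, so the exit-on-failure treatment is probably worth applying to both. The added `for` loop is complete within the hunk.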