Add patch to fix Symantec issued certificates no longer being trusted

2025-02-24 18:12:47 +00:00 · 2016-11-23 17:06:19 +10:00 · 2016-11-23 17:06:19 +10:00 · 6a57615035
commit 6a57615035
parent 0f373ff0b1
2 changed files with 39 additions and 1 deletions
--- a/chromium-53-defang-ct-timebomb.patch
+++ b/chromium-53-defang-ct-timebomb.patch
@ -0,0 +1,34 @@
+
+--- a/net/quic/crypto/proof_verifier_chromium.cc
+++ b/net/quic/crypto/proof_verifier_chromium.cc
+@@ -345,6 +345,8 @@ int ProofVerifierChromium::Job::DoVerify
+     int ct_result = OK;
+     if (verify_details_->ct_verify_result.cert_policy_compliance !=
+             ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS &&
+        verify_details_->ct_verify_result.cert_policy_compliance !=
+            ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY &&
+         transport_security_state_->ShouldRequireCT(
+             hostname_, cert_verify_result.verified_cert.get(),
+             cert_verify_result.public_key_hashes)) {
+--- a/net/socket/ssl_client_socket_impl.cc
+++ b/net/socket/ssl_client_socket_impl.cc
+@@ -1819,6 +1819,8 @@ int SSLClientSocketImpl::VerifyCT() {
+ 
+   if (ct_verify_result_.cert_policy_compliance !=
+           ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS &&
+      ct_verify_result_.cert_policy_compliance !=
+          ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY &&
+       transport_security_state_->ShouldRequireCT(
+           host_and_port_.host(), server_cert_verify_result_.verified_cert.get(),
+           server_cert_verify_result_.public_key_hashes)) {
+--- a/net/spdy/spdy_session.cc
+++ b/net/spdy/spdy_session.cc
+@@ -672,6 +672,8 @@ bool SpdySession::CanPool(TransportSecur
+ 
+   if (ssl_info.ct_cert_policy_compliance !=
+           ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS &&
+      ssl_info.ct_cert_policy_compliance !=
+          ct::CertPolicyCompliance::CERT_POLICY_BUILD_NOT_TIMELY &&
+       transport_security_state->ShouldRequireCT(
+           new_hostname, ssl_info.cert.get(), ssl_info.public_key_hashes)) {
+     return false;
--- a/chromium-browser-stable.spec
+++ b/chromium-browser-stable.spec
@ -20,7 +20,7 @@
 Summary:	A fast web browser based on the Blink engine
 Name:		chromium-browser-stable
 Version:	53.0.2785.92
-Release:	1
+Release:	2
 License:	BSD, LGPL
 Group:		Networking/WWW
 Source0:	https://commondatastorage.googleapis.com/chromium-browser-official/chromium-%{version}.tar.xz
@ -34,6 +34,8 @@ Source997:	depot_tools.tar.xz
 Source998:	gn-binaries.tar.xz
 Source999:	new-system-icons.tar.xz
 Source1000:	README.urpmi
+# See https://bugs.chromium.org/p/chromium/issues/detail?id=664177
+Patch0:		chromium-53-defang-ct-timebomb.patch
 Patch4:		chromium-30.0.1599.66-master-prefs-path.patch
 # PATCH-FIX-UPSTREAM Add more charset aliases
 Patch6:		chromium-more-codec-aliases.patch
@ -282,6 +284,8 @@ rm -rf v8/test/
 find third_party/icu -type f \! -regex '.*\.\(gyp\|gypi\|isolate\)' -delete
 %endif

+%patch0 -p1
+
 %patch4 -p1 -b .prefs

 %patch6 -p0