From 3a2670c74a03cd2c6fac98a0dd45780b7f4d3010 Mon Sep 17 00:00:00 2001
From: Jaka Hudoklin
Date: Sat, 24 Jan 2015 22:47:11 +0100
Subject: [PATCH] xca: fix ssl
---
 .../xca/0001-Fix-for-openssl-1.0.1i.patch | 57 +++++++++++++++++++
 pkgs/applications/misc/xca/default.nix | 2 +
 2 files changed, 59 insertions(+)
 create mode 100644 pkgs/applications/misc/xca/0001-Fix-for-openssl-1.0.1i.patch
diff --git a/pkgs/applications/misc/xca/0001-Fix-for-openssl-1.0.1i.patch b/pkgs/applications/misc/xca/0001-Fix-for-openssl-1.0.1i.patch
new file mode 100644
index 000000000000..9bfe3831c4aa
--- /dev/null
+++ b/pkgs/applications/misc/xca/0001-Fix-for-openssl-1.0.1i.patch
@@ -0,0 +1,57 @@
+From abd9d530776e8bb6d8f05312fc3ae3044796139c Mon Sep 17 00:00:00 2001
+From: Oliver Winker
+Date: Tue, 12 Aug 2014 19:08:05 +0200
+Subject: [PATCH] Fix for openssl 1.0.1i
+
+Fixes following application error
+---
+Errors
+error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
+---
+
+Due to openssl 1.0.1i change:
+---
+commit 03b04ddac162c7b7fa3c57eadccc5a583a00d291
+Author: Emilia Kasper
+Date: Wed Jul 2 19:02:33 2014 +0200
+
+ Fix OID handling:
+
+ - Upon parsing, reject OIDs with invalid base-128 encoding.
+ - Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.
+
+ CVE-2014-3508
+
+ Reviewed-by: Dr. Stephen Henson
+ Reviewed-by: Kurt Roeckx
+ Reviewed-by: Tim Hudson
+---
+---
+ lib/x509v3ext.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/x509v3ext.cpp b/lib/x509v3ext.cpp
+index cf74c32..d94cbda 100644
+--- a/lib/x509v3ext.cpp
++++ b/lib/x509v3ext.cpp
+@@ -27,6 +27,8 @@ x509v3ext::x509v3ext(const X509_EXTENSION *n)
+ x509v3ext::x509v3ext(const x509v3ext &n)
+ {
+ ext = NULL;
++ if (!n.isValid())
++ return;
+ set(n.ext);
+ }
+
+@@ -743,7 +745,7 @@ X509_EXTENSION *x509v3ext::get() const
+
+ bool x509v3ext::isValid() const
+ {
+- return ext->value->length > 0 &&
++ return ext && ext->value && ext->value->length > 0 &&
+ OBJ_obj2nid(ext->object) != NID_undef;
+ }
+
+--
+2.0.1
+
diff --git a/pkgs/applications/misc/xca/default.nix b/pkgs/applications/misc/xca/default.nix
index 0bc2170340c8..1be4de8f9705 100644
--- a/pkgs/applications/misc/xca/default.nix
+++ b/pkgs/applications/misc/xca/default.nix
@@ -9,6 +9,8 @@ stdenv.mkDerivation rec {
 sha256 = "1fn6kh8mdy65rrgjif7j9wn3mxg1mrrcnhzpi86hfy24ic6bahk8";
 };
+ patches = [ ./0001-Fix-for-openssl-1.0.1i.patch ];
+
 configurePhase = ''
 export PATH=$PATH:${which}/bin
 export QTDIR=${qt4}
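Review bot: In the patched copy constructor of lib/x509v3ext.cpp, the new early return leaves the copy with `ext == NULL` for every source that fails `isValid()`, and `isValid()` is also false for an extension whose OID `OBJ_obj2nid` maps to `NID_undef`, so such an extension is dropped on copy with no signal to the caller. For a certificate tool that is worth stating at the guard, for example `// Source holds no usable extension (missing, empty, or OID unknown to OpenSSL): leave ext NULL so isValid() stays false`. Only `isValid()` gains NULL checks in this patch; the other members that read `ext` (for instance `get()`, named in the second inner hunk header) lie outside the hunks, so whether they tolerate a NULL `ext` cannot be confirmed from here and should be checked before relying on the empty copy.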