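--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -248,7 +248,13 @@ extern "C" {
      */
     GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
     GNUTLS_CERT_SIGNER_NOT_CA = 128,
-    GNUTLS_CERT_INSECURE_ALGORITHM = 256
+    GNUTLS_CERT_INSECURE_ALGORITHM = 256,
+
+    /* Time verification.
+     */
+    GNUTLS_CERT_NOT_ACTIVATED = 512,
+    GNUTLS_CERT_EXPIRED = 1024
+
   } gnutls_certificate_status_t;
 
   typedef enum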
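Review bot: The two new status bits carry only the group comment `/* Time verification. */`, yet these are the values a caller tests to explain why verification failed, so each should state the condition that sets it. Suggested: `/* The certificate's activation time is in the future (or could not be read). */` above GNUTLS_CERT_NOT_ACTIVATED and `/* The certificate's expiration time has passed (or could not be read). */` above GNUTLS_CERT_EXPIRED, which matches the checks in verify.c in this same patch that set them. The enum begins outside the hunk.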
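--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -504,7 +504,13 @@ extern "C"
 
     /* Allow certificates to be signed using the broken MD5 algorithm.
      */
-    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+
+    /* Disable checking of activation and expiration validity
+     * periods of certificate chains. Don't set this unless you
+     * understand the security implications.
+     */
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
   } gnutls_certificate_verify_flags;
 
   int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,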
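Review bot: The comment on GNUTLS_VERIFY_DISABLE_TIME_CHECKS warns of security implications without saying what is actually skipped, which is what a caller needs in order to decide whether it may set the flag. It should name the effect visible in verify.c in this patch: with the flag set, the GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED status bits are never reported for any certificate in the chain. Suggested wording: `/* Skip the activation/expiration checks for every certificate in the chain; GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED are then never reported. Only for callers that verify the validity period themselves. */`. The enum begins outside the hunk.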
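--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
     }
 #endif
 
+  /* Check activation/expiration times
+   */
+  if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
+    {
+      time_t t, now = time (0);
+
+      for (i = 0; i < clist_size; i++)
+	{
+	  t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now < t)
+	    {
+	      status |= GNUTLS_CERT_NOT_ACTIVATED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+
+	  t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now > t)
+	    {
+	      status |= GNUTLS_CERT_EXPIRED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+	}
+    }
+
   /* Verify the certificate path (chain)
    */
   for (i = clist_size - 1; i > 0; i--)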
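Review bot: `now = time (0)` on the added line `time_t t, now = time (0);` is never checked for failure, so a `(time_t) -1` result feeds the comparisons as a bogus clock; it appears to fail closed here (every readable activation time is greater than -1, so the first certificate is reported as not yet activated), but that should be explicit rather than incidental, e.g. `if (now == (time_t) -1) return status | GNUTLS_CERT_INVALID;` directly after the declaration. Separately, the `return status;` in both branches leaves the function before the chain loop that follows, so a caller sees only the time failure and none of the signer/issuer bits that loop would have set; if the status is meant to list every reason at once, accumulate and continue instead of returning. _gnutls_x509_verify_certificate begins and ends outside the hunk.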
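--- a/src/common.c
+++ b/src/common.c
@@ -272,6 +272,10 @@ print_cert_vrfy (gnutls_session_t session)
 	printf ("- Peer's certificate issuer is not a CA\n");
       if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
 	printf ("- Peer's certificate chain uses insecure algorithm\n");
+      if (status & GNUTLS_CERT_NOT_ACTIVATED)
+	printf ("- Peer's certificate chain uses not yet valid certificate\n");
+      if (status & GNUTLS_CERT_EXPIRED)
+	printf ("- Peer's certificate chain uses expired certificate\n");
       if (status & GNUTLS_CERT_INVALID)
 	printf ("- Peer's certificate is NOT trusted\n");
       else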
