Gentoo's Bugzilla – Attachment 189704 Details for
Bug 267774
<net-libs/gnutls-2.6.5-r1: Multiple vulnerabilities (CVE-2009-{1415,1416,1417})
[patch]
CVE-2009-1417.patch
CVE-2009-1417.patch (text/plain), 2.85 KB, created by
Alex Legler (RETIRED)
on 2009-04-28 12:31:32 UTC
Description:
CVE-2009-1417.patch
Filename:
MIME Type:
Creator:
Alex Legler (RETIRED)
Created:
2009-04-28 12:31:32 UTC
Size:
2.85 KB
patch
obsolete
>diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
>index 3d8370b..46ef722 100644
>--- a/lib/includes/gnutls/gnutls.h.in
>+++ b/lib/includes/gnutls/gnutls.h.in
>@@ -248,7 +248,13 @@ extern "C" {
> */
> GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
> GNUTLS_CERT_SIGNER_NOT_CA = 128,
>- GNUTLS_CERT_INSECURE_ALGORITHM = 256
>+ GNUTLS_CERT_INSECURE_ALGORITHM = 256,
>+
>+ /* Time verification.
>+ */
>+ GNUTLS_CERT_NOT_ACTIVATED = 512,
>+ GNUTLS_CERT_EXPIRED = 1024
>+
> } gnutls_certificate_status_t;
> 
> typedef enum
>diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
>index 9c2800e..f554e47 100644
>--- a/lib/includes/gnutls/x509.h
>+++ b/lib/includes/gnutls/x509.h
>@@ -504,7 +504,13 @@ extern "C"
> 
> /* Allow certificates to be signed using the broken MD5 algorithm.
> */
>- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
>+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
>+
>+ /* Disable checking of activation and expiration validity
>+ * periods of certificate chains. Don't set this unless you
>+ * understand the security implications.
>+ */
>+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
> } gnutls_certificate_verify_flags;
> 
> int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
>diff --git a/lib/x509/verify.c b/lib/x509/verify.c
>index 599eff7..399831e 100644
>--- a/lib/x509/verify.c
>+++ b/lib/x509/verify.c 
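Review bot: The two new public status bits GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED are introduced under a single `/* Time verification. */` comment that does not say which condition each one reports, although code that inspects a gnutls_certificate_status_t will test them individually. Give each value its own comment, e.g. `/* A certificate in the chain is not yet valid: its activation time is in the future or could not be read. */` above GNUTLS_CERT_NOT_ACTIVATED and `/* A certificate in the chain has expired: its expiration time has passed or could not be read. */` above GNUTLS_CERT_EXPIRED; the "could not be read" wording mirrors the (time_t) -1 checks this same patch adds in lib/x509/verify.c. The enum's opening and the `typedef enum` that follows lie outside the hunk.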
>@@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list,
> }
> #endif
> 
>+ /* Check activation/expiration times
>+ */
>+ if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
>+ {
>+ time_t t, now = time (0);
>+
>+ for (i = 0; i < clist_size; i++)
>+ {
>+ t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
>+ if (t == (time_t) -1 || now < t)
>+ {
>+ status |= GNUTLS_CERT_NOT_ACTIVATED;
>+ status |= GNUTLS_CERT_INVALID;
>+ return status;
>+ }
>+
>+ t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
>+ if (t == (time_t) -1 || now > t)
>+ {
>+ status |= GNUTLS_CERT_EXPIRED;
>+ status |= GNUTLS_CERT_INVALID;
>+ return status;
>+ }
>+ }
>+ }
>+
> /* Verify the certificate path (chain)
> */
> for (i = clist_size - 1; i > 0; i--)
>diff --git a/src/common.c b/src/common.c
>index c383d7d..226fdb7 100644
>--- a/src/common.c
>+++ b/src/common.c
>@@ -272,6 +272,10 @@ print_cert_vrfy (gnutls_session_t session)
> printf ("- Peer's certificate issuer is not a CA\n");
> if (status & GNUTLS_CERT_INSECURE_ALGORITHM)
> printf ("- Peer's certificate chain uses insecure algorithm\n");
>+ if (status & GNUTLS_CERT_NOT_ACTIVATED)
>+ printf ("- Peer's certificate chain uses not yet valid certificate\n");
>+ if (status & GNUTLS_CERT_EXPIRED)
>+ printf ("- Peer's certificate chain uses expired certificate\n");
> if (status & GNUTLS_CERT_INVALID)
> printf ("- Peer's certificate is NOT trusted\n");
> else
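Review bot: The `return status;` in each branch of the new loop abandons verification at the first certificate with a bad validity period, so the path verification that follows (`for (i = clist_size - 1; i > 0; i--)`) never runs and the returned status word carries only the time bit plus GNUTLS_CERT_INVALID, never the signer or algorithm failures a caller might also want to report. That is fail-closed, so it is acceptable as the fix, but if a complete status word is intended the two returns could instead record the bit and let the loop and the chain verification continue, returning the accumulated status afterwards. The loop only covers `certificate_list`; if the function later matches the top certificate against a separate trusted-CA list (that code is outside this hunk), the validity period of that trusted CA is not checked here, which is worth confirming as intentional. Minor style: `time (0)` reads more clearly as `time (NULL)`. The body of _gnutls_x509_verify_certificate starts and ends outside the hunk.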