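--- a/gnutls-2.6.5/includes/gnutls/gnutls.h.in
+++ b/gnutls-2.6.5/includes/gnutls/gnutls.h.in
@@ -251,7 +251,13 @@ extern "C"
      */
     GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
     GNUTLS_CERT_SIGNER_NOT_CA = 128,
-    GNUTLS_CERT_INSECURE_ALGORITHM = 256
+    GNUTLS_CERT_INSECURE_ALGORITHM = 256,
+
+    /* Time verification.
+     */
+    GNUTLS_CERT_NOT_ACTIVATED = 512,
+    GNUTLS_CERT_EXPIRED = 1024
+
   } gnutls_certificate_status_t;
 
   typedef enum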
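--- a/gnutls-2.6.5/includes/gnutls/x509.h
+++ b/gnutls-2.6.5/includes/gnutls/x509.h
@@ -481,7 +481,13 @@ extern "C"
 
     /* Allow certificates to be signed using the broken MD5 algorithm.
      */
-    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+
+    /* Disable checking of activation and expiration validity
+     * periods of certificate chains. Don't set this unless you
+     * understand the security implications.
+     */
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
   } gnutls_certificate_verify_flags;
 
   int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,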
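Review bot: The comment on `GNUTLS_VERIFY_DISABLE_TIME_CHECKS` warns about "security implications" without naming them, which is the one thing a caller deciding whether to set the flag needs to know. I would state the effect directly, for example `* With this flag set, expired and not-yet-valid certificates pass the time check,` followed by `* so the application must enforce validity periods itself.` Because the flag is an opt-out, the comment should also say that verification checks activation and expiration times whenever it is not set, as the verify.c change in this patch does.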
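--- a/gnutls-2.6.5/lib/x509/verify.c
+++ b/gnutls-2.6.5/lib/x509/verify.c
@@ -493,6 +493,32 @@ _gnutls_x509_verify_certificate (const g
     }
 #endif
 
+  /* Check activation/expiration times
+   */
+  if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
+    {
+      time_t t, now = time (0);
+
+      for (i = 0; i < clist_size; i++)
+	{
+	  t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now < t)
+	    {
+	      status |= GNUTLS_CERT_NOT_ACTIVATED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+
+	  t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now > t)
+	    {
+	      status |= GNUTLS_CERT_EXPIRED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+	}
+    }
+
   /* Verify the certificate path (chain)
    */
   for (i = clist_size - 1; i > 0; i--)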
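Review bot: Both time-check branches `return status;` before the path-verification loop that follows, so a chain that is expired and also fails the signer or CA checks is reported with only the time bit plus `GNUTLS_CERT_INVALID`. Callers that log or branch on individual status bits then see an incomplete result; if the rest of the function only ORs into `status`, dropping the two early returns would let all findings accumulate, and otherwise a comment such as `/* A time failure ends verification early; the remaining status bits are not evaluated. */` should record the choice. The loop walks `certificate_list[]` only, so whether an issuer taken from the trusted list is also checked for expiry is not visible here and is worth confirming. The failure handling itself is fail-closed, since a `(time_t) -1` from either getter marks the chain invalid. The function body starts and ends outside the hunk.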
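--- a/gnutls-2.6.5/src/common.c
+++ b/gnutls-2.6.5/src/common.c
@@ -427,6 +427,10 @@ print_cert_vrfy (gnutls_session_t sessio
     {
       if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
 	printf ("- Peer's certificate issuer is unknown\n");
+      if (status & GNUTLS_CERT_NOT_ACTIVATED)
+    printf ("- Peer's certificate chain uses not yet valid certificate\n");
+      if (status & GNUTLS_CERT_EXPIRED)
+    printf ("- Peer's certificate chain uses expired certificate\n");
       if (status & GNUTLS_CERT_INVALID)
 	printf ("- Peer's certificate is NOT trusted\n");
       else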
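Review bot: The two added `printf` lines are indented with four spaces, which puts them to the left of the `if` they belong to, while the neighbouring `printf` calls use a tab under a six-space `if`. They should be re-indented with a tab to match, so the body visibly belongs to its condition in a function made of unbraced `if` statements. The messages would also read better with an article, e.g. `"- Peer's certificate chain uses a not yet valid certificate\n"` and `"- Peer's certificate chain uses an expired certificate\n"`. The body of print_cert_vrfy starts and ends outside the hunk.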