--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -251,7 +251,13 @@ extern "C"
 */
 GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
 GNUTLS_CERT_SIGNER_NOT_CA = 128,
- GNUTLS_CERT_INSECURE_ALGORITHM = 256
+ GNUTLS_CERT_INSECURE_ALGORITHM = 256,
+
+ /* Time verification.
+ */
+ GNUTLS_CERT_NOT_ACTIVATED = 512,
+ GNUTLS_CERT_EXPIRED = 1024
+
 } gnutls_certificate_status_t;
 typedef enum
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h
index 452247a..c750c87 100644
--- a/includes/gnutls/x509.h
+++ b/includes/gnutls/x509.h
@@ -481,7 +481,13 @@ extern "C"
 /* Allow certificates to be signed using the broken MD5 algorithm. */
- GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
+ GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+
+ /* Disable checking of activation and expiration validity
+ * periods of certificate chains. Don't set this unless you
+ * understand the security implications.
+ */
+ GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
 } gnutls_certificate_verify_flags;
 int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 94038eb..6b126bc 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -656,6 +656,8 @@ gnutls_certificate_verify_peers (gnutls_session_t session)
 * This function will return the peer's certificate expiration time.
 *
 * Returns: (time_t)-1 on error.
+ *
+ * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
 **/
 time_t
 gnutls_certificate_expiration_time_peers (gnutls_session_t session)
@@ -701,6 +703,8 @@ gnutls_certificate_expiration_time_peers (gnutls_session_t session)
 * This is the creation time for openpgp keys.
 *
 * Returns: (time_t)-1 on error.
+ *
+ * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
 **/
 time_t
 gnutls_certificate_activation_time_peers (gnutls_session_t session)
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 4b1252e..538d96e 100644
--- a/lib/x509/verify.c.cve-2009-1417 2009-05-01 20:16:30.000000000 +0200
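Review bot: The new `/* Time verification. */` comment on the two added `gnutls_certificate_status_t` members does not say what the bits mean or how they are reported, which matters because callers mask this value to decide whether to trust a peer. In lib/x509/verify.c in this same patch each bit is set together with GNUTLS_CERT_INVALID and the check returns at the first offending certificate, so a caller must not expect other failure bits to accompany them. Suggest replacing the comment with `/* The chain contains a certificate whose validity period has not yet started (NOT_ACTIVATED) or has already ended (EXPIRED); always reported together with GNUTLS_CERT_INVALID. */`. The enum begins before this hunk.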
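Review bot: The comment on `GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64` warns about "security implications" without stating what the caller takes on. With this flag set the whole time-check block in lib/x509/verify.c is skipped, so GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED are never reported and the application becomes solely responsible for checking every certificate's validity period (e.g. with gnutls_x509_crt_get_activation_time() / gnutls_x509_crt_get_expiration_time()). Suggest appending to the comment: `* When set, GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED are never reported; the caller must check validity periods itself.`. The enum begins before this hunk.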
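Review bot: The added `* Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.` line overstates the change: the time checks in lib/x509/verify.c run only when GNUTLS_VERIFY_DISABLE_TIME_CHECKS is absent, so an application that sets that flag (assuming its verify flags are what verify_peers2() passes down) still needs this accessor, and the note does not say which flag controls this. Suggest `* Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times unless GNUTLS_VERIFY_DISABLE_TIME_CHECKS is in effect; only applications using that flag still need this function.`, with the same wording for the activation-time note in the following hunk. Whether the older gnutls_certificate_verify_peers() named in the hunk header also checks times is not visible here and is worth stating in the note either way.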
+++ b/lib/x509/verify.c 2009-05-01 20:24:19.000000000 +0200
@@ -417,6 +417,31 @@
 }
 #endif
+ /* Check activation/expiration times
+ */
+ if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
+ {
+ time_t t, now = time (0);
+
+ for (i = 0; i < clist_size; i++)
+ {
+ t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
+ if (t == (time_t) -1 || now < t)
+ {
+ status |= GNUTLS_CERT_NOT_ACTIVATED;
+ status |= GNUTLS_CERT_INVALID;
+ return status;
+ }
+
+ t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
+ if (t == (time_t) -1 || now > t)
+ {
+ status |= GNUTLS_CERT_EXPIRED;
+ status |= GNUTLS_CERT_INVALID;
+ return status;
+ }
+ }
+ }
 /* Verify the certificate path (chain) */
 for (i = clist_size - 1; i > 0; i--)
@@ -734,9 +759,6 @@
 * @verify: will hold the certificate verification output.
 *
 * This function will try to verify the given certificate list and return its status.
- Note that expiration and activation dates are not checked
- by this function, you should check them using the appropriate functions.
-
 * If no flags are specified (0), this function will use the
 * basicConstraints (2.5.29.19) PKIX extension. This means that only a certificate
 * authority is allowed to sign a certificate.
diff --git a/src/common.c b/src/common.c
index cc50888..c60900b 100644
--- a/src/common.c
+++ b/src/common.c
@@ -427,6 +427,10 @@ print_cert_vrfy (gnutls_session_t session)
 {
 if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
 printf ("- Peer's certificate issuer is unknown\n");
+ if (status & GNUTLS_CERT_NOT_ACTIVATED)
+ printf ("- Peer's certificate chain uses not yet valid certificate\n");
+ if (status & GNUTLS_CERT_EXPIRED)
+ printf ("- Peer's certificate chain uses expired certificate\n");
 if (status & GNUTLS_CERT_INVALID)
 printf ("- Peer's certificate is NOT trusted\n");
 else
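Review bot: `time (0)` on the `time_t t, now = time (0);` line is never checked for failure; if it returns (time_t)-1, `now < t` holds for every certificate with a sane notBefore and the whole chain is reported as GNUTLS_CERT_NOT_ACTIVATED, which fails closed but with a misleading status and no way for the caller to tell a clock failure from a bad chain. Suggest `now = time (NULL); if (now == (time_t) -1) { status |= GNUTLS_CERT_INVALID; return status; }` before the loop. The same (time_t)-1 sentinel is also used for accessor errors, and a notAfter of 99991231235959Z (RFC 5280's "no well-defined expiration") is not representable in a 32-bit time_t, so if gnutls_x509_crt_get_expiration_time() reports that case as -1 such certificates would be rejected as expired — worth confirming against the accessor before release. Note also that each early `return status` skips the chain-signature loop that follows, so callers only ever see the time bits plus GNUTLS_CERT_INVALID for such a chain. The enclosing function starts and ends outside this hunk.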
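Review bot: The new user-facing string `"- Peer's certificate chain uses not yet valid certificate\n"` is ungrammatical; suggest `"- Peer's certificate chain uses a not-yet-valid certificate\n"` and, for symmetry, `"- Peer's certificate chain uses an expired certificate\n"`. Both bits are set together with GNUTLS_CERT_INVALID in lib/x509/verify.c, so the existing "NOT trusted" line will always follow them, which is the right outcome for a diagnostic tool. print_cert_vrfy starts before this hunk and continues after it.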