
gnutls-2.4.1-2.3mdv2009.0.src.rpm

--- a/includes/gnutls/gnutls.h.in
+++ b/includes/gnutls/gnutls.h.in
@@ -251,7 +251,13 @@ extern "C"
      */
     GNUTLS_CERT_SIGNER_NOT_FOUND = 64,
     GNUTLS_CERT_SIGNER_NOT_CA = 128,
-    GNUTLS_CERT_INSECURE_ALGORITHM = 256
+    GNUTLS_CERT_INSECURE_ALGORITHM = 256,
+
+    /* Time verification.
+     */
+    GNUTLS_CERT_NOT_ACTIVATED = 512,
+    GNUTLS_CERT_EXPIRED = 1024
+
   } gnutls_certificate_status_t;

   typedef enum
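Review bot: The comment `/* Time verification. */` above the new GNUTLS_CERT_NOT_ACTIVATED and GNUTLS_CERT_EXPIRED constants does not tell an API user what the bits mean or when they are produced. In the lib/x509/verify.c hunk of this patch they are set only when GNUTLS_VERIFY_DISABLE_TIME_CHECKS is absent from the verification flags, and always together with GNUTLS_CERT_INVALID. Suggested comment: `/* Time verification: a certificate in the chain is not yet valid (GNUTLS_CERT_NOT_ACTIVATED) or has expired (GNUTLS_CERT_EXPIRED). Set together with GNUTLS_CERT_INVALID unless GNUTLS_VERIFY_DISABLE_TIME_CHECKS is used. */`. The enum's opening `typedef enum` is outside the hunk.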
diff --git a/includes/gnutls/x509.h b/includes/gnutls/x509.h
index 452247a..c750c87 100644
--- a/includes/gnutls/x509.h
+++ b/includes/gnutls/x509.h
@@ -481,7 +481,13 @@ extern "C"

     /* Allow certificates to be signed using the broken MD5 algorithm.
      */
-    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32
+    GNUTLS_VERIFY_ALLOW_SIGN_RSA_MD5 = 32,
+
+    /* Disable checking of activation and expiration validity
+     * periods of certificate chains. Don't set this unless you
+     * understand the security implications.
+     */
+    GNUTLS_VERIFY_DISABLE_TIME_CHECKS = 64
   } gnutls_certificate_verify_flags;

   int gnutls_x509_crt_check_issuer (gnutls_x509_crt_t cert,
diff --git a/lib/gnutls_cert.c b/lib/gnutls_cert.c
index 94038eb..6b126bc 100644
--- a/lib/gnutls_cert.c
+++ b/lib/gnutls_cert.c
@@ -656,6 +656,8 @@ gnutls_certificate_verify_peers (gnutls_session_t session)
   * This function will return the peer's certificate expiration time.
   *
   * Returns: (time_t)-1 on error.
+  *
+  * Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times.
   **/
 time_t
 gnutls_certificate_expiration_time_peers (gnutls_session_t session)
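Review bot: The added `Deprecated:` line states that gnutls_certificate_verify_peers2() now verifies expiration times, but in the lib/x509/verify.c hunk the time checks are skipped whenever GNUTLS_VERIFY_DISABLE_TIME_CHECKS is among the verification flags (presumably reachable through the session's verify flags), so this accessor remains the only source of the expiration time for callers that set that flag. Suggest `* Deprecated: gnutls_certificate_verify_peers2() now verifies expiration times unless GNUTLS_VERIFY_DISABLE_TIME_CHECKS is set.`. The same applies to the activation-time comment added in the next hunk of this file.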
@@ -701,6 +703,8 @@ gnutls_certificate_expiration_time_peers (gnutls_session_t session)
   * This is the creation time for openpgp keys.
   *
   * Returns: (time_t)-1 on error.
+  *
+  * Deprecated: gnutls_certificate_verify_peers2() now verifies activation times.
   **/
 time_t
 gnutls_certificate_activation_time_peers (gnutls_session_t session)
diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 4b1252e..538d96e 100644
--- a/lib/x509/verify.c.cve-2009-1417	2009-05-01 20:16:30.000000000 +0200
+++ b/lib/x509/verify.c	2009-05-01 20:24:19.000000000 +0200
@@ -417,6 +417,31 @@
     }
 #endif
 
+  /* Check activation/expiration times
+   */
+  if (!(flags & GNUTLS_VERIFY_DISABLE_TIME_CHECKS))
+    {
+      time_t t, now = time (0);
+
+      for (i = 0; i < clist_size; i++)
+	{
+	  t = gnutls_x509_crt_get_activation_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now < t)
+	    {
+	      status |= GNUTLS_CERT_NOT_ACTIVATED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+
+	  t = gnutls_x509_crt_get_expiration_time (certificate_list[i]);
+	  if (t == (time_t) -1 || now > t)
+	    {
+	      status |= GNUTLS_CERT_EXPIRED;
+	      status |= GNUTLS_CERT_INVALID;
+	      return status;
+	    }
+	}
+    }
   /* Verify the certificate path (chain) 
    */
   for (i = clist_size - 1; i > 0; i--)
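Review bot: The two `return status;` statements inside the new time-check loop abort verification at the first certificate with a bad validity period, so the chain verification that follows the hunk never runs and callers see only the time-related bits for that one certificate. If fail-fast is the intent it deserves a comment, e.g. `/* Stop at the first bad validity period; the remaining checks are not run. */`; if every reason should be reported, replace each `return status;` with `continue;` and let the existing flow carry the accumulated status. Treating a `(time_t) -1` result from the getters as a failure is the right fail-closed choice, but `now` itself is unchecked and a `(time_t) -1` from `time (0)` would classify every certificate as not yet activated; `time (NULL)` would also match the conventional spelling. The enclosing function, and the declarations of status, flags, i, clist_size and certificate_list, begin before this hunk.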
@@ -734,9 +759,6 @@
   * @verify: will hold the certificate verification output.
   *
   * This function will try to verify the given certificate list and return its status.
-  * Note that expiration and activation dates are not checked
-  * by this function, you should check them using the appropriate functions.
-  *
   * If no flags are specified (0), this function will use the 
   * basicConstraints (2.5.29.19) PKIX extension. This means that only a certificate 
   * authority is allowed to sign a certificate.
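Review bot: Deleting the old sentence leaves this documentation silent on validity periods, although the first hunk in this file now makes them part of the returned status. Suggested replacement at the deleted position: ` * Activation and expiration times of every certificate in the list are checked unless GNUTLS_VERIFY_DISABLE_TIME_CHECKS is given in @flags; a failure sets GNUTLS_CERT_NOT_ACTIVATED or GNUTLS_CERT_EXPIRED together with GNUTLS_CERT_INVALID.`. The name of the documented function is outside the hunk, so verify that this comment block belongs to the entry point that reaches the new check.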
diff --git a/src/common.c b/src/common.c
index cc50888..c60900b 100644
--- a/src/common.c
+++ b/src/common.c
@@ -427,6 +427,10 @@ print_cert_vrfy (gnutls_session_t session)
     {
       if (status & GNUTLS_CERT_SIGNER_NOT_FOUND)
 	printf ("- Peer's certificate issuer is unknown\n");
+      if (status & GNUTLS_CERT_NOT_ACTIVATED)
+	printf ("- Peer's certificate chain uses not yet valid certificate\n");
+      if (status & GNUTLS_CERT_EXPIRED)
+	printf ("- Peer's certificate chain uses expired certificate\n");
       if (status & GNUTLS_CERT_INVALID)
 	printf ("- Peer's certificate is NOT trusted\n");
       else
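Review bot: The two new messages read awkwardly (`uses not yet valid certificate`, `uses expired certificate`); suggest `printf ("- Peer's certificate chain contains a not-yet-valid certificate\n");` and `printf ("- Peer's certificate chain contains an expired certificate\n");`. If the status comes from the lib/x509/verify.c path in this patch, which returns on the first failing certificate, at most one of these lines prints per verification and it is always accompanied by the existing GNUTLS_CERT_INVALID line below. print_cert_vrfy begins before this hunk.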