← Back to branch summary

~ubuntu-branches/ubuntu/edgy/curl/edgy-security

« back to all changes in this revision

Viewing changes to lib/gtls.c

  • Committer: Bazaar Package Importer
  • Author(s): Kees Cook
  • Date: 2007-06-27 12:16:00 UTC
  • mfrom: (9.1.2 edgy-updates)
  • Revision ID: james.westby@ubuntu.com-20070627121600-1tbatxed60iaq00p
Tags: 7.15.4-1ubuntu2.2
lib/gtls.c: actually perform expiration and activation verifications
(CVE-2007-3564).

Show diffs side-by-side

added added

removed removed

Lines of Context:
lib/gtls.c
379
379
  else
380
380
    infof(data, "\t common name: %s (matched)\n", certbuf);
381
381
 
 
382
  /* Check for time-based validity */
 
383
  clock = gnutls_x509_crt_get_expiration_time(x509_cert);
 
384
 
 
385
  if(clock == (time_t)-1) {
 
386
    failf(data, "server cert expiration date verify failed");
 
387
    return CURLE_SSL_CONNECT_ERROR;
 
388
  }
 
389
 
 
390
  if(clock < time(NULL)) {
 
391
    if (data->set.ssl.verifypeer) {
 
392
      failf(data, "server certificate expiration date has passed.");
 
393
      return CURLE_SSL_PEER_CERTIFICATE;
 
394
    }
 
395
    else
 
396
      infof(data, "\t server certificate expiration date FAILED\n");
 
397
  }
 
398
  else
 
399
    infof(data, "\t server certificate expiration date OK\n");
 
400
    
 
401
  clock = gnutls_x509_crt_get_activation_time(x509_cert);
 
402
 
 
403
  if(clock == (time_t)-1) {
 
404
    failf(data, "server cert activation date verify failed");
 
405
    return CURLE_SSL_CONNECT_ERROR;
 
406
  }
 
407
 
 
408
  if(clock > time(NULL)) {
 
409
    if (data->set.ssl.verifypeer) {
 
410
      failf(data, "server certificate not activated yet.");
 
411
      return CURLE_SSL_PEER_CERTIFICATE;
 
412
    }
 
413
    else
 
414
      infof(data, "\t server certificate activation date FAILED\n");
 
415
  }
 
416
  else
 
417
    infof(data, "\t server certificate activation date OK\n");
 
418
 
382
419
  /* Show:
383
420
 
384
421
  - ciphers used