Google Git
Sign in
fuchsia / third_party / curl / refs/tags/curl-7_16_4^! / .
commit4b1782c37141b82aa118eaf05061bb9ba1759700[log] [tgz]
authorDaniel Stenberg <daniel@haxx.se>Tue Jul 10 21:36:30 2007 +0000
committerDaniel Stenberg <daniel@haxx.se>Tue Jul 10 21:36:30 2007 +0000
tree2ae4d54b8206e7297420535767052e527731c2f1
parentf84642197f618836bd371688fcfbb59e60902bc2 [diff]
7.16.4 preps

diff --git a/CHANGES b/CHANGES
index 2557530..dcf7b48 100644
--- a/CHANGES
+++ b/CHANGES

@@ -6,6 +6,14 @@
 
                                   Changelog
 
+Version 7.16.4 (10 July 2007)
+
+Daniel S (10 July 2007)
+- Kees Cook notified us about a security flaw
+  (http://curl.haxx.se/docs/adv_20070710.html) in which libcurl failed to
+  properly reject some outdated or not yet valid server certificates when
+  built with GnuTLS. Kees also provided the patch.
+
 James H (5 July 2007)
 - Gavrie Philipson provided a patch that will use a more specific error
   message for an scp:// upload failure.  If libssh2 has his matching

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 98b479e..acb4425 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES

@@ -22,6 +22,9 @@
  o fixed the 10-at-a-time.c example
  o FTP over SOCKS proxy
  o improved error messages on SCP upload failures
+ o security flaw (http://curl.haxx.se/docs/adv_20070710.html) in which libcurl
+   failed to properly reject some outdated or not yet valid server certificates
+   when built with GnuTLS
 
 This release includes the following known bugs:
 
@@ -39,6 +42,6 @@
 advice from friends like these:
 
  Robert Iakobashvili, James Housley, Günter Knauf, James Bursa, Song Ma,
- Thomas J. Moore, Gavrie Philipson
+ Thomas J. Moore, Gavrie Philipson, Kees Cook
 
         Thanks! (and sorry if I forgot to mention someone)

diff --git a/lib/gtls.c b/lib/gtls.c
index 0e100c6..a84128e 100644
--- a/lib/gtls.c
+++ b/lib/gtls.c

@@ -420,6 +420,43 @@
   else
     infof(data, "\t common name: %s (matched)\n", certbuf);
 
+  /* Check for time-based validity */
+  clock = gnutls_x509_crt_get_expiration_time(x509_cert);
+
+  if(clock == (time_t)-1) {
+    failf(data, "server cert expiration date verify failed");
+    return CURLE_SSL_CONNECT_ERROR;
+  }
+
+  if(clock < time(NULL)) {
+    if (data->set.ssl.verifypeer) {
+      failf(data, "server certificate expiration date has passed.");
+      return CURLE_SSL_PEER_CERTIFICATE;
+    }
+    else
+      infof(data, "\t server certificate expiration date FAILED\n");
+  }
+  else
+    infof(data, "\t server certificate expiration date OK\n");
+
+  clock = gnutls_x509_crt_get_activation_time(x509_cert);
+
+  if(clock == (time_t)-1) {
+    failf(data, "server cert activation date verify failed");
+    return CURLE_SSL_CONNECT_ERROR;
+  }
+
+  if(clock > time(NULL)) {
+    if (data->set.ssl.verifypeer) {
+      failf(data, "server certificate not activated yet.");
+      return CURLE_SSL_PEER_CERTIFICATE;
+    }
+    else
+      infof(data, "\t server certificate activation date FAILED\n");
+  }
+  else
+    infof(data, "\t server certificate activation date OK\n");
+
   /* Show:
 
   - ciphers used