From 4b1782c37141b82aa118eaf05061bb9ba1759700 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 10 Jul 2007 21:36:30 +0000 Subject: 7.16.4 preps --- CHANGES | 8 ++++++++ RELEASE-NOTES | 5 ++++- lib/gtls.c | 37 +++++++++++++++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) diff --git a/CHANGES b/CHANGES index 2557530c2..dcf7b48b9 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,14 @@ Changelog +Version 7.16.4 (10 July 2007) + +Daniel S (10 July 2007) +- Kees Cook notified us about a security flaw + (http://curl.haxx.se/docs/adv_20070710.html) in which libcurl failed to + properly reject some outdated or not yet valid server certificates when + built with GnuTLS. Kees also provided the patch. + James H (5 July 2007) - Gavrie Philipson provided a patch that will use a more specific error message for an scp:// upload failure. If libssh2 has his matching diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 98b479e09..acb4425b7 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -22,6 +22,9 @@ This release includes the following bugfixes: o fixed the 10-at-a-time.c example o FTP over SOCKS proxy o improved error messages on SCP upload failures + o security flaw (http://curl.haxx.se/docs/adv_20070710.html) in which libcurl + failed to properly reject some outdated or not yet valid server certificates + when built with GnuTLS This release includes the following known bugs: @@ -39,6 +42,6 @@ This release would not have looked like this without help, code, reports and advice from friends like these: Robert Iakobashvili, James Housley, Günter Knauf, James Bursa, Song Ma, - Thomas J. Moore, Gavrie Philipson + Thomas J. Moore, Gavrie Philipson, Kees Cook Thanks! (and sorry if I forgot to mention someone) diff --git a/lib/gtls.c b/lib/gtls.c index 0e100c621..a84128e3e 100644 --- a/lib/gtls.c +++ b/lib/gtls.c 
@@ -420,6 +420,43 @@ Curl_gtls_connect(struct connectdata *conn,
 else
 infof(data, "\t common name: %s (matched)\n", certbuf);
+ /* Check for time-based validity */
+ clock = gnutls_x509_crt_get_expiration_time(x509_cert);
+
+ if(clock == (time_t)-1) {
+ failf(data, "server cert expiration date verify failed");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ if(clock < time(NULL)) {
+ if (data->set.ssl.verifypeer) {
+ failf(data, "server certificate expiration date has passed.");
+ return CURLE_SSL_PEER_CERTIFICATE;
+ }
+ else
+ infof(data, "\t server certificate expiration date FAILED\n");
+ }
+ else
+ infof(data, "\t server certificate expiration date OK\n");
+
+ clock = gnutls_x509_crt_get_activation_time(x509_cert);
+
+ if(clock == (time_t)-1) {
+ failf(data, "server cert activation date verify failed");
+ return CURLE_SSL_CONNECT_ERROR;
+ }
+
+ if(clock > time(NULL)) {
+ if (data->set.ssl.verifypeer) {
+ failf(data, "server certificate not activated yet.");
+ return CURLE_SSL_PEER_CERTIFICATE;
+ }
+ else
+ infof(data, "\t server certificate activation date FAILED\n");
+ }
+ else
+ infof(data, "\t server certificate activation date OK\n");
+
 /* Show: - ciphers used -- cgit v1.2.3
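Review bot: The wall clock is read twice in the added lines — `clock < time(NULL)` for the expiration check and `clock > time(NULL)` for the activation check — so the two comparisons use different instants and a `(time_t)-1` failure return from `time()` is never detected, unlike the matching check on the GnuTLS getters; read it once up front with `time_t now = time(NULL);`, reject `now == (time_t)-1` the same way the getter failures are rejected, and compare `clock < now` and `clock > now` against that value. Only the peer's leaf certificate `x509_cert` is examined here; whether the chain verification earlier in the function enforces validity periods on issuer certificates is not visible in the hunk, so it is worth confirming that an expired or not-yet-valid intermediate is rejected as well, since the advisory this fixes is about exactly this class of gap. The local `clock` (declared outside the hunk) shadows the standard `clock()` function from `<time.h>`; a name such as `cert_time` would avoid that confusion. Spacing is mixed within the added conditionals (`if(clock ...)` beside `if (data->set.ssl.verifypeer)`), and the other added lines use `if(`. Curl_gtls_connect begins and ends outside the hunk.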