
From: "Michael Weber (xmw)" <xmw@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in x11-libs/qt-core/files: blacklist_ssl.patch
Date: Thu, 31 Mar 2011 10:11:12
Message-Id: 20110331101101.D662120057@flycatcher.gentoo.org
1 xmw 11/03/31 10:11:01
2
3 Modified: blacklist_ssl.patch
4 Log:
5 echangelog
6
7 (Portage version: 2.1.9.42/cvs/Linux x86_64)
8
9 Revision Changes Path
10 1.2 x11-libs/qt-core/files/blacklist_ssl.patch
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch?rev=1.2&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch?rev=1.2&content-type=text/plain
14 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch?r1=1.1&r2=1.2
15
16 Index: blacklist_ssl.patch
17 ===================================================================
18 RCS file: /var/cvsroot/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch,v
19 retrieving revision 1.1
20 retrieving revision 1.2
21 diff -u -r1.1 -r1.2
22 --- blacklist_ssl.patch 31 Mar 2011 01:10:24 -0000 1.1
23 +++ blacklist_ssl.patch 31 Mar 2011 10:11:01 -0000 1.2
24 @@ -1,89 +1,89 @@
25 -diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
26 -index 618ac79..a5cdf01 100644
27 ---- a/src/network/ssl/qsslcertificate.cpp
28 -+++ b/src/network/ssl/qsslcertificate.cpp
29 -@@ -219,17 +219,19 @@ bool QSslCertificate::isNull() const
30 - Returns true if this certificate is valid; otherwise returns
31 - false.
32 -
33 -- Note: Currently, this function only checks that the current
34 -+ Note: Currently, this function checks that the current
35 - data-time is within the date-time range during which the
36 -- certificate is considered valid. No other checks are
37 -- currently performed.
38 -+ certificate is considered valid, and checks that the
39 -+ certificate is not in a blacklist of fraudulent certificates.
40 -
41 - \sa isNull()
42 - */
43 - bool QSslCertificate::isValid() const
44 - {
45 - const QDateTime currentTime = QDateTime::currentDateTime();
46 -- return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
47 -+ return currentTime >= d->notValidBefore &&
48 -+ currentTime <= d->notValidAfter &&
49 -+ ! QSslCertificatePrivate::isBlacklisted(*this);
50 - }
51 -
52 - /*!
53 -@@ -798,6 +800,30 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr
54 - return certificates;
55 - }
56 -
57 -+// These certificates are known to be fraudulent and were created during the comodo
58 -+// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
59 -+static const char *certificate_blacklist[] = {
60 -+ "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
61 -+ "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
62 -+ "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
63 -+ "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
64 -+ "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
65 -+ "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
66 -+ "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
67 -+ "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
68 -+ "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
69 -+ 0
70 -+};
71 -+
72 -+bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
73 -+{
74 -+ for (int a = 0; certificate_blacklist[a] != 0; a++) {
75 -+ if (certificate.serialNumber() == certificate_blacklist[a])
76 -+ return true;
77 -+ }
78 -+ return false;
79 -+}
80 -+
81 - #ifndef QT_NO_DEBUG_STREAM
82 - QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
83 - {
84 -diff --git a/src/network/ssl/qsslcertificate_p.h b/src/network/ssl/qsslcertificate_p.h
85 -index cdceb0f..1ce33d3 100644
86 ---- a/src/network/ssl/qsslcertificate_p.h
87 -+++ b/src/network/ssl/qsslcertificate_p.h
88 -@@ -96,6 +96,7 @@ public:
89 - static QSslCertificate QSslCertificate_from_X509(X509 *x509);
90 - static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
91 - static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
92 -+ static bool isBlacklisted(const QSslCertificate &certificate);
93 -
94 - friend class QSslSocketBackendPrivate;
95 -
96 -diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
97 -index 0866534..2427193 100644
98 ---- a/src/network/ssl/qsslsocket_openssl.cpp
99 -+++ b/src/network/ssl/qsslsocket_openssl.cpp
100 -@@ -1193,6 +1193,13 @@ bool QSslSocketBackendPrivate::startHandshake()
101 - X509 *x509 = q_SSL_get_peer_certificate(ssl);
102 - configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
103 - q_X509_free(x509);
104 -+ if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
105 -+ q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
106 -+ q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
107 -+ emit q->error(QAbstractSocket::SslHandshakeFailedError);
108 -+ plainSocket->disconnectFromHost();
109 -+ return false;
110 -+ }
111 -
112 - // Start translating errors.
113 - QList<QSslError> errors;
114 +diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
115 +index 618ac79..a5cdf01 100644
116 +--- a/src/network/ssl/qsslcertificate.cpp
117 ++++ b/src/network/ssl/qsslcertificate.cpp
118 +@@ -219,17 +219,19 @@ bool QSslCertificate::isNull() const
119 + Returns true if this certificate is valid; otherwise returns
120 + false.
121 +
122 +- Note: Currently, this function only checks that the current
123 ++ Note: Currently, this function checks that the current
124 + data-time is within the date-time range during which the
125 +- certificate is considered valid. No other checks are
126 +- currently performed.
127 ++ certificate is considered valid, and checks that the
128 ++ certificate is not in a blacklist of fraudulent certificates.
129 +
130 + \sa isNull()
131 + */
132 + bool QSslCertificate::isValid() const
133 + {
134 + const QDateTime currentTime = QDateTime::currentDateTime();
135 +- return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
136 ++ return currentTime >= d->notValidBefore &&
137 ++ currentTime <= d->notValidAfter &&
138 ++ ! QSslCertificatePrivate::isBlacklisted(*this);
139 + }
140 +
141 + /*!
142 +@@ -798,6 +800,30 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr
143 + return certificates;
144 + }
145 +
146 ++// These certificates are known to be fraudulent and were created during the comodo
147 ++// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
148 ++static const char *certificate_blacklist[] = {
149 ++ "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
150 ++ "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
151 ++ "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
152 ++ "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
153 ++ "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
154 ++ "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
155 ++ "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
156 ++ "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
157 ++ "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
158 ++ 0
159 ++};
160 ++
161 ++bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
162 ++{
163 ++ for (int a = 0; certificate_blacklist[a] != 0; a++) {
164 ++ if (certificate.serialNumber() == certificate_blacklist[a])
165 ++ return true;
166 ++ }
167 ++ return false;
168 ++}
169 ++
170 + #ifndef QT_NO_DEBUG_STREAM
171 + QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
172 + {
173 +diff --git a/src/network/ssl/qsslcertificate_p.h b/src/network/ssl/qsslcertificate_p.h
174 +index cdceb0f..1ce33d3 100644
175 +--- a/src/network/ssl/qsslcertificate_p.h
176 ++++ b/src/network/ssl/qsslcertificate_p.h
177 +@@ -96,6 +96,7 @@ public:
178 + static QSslCertificate QSslCertificate_from_X509(X509 *x509);
179 + static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
180 + static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
181 ++ static bool isBlacklisted(const QSslCertificate &certificate);
182 +
183 + friend class QSslSocketBackendPrivate;
184 +
185 +diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
186 +index 0866534..2427193 100644
187 +--- a/src/network/ssl/qsslsocket_openssl.cpp
188 ++++ b/src/network/ssl/qsslsocket_openssl.cpp
189 +@@ -1193,6 +1193,13 @@ bool QSslSocketBackendPrivate::startHandshake()
190 + X509 *x509 = q_SSL_get_peer_certificate(ssl);
191 + configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
192 + q_X509_free(x509);
193 ++ if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
194 ++ q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
195 ++ q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
196 ++ emit q->error(QAbstractSocket::SslHandshakeFailedError);
197 ++ plainSocket->disconnectFromHost();
198 ++ return false;
199 ++ }
200 +
201 + // Start translating errors.
202 + QList<QSslError> errors;
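Review bot: The match in `QSslCertificatePrivate::isBlacklisted` on the new side, `if (certificate.serialNumber() == certificate_blacklist[a])`, keys on the serial number alone, and an X.509 serial is only unique within one issuing CA, so any certificate from an unrelated CA that happens to carry one of these nine serials is rejected at `startHandshake()` with "The peer certificate is blacklisted", while the table records nothing about which issuer each entry was meant for. Pairing each serial with the expected issuer (or subject common name) and requiring both to match would close that collision and make the table self-documenting; that is a rewrite of the table and the loop rather than a one-liner. The comparison is also an exact byte match against lowercase, colon-separated hex, so it silently never fires if `serialNumber()` renders the value in another case or format on some Qt/OpenSSL builds — presumably worth normalising, e.g. `if (certificate.serialNumber().toLower() == certificate_blacklist[a])`, and stating the expected format in a comment above the table. This revision appears to re-add every line of the patch unchanged (a line-ending or whitespace fix, as far as the diff shows), so these points concern the carried patch rather than this commit's delta. The `startHandshake()` body the last file hunk patches continues past the end of what is shown here.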