xmw 11/03/31 10:11:01 |
|
Modified: blacklist_ssl.patch |
Log: |
echangelog |
|
(Portage version: 2.1.9.42/cvs/Linux x86_64) |
|
Revision Changes Path |
1.2 x11-libs/qt-core/files/blacklist_ssl.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch?rev=1.2&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch?rev=1.2&content-type=text/plain |
diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch?r1=1.1&r2=1.2 |
|
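--- a/x11-libs/qt-core/files/blacklist_ssl.patch
+++ b/x11-libs/qt-core/files/blacklist_ssl.patch
@@ -1,89 +1,89 @@
-diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
-index 618ac79..a5cdf01 100644
---- a/src/network/ssl/qsslcertificate.cpp
-+++ b/src/network/ssl/qsslcertificate.cpp
-@@ -219,17 +219,19 @@ bool QSslCertificate::isNull() const
- Returns true if this certificate is valid; otherwise returns
- false.
- 
-- Note: Currently, this function only checks that the current
-+ Note: Currently, this function checks that the current
- data-time is within the date-time range during which the
-- certificate is considered valid. No other checks are
-- currently performed.
-+ certificate is considered valid, and checks that the
-+ certificate is not in a blacklist of fraudulent certificates.
- 
- \sa isNull()
- */
- bool QSslCertificate::isValid() const
- {
- const QDateTime currentTime = QDateTime::currentDateTime();
-- return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
-+ return currentTime >= d->notValidBefore &&
-+ currentTime <= d->notValidAfter &&
-+ ! QSslCertificatePrivate::isBlacklisted(*this);
- }
- 
- /*!
-@@ -798,6 +800,30 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr
- return certificates;
- }
- 
-+// These certificates are known to be fraudulent and were created during the comodo
-+// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
-+static const char *certificate_blacklist[] = {
-+ "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
-+ "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
-+ "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
-+ "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
-+ "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
-+ "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
-+ "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
-+ "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
-+ "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
-+ 0
-+};
-+ 
-+bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
-+{
-+ for (int a = 0; certificate_blacklist[a] != 0; a++) {
-+ if (certificate.serialNumber() == certificate_blacklist[a])
-+ return true;
-+ }
-+ return false;
-+}
-+ 
- #ifndef QT_NO_DEBUG_STREAM
- QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
- {
-diff --git a/src/network/ssl/qsslcertificate_p.h b/src/network/ssl/qsslcertificate_p.h
-index cdceb0f..1ce33d3 100644
---- a/src/network/ssl/qsslcertificate_p.h
-+++ b/src/network/ssl/qsslcertificate_p.h
-@@ -96,6 +96,7 @@ public:
- static QSslCertificate QSslCertificate_from_X509(X509 *x509);
- static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
- static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
-+ static bool isBlacklisted(const QSslCertificate &certificate);
- 
- friend class QSslSocketBackendPrivate;
- 
-diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
-index 0866534..2427193 100644
---- a/src/network/ssl/qsslsocket_openssl.cpp
-+++ b/src/network/ssl/qsslsocket_openssl.cpp
-@@ -1193,6 +1193,13 @@ bool QSslSocketBackendPrivate::startHandshake()
- X509 *x509 = q_SSL_get_peer_certificate(ssl);
- configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
- q_X509_free(x509);
-+ if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
-+ q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
-+ q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
-+ emit q->error(QAbstractSocket::SslHandshakeFailedError);
-+ plainSocket->disconnectFromHost();
-+ return false;
-+ }
- 
- // Start translating errors.
- QList<QSslError> errors;
+diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
+index 618ac79..a5cdf01 100644
+--- a/src/network/ssl/qsslcertificate.cpp
++++ b/src/network/ssl/qsslcertificate.cpp
+@@ -219,17 +219,19 @@ bool QSslCertificate::isNull() const
+ Returns true if this certificate is valid; otherwise returns
+ false.
+ 
+- Note: Currently, this function only checks that the current
++ Note: Currently, this function checks that the current
+ data-time is within the date-time range during which the
+- certificate is considered valid. No other checks are
+- currently performed.
++ certificate is considered valid, and checks that the
++ certificate is not in a blacklist of fraudulent certificates.
+ 
+ \sa isNull()
+ */
+ bool QSslCertificate::isValid() const
+ {
+ const QDateTime currentTime = QDateTime::currentDateTime();
+- return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
++ return currentTime >= d->notValidBefore &&
++ currentTime <= d->notValidAfter &&
++ ! QSslCertificatePrivate::isBlacklisted(*this);
+ }
+ 
+ /*!
+@@ -798,6 +800,30 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr
+ return certificates;
+ }
+ 
++// These certificates are known to be fraudulent and were created during the comodo
++// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
++static const char *certificate_blacklist[] = {
++ "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
++ "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
++ "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
++ "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
++ "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
++ "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
++ "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
++ "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
++ "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
++ 0
++};
++ 
++bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
++{
++ for (int a = 0; certificate_blacklist[a] != 0; a++) {
++ if (certificate.serialNumber() == certificate_blacklist[a])
++ return true;
++ }
++ return false;
++}
++ 
+ #ifndef QT_NO_DEBUG_STREAM
+ QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
+ {
+diff --git a/src/network/ssl/qsslcertificate_p.h b/src/network/ssl/qsslcertificate_p.h
+index cdceb0f..1ce33d3 100644
+--- a/src/network/ssl/qsslcertificate_p.h
++++ b/src/network/ssl/qsslcertificate_p.h
+@@ -96,6 +96,7 @@ public:
+ static QSslCertificate QSslCertificate_from_X509(X509 *x509);
+ static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
+ static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
++ static bool isBlacklisted(const QSslCertificate &certificate);
+ 
+ friend class QSslSocketBackendPrivate;
+ 
+diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
+index 0866534..2427193 100644
+--- a/src/network/ssl/qsslsocket_openssl.cpp
++++ b/src/network/ssl/qsslsocket_openssl.cpp
+@@ -1193,6 +1193,13 @@ bool QSslSocketBackendPrivate::startHandshake()
+ X509 *x509 = q_SSL_get_peer_certificate(ssl);
+ configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
+ q_X509_free(x509);
++ if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
++ q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
++ q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
++ emit q->error(QAbstractSocket::SslHandshakeFailedError);
++ plainSocket->disconnectFromHost();
++ return false;
++ }
+ 
+ // Start translating errors.
+ QList<QSslError> errors;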
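Review bot: The isBlacklisted() added to qsslcertificate.cpp on the new side rejects a certificate on serialNumber() alone, but an X.509 serial number is only unique within one issuer, so a legitimate certificate from an unrelated CA that happens to carry one of the nine listed serials is refused as well, and nothing records which CA the entries belong to. The comparison also depends on serialNumber() rendering in exactly the table's lower-case, colon-separated form; if the rendering differs, every entry misses silently, so a unit test matching one listed serial against a parsed certificate would catch that. Pairing each entry with its issuer (a `{serial, issuer}` table checked alongside `certificate.issuerInfo(QSslCertificate::CommonName)`) and stating the expected serial format in the comment above `certificate_blacklist` would close both gaps. As far as the rendering shows, this hunk re-adds the patch text unchanged (presumably a whitespace or line-ending cleanup), so the point concerns the carried-forward code rather than anything this commit alters.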