
From: "TomAs Touceda (chiiph)" <chiiph@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in x11-libs/qt-core/files: blacklist_ssl.patch
Date: Thu, 31 Mar 2011 01:10:41
Message-Id: 20110331011024.1DC002004B@flycatcher.gentoo.org
1 chiiph 11/03/31 01:10:24
2
3 Added: blacklist_ssl.patch
4 Log:
5 Revbump qt-core: add SSL blacklist patch from upstream
6
7 (Portage version: 2.2.0_alpha28/cvs/Linux i686)
8
9 Revision Changes Path
10 1.1 x11-libs/qt-core/files/blacklist_ssl.patch
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch?rev=1.1&content-type=text/plain
14
15 Index: blacklist_ssl.patch
16 ===================================================================
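diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
index 618ac79..a5cdf01 100644
--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
@@ -219,17 +219,19 @@ bool QSslCertificate::isNull() const
 Returns true if this certificate is valid; otherwise returns
 false.
 
- Note: Currently, this function only checks that the current
+ Note: Currently, this function checks that the current
 data-time is within the date-time range during which the
- certificate is considered valid. No other checks are
- currently performed.
+ certificate is considered valid, and checks that the
+ certificate is not in a blacklist of fraudulent certificates.
 
 \sa isNull()
 */
 bool QSslCertificate::isValid() const
 {
 const QDateTime currentTime = QDateTime::currentDateTime();
- return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
+ return currentTime >= d->notValidBefore &&
+ currentTime <= d->notValidAfter &&
+ ! QSslCertificatePrivate::isBlacklisted(*this);
 }
 
 /*!
@@ -798,6 +800,30 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr
 return certificates;
 }
 
+// These certificates are known to be fraudulent and were created during the comodo
+// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
+static const char *certificate_blacklist[] = {
+ "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
+ "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
+ "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
+ "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
+ "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
+ "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
+ "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
+ "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
+ "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
+ 0
+};
+
+bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
+{
+ for (int a = 0; certificate_blacklist[a] != 0; a++) {
+ if (certificate.serialNumber() == certificate_blacklist[a])
+ return true;
+ }
+ return false;
+}
+
 #ifndef QT_NO_DEBUG_STREAM
 QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
 {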
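Review bot: isBlacklisted() matches on serialNumber() alone, and a serial number is only unique within one issuer, so the table should pin the issuer as well — e.g. compare `certificate.issuerInfo(QSslCertificate::CommonName)` next to the serial — otherwise an unrelated certificate from another CA that happens to carry the same serial is rejected, and the entry does not express which CA it was forged under. The comparison also relies on serialNumber() producing exactly the lowercase, colon-separated hex form used in the table; that formatting is not visible in this hunk, and if it differs every entry fails to match silently, so this is worth confirming. A comment on the table stating the expected format, `// Entries are compared byte-for-byte against QSslCertificate::serialNumber(): lowercase colon-separated hex`, would keep future additions consistent.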
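diff --git a/src/network/ssl/qsslcertificate_p.h b/src/network/ssl/qsslcertificate_p.h
index cdceb0f..1ce33d3 100644
--- a/src/network/ssl/qsslcertificate_p.h
+++ b/src/network/ssl/qsslcertificate_p.h
@@ -96,6 +96,7 @@ public:
 static QSslCertificate QSslCertificate_from_X509(X509 *x509);
 static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
 static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
+ static bool isBlacklisted(const QSslCertificate &certificate);
 
 friend class QSslSocketBackendPrivate;
 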
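diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 0866534..2427193 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1193,6 +1193,13 @@ bool QSslSocketBackendPrivate::startHandshake()
 X509 *x509 = q_SSL_get_peer_certificate(ssl);
 configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
 q_X509_free(x509);
+ if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
+ q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
+ q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
+ emit q->error(QAbstractSocket::SslHandshakeFailedError);
+ plainSocket->disconnectFromHost();
+ return false;
+ }
 
 // Start translating errors.
 QList<QSslError> errors;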
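Review bot: The added check inspects only the leaf certificate in configuration.peerCertificate, so a blacklisted certificate presented elsewhere in the chain (an intermediate) is not caught; if this function also populates a peer certificate chain (outside the hunk), running isBlacklisted() over every element of that chain would close that gap. The early return deliberately skips the QSslError collection that begins right below, which means a blacklisted peer is a hard failure rather than an error the application can choose to ignore — that appears to be the intent, and a comment such as `// Hard failure on purpose: a blacklisted peer must not be acceptable by ignoring SSL errors.` would stop a later refactor from folding it into the error list. startHandshake() begins and continues outside the hunk.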