chiiph 11/03/31 01:10:24 |
Added: blacklist_ssl.patch |
Log: |
Revbump qt-core: add SSL blacklist patch from upstream |
(Portage version: 2.2.0_alpha28/cvs/Linux i686) |
Revision Changes Path |
1.1 x11-libs/qt-core/files/blacklist_ssl.patch |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/qt-core/files/blacklist_ssl.patch?rev=1.1&content-type=text/plain |
Index: blacklist_ssl.patch |
=================================================================== |
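diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
index 618ac79..a5cdf01 100644
--- a/src/network/ssl/qsslcertificate.cpp
+++ b/src/network/ssl/qsslcertificate.cpp
@@ -219,17 +219,19 @@ bool QSslCertificate::isNull() const
 Returns true if this certificate is valid; otherwise returns
 false.
 
- Note: Currently, this function only checks that the current
+ Note: Currently, this function checks that the current
 data-time is within the date-time range during which the
- certificate is considered valid. No other checks are
- currently performed.
+ certificate is considered valid, and checks that the
+ certificate is not in a blacklist of fraudulent certificates.
 
 \sa isNull()
 */
 bool QSslCertificate::isValid() const
 {
 const QDateTime currentTime = QDateTime::currentDateTime();
- return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
+ return currentTime >= d->notValidBefore &&
+ currentTime <= d->notValidAfter &&
+ ! QSslCertificatePrivate::isBlacklisted(*this);
 }
 
 /*!
@@ -798,6 +800,30 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr
 return certificates;
 }
 
+// These certificates are known to be fraudulent and were created during the comodo
+// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
+static const char *certificate_blacklist[] = {
+ "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
+ "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
+ "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
+ "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
+ "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
+ "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
+ "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
+ "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
+ "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
+ 0
+};
+
+bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
+{
+ for (int a = 0; certificate_blacklist[a] != 0; a++) {
+ if (certificate.serialNumber() == certificate_blacklist[a])
+ return true;
+ }
+ return false;
+}
+
 #ifndef QT_NO_DEBUG_STREAM
 QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
 {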
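diff --git a/src/network/ssl/qsslcertificate_p.h b/src/network/ssl/qsslcertificate_p.h
index cdceb0f..1ce33d3 100644
--- a/src/network/ssl/qsslcertificate_p.h
+++ b/src/network/ssl/qsslcertificate_p.h
@@ -96,6 +96,7 @@ public:
 static QSslCertificate QSslCertificate_from_X509(X509 *x509);
 static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
 static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
+ static bool isBlacklisted(const QSslCertificate &certificate);
 
 friend class QSslSocketBackendPrivate;
 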
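diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 0866534..2427193 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1193,6 +1193,13 @@ bool QSslSocketBackendPrivate::startHandshake()
 X509 *x509 = q_SSL_get_peer_certificate(ssl);
 configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
 q_X509_free(x509);
+ if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
+ q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
+ q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
+ emit q->error(QAbstractSocket::SslHandshakeFailedError);
+ plainSocket->disconnectFromHost();
+ return false;
+ }
 
 // Start translating errors.
 QList<QSslError> errors;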
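Review bot: The blacklist rejection is placed before the `// Start translating errors.` section that builds the QSslError list, so it is reported as a hard SslHandshakeFailedError and is not one of the errors an application can waive with ignoreSslErrors(); that appears deliberate and is the right property for a known-fraudulent certificate, but the code does not say so and a later refactor could move it into the waivable list. Add a comment above the new `if`, e.g. `// Reject blacklisted certificates outright, before the SSL error list is built, so ignoreSslErrors() cannot override this.`. Whether a peer that presents no certificate (x509 null) reaches isBlacklisted() with a null QSslCertificate, and what serialNumber() returns then, is not visible from this hunk and is worth confirming. startHandshake() begins and continues outside the hunk.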