# --- T2-COPYRIGHT-NOTE-BEGIN --- # This copyright note is auto-generated by ./scripts/Create-CopyPatch. # # T2 SDE: package/.../curl/CVE-2007-3564.patch # Copyright (C) 2007 The T2 SDE Project # # More information can be found in the files COPYING and README. # # This patch file is dual-licensed. It is available under the license the # patched project is licensed under, as long as it is an OpenSource license # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 2 of the License, or (at your option) any later # version. # --- T2-COPYRIGHT-NOTE-END --- diff -Nur curl-7.15.5-orig/lib/gtls.c curl-7.15.5/lib/gtls.c --- curl-7.15.5-orig/lib/gtls.c 2006-05-05 11:24:27.000000000 +0100 +++ curl-7.15.5/lib/gtls.c 2007-07-25 11:14:42.000000000 +0100 @@ -379,6 +379,43 @@ else infof(data, "\t common name: %s (matched)\n", certbuf); + /* Check for time-based validity */ + clock = gnutls_x509_crt_get_expiration_time(x509_cert); + + if(clock == (time_t)-1) { + failf(data, "server cert expiration date verify failed"); + return CURLE_SSL_CONNECT_ERROR; + } + + if(clock < time(NULL)) { + if (data->set.ssl.verifypeer) { + failf(data, "server certificate expiration date has passed."); + return CURLE_SSL_PEER_CERTIFICATE; + } + else + infof(data, "\t server certificate expiration date FAILED\n"); + } + else + infof(data, "\t server certificate expiration date OK\n"); + + clock = gnutls_x509_crt_get_activation_time(x509_cert); + + if(clock == (time_t)-1) { + failf(data, "server cert activation date verify failed"); + return CURLE_SSL_CONNECT_ERROR; + } + + if(clock > time(NULL)) { + if (data->set.ssl.verifypeer) { + failf(data, "server certificate not activated yet."); + return CURLE_SSL_PEER_CERTIFICATE; + } + else + infof(data, "\t server certificate activation date FAILED\n"); + } + else + infof(data, "\t server certificate activation date OK\n"); + /* Show: - ciphers used