followup patch for QTBUG-18338, blacklist fraudulent SSL certifcates

2011-03-25 14:12:33 -05:00 · 2011-03-25 14:12:33 -05:00 · 7bb24cd446
parent 0811c7ffc2
commit 7bb24cd446
2 changed files with 43 additions and 1 deletions
--- a/qt-ssl-QTBUG-18338-2.patch
+++ b/qt-ssl-QTBUG-18338-2.patch
@ -0,0 +1,35 @@
+From b87528a71b66e786c11804d7b79e408aae612748 Mon Sep 17 00:00:00 2001
+From: Peter Hartmann <peter.hartmann@nokia.com>
+Date: Fri, 25 Mar 2011 13:45:24 +0100
+Subject: [PATCH] QSslSocket internals: abort on encountering blacklisted certificates
+
+tested manually with "openssl s_server -cert blacklisted.pem -key
+key.pem" and connecting a QSslSocket.
+
+Reviewed-by: Markus Goetz
+Task-number: QTBUG-18338
+---
+ src/network/ssl/qsslsocket_openssl.cpp |    7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
+index 0866534..2427193 100644
+--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
+@@ -1193,6 +1193,13 @@ bool QSslSocketBackendPrivate::startHandshake()
+     X509 *x509 = q_SSL_get_peer_certificate(ssl);
+     configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
+     q_X509_free(x509);
+    if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
+        q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
+        q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
+        emit q->error(QAbstractSocket::SslHandshakeFailedError);
+        plainSocket->disconnectFromHost();
+        return false;
+    }
+ 
+     // Start translating errors.
+     QList<QSslError> errors;
+-- 
+1.6.1
+
--- a/qt.spec
+++ b/qt.spec
@ -18,7 +18,7 @@ Summary: Qt toolkit
 Name:    qt
 Epoch:   1
 Version: 4.7.2
-Release: 6%{?dist}
+Release: 7%{?dist}

 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@ -106,6 +106,9 @@ Patch212: 0012-Add-context-to-tr-calls-in-QShortcut.patch
 # security patches
 Patch300: qt-everywhere-opensource-src-4.7.0-CVE-2010-1822-crash-svg-image.patch
 Patch301: qt-ssl-QTBUG-18338.patch
+# http://qt.gitorious.org/+qt-developers/qt/staging/commit/b87528a71b66e786c11804d7b79e408aae612748
+# followup to 301
+Patch302: qt-ssl-QTBUG-18338-2.patch

 # gstreamer logos
 Source10: http://gstreamer.freedesktop.org/data/images/artwork/gstreamer-logo.svg
@ -509,6 +512,7 @@ Qt libraries used for drawing widgets and OpenGL items.
 # security fixes
 %patch300 -p1 -b .CVE-2010-1822-crash-svg-image
 %patch301 -p1 -b .ssl-QTBUG-18338
+%patch302 -p1 -b .ssl-QTBUG-18338-2

 # drop -fexceptions from $RPM_OPT_FLAGS
 RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
@ -1189,6 +1193,9 @@ fi


 %changelog
+* Fri Mar 25 2011 Rex Dieter <rdieter@fedoraproject.org> 1:4.7.2-7
+- followup patch for QTBUG-18338, blacklist fraudulent SSL certifcates
+
 * Fri Mar 25 2011 Rex Dieter <rdieter@fedoraproject.org> 1:4.7.2-6
 - drop qt-designer-plugin-phonon