Bug#639744: [Pkg-openssl-devel] Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
On Wednesday 07 September 2011 22:06:55 Raphael Geissert wrote:
> On Wednesday 07 September 2011 10:57:51 Raphael Geissert wrote:
> > On Monday 05 September 2011 14:55:50 Kurt Roeckx wrote:
> > > So you're basicly saying that X509_verify_cert() should give an
> > > error in case it finds DigiNotar somewhere in the chain?
> > >
> > > I'm not opposed to such a change, but would like to see a better
> > > option in the future.
> >
> > Yes. I will try to spend some time with a debugger later today to find
> > the right place to implement such check. Or do you have any hint? (the
> > cn validation functions didn't seem to be executed in one case I tried)
>
> Attached is the first version of patch against the 1.0.0 series that does
> that. I implemented it in check_name_constraints, but given that 0.9.8
> doesn't have support for name constraints I might as well move it to a
> separate function. I've tested it on the rogue *.google.com cert with
> verify(1) and a few others with different clients (tried the urls
> mentioned on the bug report, of which only ingcommercialbanking still uses
> a DigiNotar cert.)
> Attached are a bundle of the certs needed to verify(1) the rogue google
> cert, and the rogue cert itself. Perhaps they could be included in the
> test suite.
I somehow ended up adding an O instead of a 0 in the exported patch for 1.0.0.
Attached are the fixed 1.0.0 patch (as v2, to avoid confusions) and the
previous patch for 0.9.8.
> The patch for 0.9.8 is also attached, but I haven't tested it yet. It was
> made based on squeeze's openssl and it seems to apply fine to lenny's
> openssl (just a few lines of difference.)
>
> Kurt, what do you think? would upstream be interested in the patch, or at
> least in reviewing it?
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Description: make X509_verify_cert indicate that any certificate whose
name contains "DigiNotar" is revoked.
Origin: vendor
Forwarded: no
Last-Update: 2011-09-07
Bug: http://bugs.debian.org/639744
diff -urpN openssl-0.9.8o-4squeeze1.orig/crypto/x509/x509_vfy.c openssl-0.9.8o-4squeeze1/crypto/x509/x509_vfy.c
--- openssl-0.9.8o-4squeeze1.orig/crypto/x509/x509_vfy.c 2009-06-26 06:34:21.000000000 -0500
+++ openssl-0.9.8o-4squeeze1/crypto/x509/x509_vfy.c 2011-09-07 21:23:58.000000000 -0500
@@ -78,6 +78,7 @@ static int check_trust(X509_STORE_CTX *c
static int check_revocation(X509_STORE_CTX *ctx);
static int check_cert(X509_STORE_CTX *ctx);
static int check_policy(X509_STORE_CTX *ctx);
+static int check_ca_blacklist(X509_STORE_CTX *ctx);
static int internal_verify(X509_STORE_CTX *ctx);
const char X509_version[]="X.509" OPENSSL_VERSION_PTEXT;
@@ -312,6 +313,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
ok=internal_verify(ctx);
if(!ok) goto end;
+ ok = check_ca_blacklist(ctx);
+ if(!ok) goto end;
+
#ifndef OPENSSL_NO_RFC3779
/* RFC 3779 path validation, now that CRL check has been done */
ok = v3_asid_validate_path(ctx);
@@ -661,6 +665,29 @@ static int check_crl_time(X509_STORE_CTX
return 1;
}
+static int check_ca_blacklist(X509_STORE_CTX *ctx)
+ {
+ X509 *x;
+ int i;
+ /* Check all certificates against the blacklist */
+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
+ {
+ x = sk_X509_value(ctx->chain, i);
+ /* Mark DigiNotar certificates as revoked, no matter
+ * where in the chain they are.
+ */
+ if (x->name && strstr(x->name, "DigiNotar"))
+ {
+ ctx->error = X509_V_ERR_CERT_REVOKED;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ if (!ctx->verify_cb(0,ctx))
+ return 0;
+ }
+ }
+ return 1;
+ }
+
/* Lookup CRLs from the supplied list. Look for matching isser name
* and validity. If we can't find a valid CRL return the last one
* with matching name. This gives more meaningful error codes. Otherwise
Description: make X509_verify_cert indicate that any certificate whose
name contains "DigiNotar" is revoked.
Origin: vendor
Forwarded: no
Last-Update: 2011-09-07
Bug: http://bugs.debian.org/639744
diff --git a/crypto/x509/x509_vfy.c.orig b/crypto/x509/x509_vfy.c
index bd6695d..1aaf5d3 100644
--- a/crypto/x509/x509_vfy.c.orig
+++ b/crypto/x509/x509_vfy.c
@@ -617,6 +617,17 @@ static int check_name_constraints(X509_STORE_CTX *ctx)
for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
{
x = sk_X509_value(ctx->chain, i);
+ /* Mark DigiNotar certificates as revoked, no matter
+ * where in the chain they are.
+ */
+ if (x->name && strstr(x->name, "DigiNotar"))
+ {
+ ctx->error = X509_V_ERR_CERT_REVOKED;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ if (!ctx->verify_cb(0,ctx))
+ return 0;
+ }
/* Ignore self issued certs unless last in chain */
if (i && (x->ex_flags & EXFLAG_SI))
continue;
Reply to: