Date: Thu, 11 Dec 2008 17:00:30 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Subject: ports/129572: [patch] security/gnutls: remove functional regression caused by fix for CVE-2008-4989
Message-ID: <20081211140030.415F317116@shadow.codelabs.ru>
Resent-Message-ID: <200812111410.mBBEA2df017689@freefall.freebsd.org>
>Number: 129572
>Category: ports
>Synopsis: [patch] security/gnutls: remove functional regression caused by fix for CVE-2008-4989
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 11 14:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE amd64
>Organization: Code Labs
>Environment:

System: FreeBSD 7.1-PRERELEASE amd64

>Description:

As was reported by some users and discussed in the gnutls mailing list,
  http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00008.html
patch for CVE-2008-4989 introduced a functional regression in respect to the validation of the self-signed certificates with MD2 signatures.

Generally speaking, any certificate in chain that uses MD2 won't be verified, because MD2 is unsupported for GnuTLS as a very dated and currently abandoned algorithm. No sufficiently new end-entity certificates should use this algorithm, but some CAs that started their operations long ago could still use it. So, by the current fix, GnuTLS allowed such root certs to be used.

Please, note: even 2.6.2 has this regression, so if one will just upgrade to 2.6.2 (as was discussed during port slush), this patch should be applied anyway.

>How-To-Repeat:

GnuTLS from 2.4.2_1:
-----
$ gnutls-cli -p 443 www.verisign.com --x509cafile 7651b327.0
Processed 1 CA certificate(s).
Resolving 'www.verisign.com'...
Connecting to '65.205.249.60:443'...
- Certificate type: X.509
 - Got a certificate list of 4 certificates.
 - Certificate[0] info:
 # The hostname in the certificate matches 'www.verisign.com'.
 # valid since: Wed May 9 04:00:00 MSD 2007
 # expires at: Sat May 9 03:59:59 MSD 2009
 # fingerprint: DC:E1:93:EB:63:01:B6:10:70:84:27:B2:E1:DD:AA:F2
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL SGC CA
 - Certificate[1] info:
 # valid since: Wed Nov 8 03:00:00 MSK 2006
 # expires at: Tue Nov 8 02:59:59 MSK 2016
 # fingerprint: 15:37:78:6E:D5:89:C8:CF:11:DC:9D:61:70:75:25:E9
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL SGC CA
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5
 - Certificate[2] info:
 # valid since: Wed Nov 8 03:00:00 MSK 2006
 # expires at: Mon Nov 8 02:59:59 MSK 2021
 # fingerprint: 9D:69:8D:F3:CB:F0:00:40:D4:58:06:25:26:CA:9D:3C
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
 - Certificate[3] info:
 # valid since: Mon Jan 29 03:00:00 MSK 1996
 # expires at: Wed Aug 2 03:59:59 MSD 2028
 # fingerprint: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
- Peer's certificate is NOT trusted
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: MD5
- Compression: NULL
*** Verifying server certificate failed...
-----

OpenSSL works fine for the same situation:
-----
$ openssl s_client -host www.verisign.com -port 443 -CAfile 7651b327.0
CONNECTED(00000003)
depth=3 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
verify return:1
depth=2 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
verify return:1
depth=0 /serialNumber=2497886/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/C=US/postalCode=94043/ST=California/L=Mountain View/streetAddress=487 East Middlefield Road/O=VeriSign, Inc./OU=Production Security Services
verify return:1
---
Certificate chain
 0 s:/serialNumber=2497886/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/C=US/postalCode=94043/ST=California/L=Mountain View/streetAddress=487 East Middlefield Road/O=VeriSign, Inc./OU=Production Security Services/OU=Terms of use at www.verisign.com/rpa (c)06/CN=www.verisign.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
subject=/serialNumber=2497886/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/C=US/postalCode=94043/ST=California/L=Mountain View/streetAddress=487 East Middlefield Road/O=VeriSign, Inc./OU=Production Security Services/OU=Terms of use at www.verisign.com/rpa (c)06/CN=www.verisign.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 5126 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : SSLv3
    Cipher : RC4-MD5
    Session-ID: 27A2E2CA054D9D06F7B0AA1D43F2A09718E8A79ADE24AFEC2AB1F4DD04578955
    Session-ID-ctx:
    Master-Key: 8D5C859A19392F7900A7522DB13160C7DE2873CFDD6B1C457C6E245AA9B92AD2DFA08E4B1D329D283A960F78151AB32E
    Key-Arg : None
    Start Time: 1229003968
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
-----

The file 7651b327.0 is a root certificate for some VeriSign CA. It is attached below.

>Fix:

The following patch replaces the patch with the upstream's one from the gnutls-devel mailing list:

--- proper-fix-for-CVE-2008-4989.diff begins here ---
>From 30d07c10fe61359d6ac543bdc29178fddf536c0b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
Date: Thu, 11 Dec 2008 15:48:07 +0300

Previous fix introduced a regression:
  http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00008.html

In short, the certificate validation will fail, if the root certificate uses MD2 signatures. This is the case, for example, for some Verisign certificates, particularly for one with hash '7651b327' and DN equal to "OU=Class 3 Public Primary Certification Authority,O=VeriSign\, Inc.,C=US"

Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
---
 security/gnutls/Makefile | 2 +-
 security/gnutls/files/patch-CVE-2008-4989 | 50 ++++++++++++++++++-----------
 2 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/security/gnutls/Makefile b/security/gnutls/Makefile index e145558..5727151 100644 --- a/security/gnutls/Makefile +++ b/security/gnutls/Makefile
@@ -7,7 +7,7 @@ PORTNAME= gnutls PORTVERSION= 2.4.2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security net MASTER_SITES= http://josefsson.org/gnutls/releases/ \ ftp://ftp.gnutls.org/pub/gnutls/ \ diff --git a/security/gnutls/files/patch-CVE-2008-4989 b/security/gnutls/files/patch-CVE-2008-4989 index 0fcbc83..5286f01 100644 --- a/security/gnutls/files/patch-CVE-2008-4989 +++ b/security/gnutls/files/patch-CVE-2008-4989 
@@ -1,20 +1,32 @@ ---- lib/x509/verify.c.orig 2008-09-16 00:04:19.000000000 +0400 -+++ lib/x509/verify.c 2008-11-14 16:06:59.000000000 +0300 -@@ -414,17 +425,6 @@ - } - #endif +Really fixes CVE-2008-4989 eliminating the regression + +Obtained from: http://lists.gnu.org/archive/html/gnutls-devel/2008-12/msg00008.html + +index 92ef722..00e2422 100644 +--- lib/x509/verify.c ++++ lib/x509/verify.c +@@ -374,6 +374,24 @@ _gnutls_x509_verify_certificate (const gnutls_x509_crt_t * certificate_list, + int i = 0, ret; + unsigned int status = 0, output; -- /* Check if the last certificate in the path is self signed. -- * In that case ignore it (a certificate is trusted only if it -- * leads to a trusted party by us, not the server's). -- */ -- if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], -- certificate_list[clist_size - 1]) > 0 -- && clist_size > 0) -- { -- clist_size--; -- } -- - /* Verify the certificate path (chain) - */ - for (i = clist_size - 1; i > 0; i--) ++ if (clist_size > 1) ++ { ++ /* Check if the last certificate in the path is self signed. ++ * In that case ignore it (a certificate is trusted only if it ++ * leads to a trusted party by us, not the server's). ++ * ++ * This in addition prevents from verifying self signed certificates ++ * against themselves. This although not bad caused verification ++ * failures on some root self signed certificates that use the MD2 ++ * algorithm. ++ */ ++ if (gnutls_x509_crt_check_issuer (certificate_list[clist_size - 1], ++ certificate_list[clist_size - 1]) > 0) ++ { ++ clist_size--; ++ } ++ } ++ + /* Verify the last certificate in the certificate path + * against the trusted CA certificate list. + * -- 1.6.0.4 --- proper-fix-for-CVE-2008-4989.diff ends here --- With patched GnuTLS (2.4.2_2) connection to www.verisign.com establishes fine: ----- $ gnutls-cli -p 443 www.verisign.com --x509cafile 7651b327.0 Processed 1 CA certificate(s). Resolving 'www.verisign.com'... Connecting to '65.205.249.60:443'... 
- Certificate type: X.509
 - Got a certificate list of 4 certificates.
 - Certificate[0] info:
 # The hostname in the certificate matches 'www.verisign.com'.
 # valid since: Wed May 9 04:00:00 MSD 2007
 # expires at: Sat May 9 03:59:59 MSD 2009
 # fingerprint: DC:E1:93:EB:63:01:B6:10:70:84:27:B2:E1:DD:AA:F2
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL SGC CA
 - Certificate[1] info:
 # valid since: Wed Nov 8 03:00:00 MSK 2006
 # expires at: Tue Nov 8 02:59:59 MSK 2016
 # fingerprint: 15:37:78:6E:D5:89:C8:CF:11:DC:9D:61:70:75:25:E9
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL SGC CA
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5
 - Certificate[2] info:
 # valid since: Wed Nov 8 03:00:00 MSK 2006
 # expires at: Mon Nov 8 02:59:59 MSK 2021
 # fingerprint: 9D:69:8D:F3:CB:F0:00:40:D4:58:06:25:26:CA:9D:3C
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
 - Certificate[3] info:
 # valid since: Mon Jan 29 03:00:00 MSK 1996
 # expires at: Wed Aug 2 03:59:59 MSD 2028
 # fingerprint: 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Subject's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
 # Issuer's DN: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
- Peer's certificate is trusted
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: MD5
- Compression: NULL
- Handshake was completed
- Simple Client Mode:
- Peer has closed the GNUTLS connection
-----

>Release-Note:
>Audit-Trail:
>Unformatted:
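
Review bot: The replacement files/patch-CVE-2008-4989 no longer carries the old "@@ -414,17 +425,6 @@" hunk that removed the self-signed check just before "Verify the certificate path (chain)"; the new file contains only the "@@ -374,6 +374,24 @@" addition. If lib/x509/verify.c in the 2.4.2 distfile still has that later block, the patched function will shorten the chain twice, once in the new guarded block ahead of the trusted-CA check and once after it, and the certificate that becomes last after the second decrement is not the one that was checked against the trusted list. Please keep the removal hunk next to the new one so the self-signed check exists only before the trusted-CA verification, or state in the patch header why it is not needed for this version. The new code tests "clist_size > 1" before indexing certificate_list[clist_size - 1], which is the right order compared with the old "&& clist_size > 0" placed after the call. The added comment sentence "This although not bad caused verification failures" would also be clearer reworded.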