← Back to branch summary

~ubuntu-branches/ubuntu/lucid/qt4-x11/lucid-updates

« back to all changes in this revision

Viewing changes to debian/patches/kubuntu_30_blacklist_ssl_certificates.diff

  • Committer: Bazaar Package Importer
  • Author(s): Jonathan Riddell
  • Date: 2011-03-27 23:55:30 UTC
  • mfrom: (103.1.1 lucid-proposed)
  • Revision ID: james.westby@ubuntu.com-20110327235530-0lhercpmuy3y4zh6
Tags: 4:4.6.2-0ubuntu5.2
https://launchpad.net/bugs/742377
* SECURITY UPDATE: Fake SSL certificates produced by Comodo, LP: #742377
  - Add kubuntu_30_blacklist_ssl_certificates.diff from upstream staging,
    lists and blocks known bad certificates
  - http://qt.gitorious.org/+qt-developers/qt/staging/commit/04e074e8d7c097295505e63565abdc7ca2b49f7b
  - http://bugreports.qt.nokia.com/browse/QTBUG-18338
  - http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/kubuntu_30_blacklist_ssl_certificates.diff
 
1
From 04e074e8d7c097295505e63565abdc7ca2b49f7b Mon Sep 17 00:00:00 2001
 
2
From: Peter Hartmann <peter.hartmann@nokia.com>
 
3
Date: Thu, 24 Mar 2011 14:42:22 +0100
 
4
Subject: [PATCH] QSslCertificate: report fraudulent certificates as invalid
 
5
 
 
6
There are some fraudulent certificates in the wild that are not valid;
 
7
this patch introduces a blacklist of serial numbers of those
 
8
certificates.
 
9
 
 
10
Reviewed-by: Richard J. Moore
 
11
Reviewed-by: Markus Goetz
 
12
Task-number: QTBUG-18338
 
13
---
 
14
 src/network/ssl/qsslcertificate.cpp                |   34 +++++++++++++++++--
 
15
 src/network/ssl/qsslcertificate_p.h                |    1 +
 
16
 
 
17
Index: qt4-x11-4.7.2/src/network/ssl/qsslcertificate.cpp
 
18
===================================================================
 
19
--- qt4-x11-4.7.2.orig/src/network/ssl/qsslcertificate.cpp      2011-03-25 17:30:38.059644389 +0000
 
20
+++ qt4-x11-4.7.2/src/network/ssl/qsslcertificate.cpp   2011-03-25 17:31:17.879644378 +0000
 
21
@@ -219,17 +219,19 @@
 
22
     Returns true if this certificate is valid; otherwise returns
 
23
     false.
 
24
 
 
25
-    Note: Currently, this function only checks that the current
 
26
+    Note: Currently, this function checks that the current
 
27
     data-time is within the date-time range during which the
 
28
-    certificate is considered valid. No other checks are
 
29
-    currently performed.
 
30
+    certificate is considered valid, and checks that the
 
31
+    certificate is not in a blacklist of fraudulent certificates.
 
32
 
 
33
     \sa isNull()
 
34
 */
 
35
 bool QSslCertificate::isValid() const
 
36
 {
 
37
     const QDateTime currentTime = QDateTime::currentDateTime();
 
38
-    return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
 
39
+    return currentTime >= d->notValidBefore &&
 
40
+            currentTime <= d->notValidAfter &&
 
41
+            ! QSslCertificatePrivate::isBlacklisted(*this);
 
42
 }
 
43
 
 
44
 /*!
 
45
@@ -798,6 +800,30 @@
 
46
     return certificates;
 
47
 }
 
48
 
 
49
+// These certificates are known to be fraudulent and were created during the comodo
 
50
+// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
 
51
+static const char *certificate_blacklist[] = {
 
52
+    "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
 
53
+    "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
 
54
+    "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
 
55
+    "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
 
56
+    "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
 
57
+    "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
 
58
+    "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
 
59
+    "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
 
60
+    "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
 
61
+    0
 
62
+};
 
63
+
 
64
+bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
 
65
+{
 
66
+    for (int a = 0; certificate_blacklist[a] != 0; a++) {
 
67
+        if (certificate.serialNumber() == certificate_blacklist[a])
 
68
+            return true;
 
69
+    }
 
70
+    return false;
 
71
+}
 
72
+
 
73
 #ifndef QT_NO_DEBUG_STREAM
 
74
 QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
 
75
 {
 
76
Index: qt4-x11-4.7.2/src/network/ssl/qsslcertificate_p.h
 
77
===================================================================
 
78
--- qt4-x11-4.7.2.orig/src/network/ssl/qsslcertificate_p.h      2011-03-25 17:30:38.039644389 +0000
 
79
+++ qt4-x11-4.7.2/src/network/ssl/qsslcertificate_p.h   2011-03-25 17:31:17.889644378 +0000
 
80
@@ -96,6 +96,7 @@
 
81
     static QSslCertificate QSslCertificate_from_X509(X509 *x509);
 
82
     static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
 
83
     static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
 
84
+    static bool isBlacklisted(const QSslCertificate &certificate);
 
85
 
 
86
     friend class QSslSocketBackendPrivate;
 
87
 
 
88
Index: qt4-x11-4.7.2/src/network/ssl/qsslsocket_openssl.cpp
 
89
===================================================================
 
90
--- qt4-x11-4.7.2.orig/src/network/ssl/qsslsocket_openssl.cpp   2011-02-22 12:04:00.000000000 +0000
 
91
+++ qt4-x11-4.7.2/src/network/ssl/qsslsocket_openssl.cpp        2011-03-25 17:31:17.899644378 +0000
 
92
@@ -1183,6 +1183,13 @@
 
93
     X509 *x509 = q_SSL_get_peer_certificate(ssl);
 
94
     configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
 
95
     q_X509_free(x509);
 
96
+    if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
 
97
+        q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
 
98
+        q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
 
99
+        emit q->error(QAbstractSocket::SslHandshakeFailedError);
 
100
+        plainSocket->disconnectFromHost();
 
101
+        return false;
 
102
+    }
 
103
 
 
104
     // Start translating errors.
 
105
     QList<QSslError> errors;