summaryrefslogtreecommitdiffstats
path: root/meta/recipes-qt
diff options
context:
space:
mode:
authorDenys Dmytriyenko <denys@ti.com>2011-03-30 21:19:55 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2011-04-06 19:10:52 (GMT)
commite5a40cd6f8c6a8c3d40cbaf29bffe5e201056dad (patch)
tree9581543c8decaab7b904839b644a7be0e51e6735 /meta/recipes-qt
parentea738ee3d3999b1696d70ce7684b96cf4a26e9e6 (diff)
downloadpoky-e5a40cd6f8c6a8c3d40cbaf29bffe5e201056dad.tar.gz
qt4: security advisory - blacklist fraudulent comodo certificates
Security advisory: Blacklist fraudulent certificates. More info is in the patch and at the following links: http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html http://qt.nokia.com/files/qt-patches/blacklist-fraudulent-comodo-certificates-patch.diff/view (Imported from OE rev 61eeeec1224c4f974f9185c2b93eeb19d13938af) (From OE-Core rev: 14419f4a4bc629b171281d46750c6abfa84bf83b) Signed-off-by: Denys Dmytriyenko <denys@ti.com> Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-qt')
-rw-r--r--meta/recipes-qt/qt4/files/blacklist-fraudulent-comodo-certificates-patch.diff134
-rw-r--r--meta/recipes-qt/qt4/qt-4.6.3.inc1
-rw-r--r--meta/recipes-qt/qt4/qt-4.7.2.inc1
-rw-r--r--meta/recipes-qt/qt4/qt4-embedded_4.6.3.bb2
-rw-r--r--meta/recipes-qt/qt4/qt4-embedded_4.7.2.bb2
-rw-r--r--meta/recipes-qt/qt4/qt4-x11-free_4.6.3.bb2
-rw-r--r--meta/recipes-qt/qt4/qt4-x11-free_4.7.2.bb2
7 files changed, 140 insertions, 4 deletions
diff --git a/meta/recipes-qt/qt4/files/blacklist-fraudulent-comodo-certificates-patch.diff b/meta/recipes-qt/qt4/files/blacklist-fraudulent-comodo-certificates-patch.diff
new file mode 100644
index 0000000..00faf75
--- /dev/null
+++ b/meta/recipes-qt/qt4/files/blacklist-fraudulent-comodo-certificates-patch.diff
@@ -0,0 +1,134 @@
1Security advisory: Fraudulent certificates
2
3Background:
4
5Recently a group of people managed to get fraudulent SSL certificates signed
6by a Certificate Authority (CA).
7
8These certificates potentially enable their owners to pretend to be other
9entities on the Web; the attackers can present valid certificates for e.g.
10mail.google.com, login.yahoo.com and login.live.com, among others.
11
12The patch below solves this problem by blacklisting those fake certificates
13and aborting an SSL handshake with entities that present these certificates.
14The patch applies to all 4.6 and 4.7 versions, and should be applied to all Qt
154.6.x and 4.7.x versions; upcoming Qt releases will contain a fix for this
16problem.
17
18More technical background:
19
20In order to trick a user into establishing an SSL connection to a site using
21one of those fake certificates, in addition to controlling the certificate, an
22attacker would need to either control the DNS server used by the victim, or
23have control over a proxy that the victim uses. That way, the attacker could
24trick the victim to connect to the attacker?s site and then present the user
25with a valid certificate.
26
27One obvious question now is: Should those certificates not just be revoked,
28which would solve the problem?
29
30First, they have been revoked by the affected Certificate Authority (see above
31link).
32
33However, the problem in this case, and probably part of the reason why most
34browser vendors release new versions blacklisting those certificates, is that
35by default browsers do not treat invalid responses from an OCSP server (a
36server used for checking the revocation status of a certificate) as fatal, and
37will allow the SSL connection to proceed anyway. Qt itself does not support
38OCSP yet, which makes blacklisting the certificates the only valid option (now
39would be a good moment to vote on the task for implementing OCSP in Qt); since
40Qt is relying on the system root certificates since version 4.7, it cannot
41control the root certificates that Qt trusts automatically anymore.
42
43http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
44http://qt.nokia.com/files/qt-patches/blacklist-fraudulent-comodo-certificates-patch.diff/view
45
46diff --git a/src/network/ssl/qsslcertificate.cpp b/src/network/ssl/qsslcertificate.cpp
47index 618ac79..a5cdf01 100644
48--- a/src/network/ssl/qsslcertificate.cpp
49+++ b/src/network/ssl/qsslcertificate.cpp
50@@ -219,17 +219,19 @@ bool QSslCertificate::isNull() const
51 Returns true if this certificate is valid; otherwise returns
52 false.
53
54- Note: Currently, this function only checks that the current
55+ Note: Currently, this function checks that the current
56 data-time is within the date-time range during which the
57- certificate is considered valid. No other checks are
58- currently performed.
59+ certificate is considered valid, and checks that the
60+ certificate is not in a blacklist of fraudulent certificates.
61
62 \sa isNull()
63 */
64 bool QSslCertificate::isValid() const
65 {
66 const QDateTime currentTime = QDateTime::currentDateTime();
67- return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
68+ return currentTime >= d->notValidBefore &&
69+ currentTime <= d->notValidAfter &&
70+ ! QSslCertificatePrivate::isBlacklisted(*this);
71 }
72
73 /*!
74@@ -798,6 +800,30 @@ QList<QSslCertificate> QSslCertificatePrivate::certificatesFromDer(const QByteAr
75 return certificates;
76 }
77
78+// These certificates are known to be fraudulent and were created during the comodo
79+// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
80+static const char *certificate_blacklist[] = {
81+ "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
82+ "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
83+ "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
84+ "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
85+ "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
86+ "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
87+ "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
88+ "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
89+ "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
90+ 0
91+};
92+
93+bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
94+{
95+ for (int a = 0; certificate_blacklist[a] != 0; a++) {
96+ if (certificate.serialNumber() == certificate_blacklist[a])
97+ return true;
98+ }
99+ return false;
100+}
101+
102 #ifndef QT_NO_DEBUG_STREAM
103 QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
104 {
105diff --git a/src/network/ssl/qsslcertificate_p.h b/src/network/ssl/qsslcertificate_p.h
106index cdceb0f..1ce33d3 100644
107--- a/src/network/ssl/qsslcertificate_p.h
108+++ b/src/network/ssl/qsslcertificate_p.h
109@@ -96,6 +96,7 @@ public:
110 static QSslCertificate QSslCertificate_from_X509(X509 *x509);
111 static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
112 static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
113+ static bool isBlacklisted(const QSslCertificate &certificate);
114
115 friend class QSslSocketBackendPrivate;
116
117diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
118index 0866534..2427193 100644
119--- a/src/network/ssl/qsslsocket_openssl.cpp
120+++ b/src/network/ssl/qsslsocket_openssl.cpp
121@@ -1193,6 +1193,13 @@ bool QSslSocketBackendPrivate::startHandshake()
122 X509 *x509 = q_SSL_get_peer_certificate(ssl);
123 configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
124 q_X509_free(x509);
125+ if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
126+ q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
127+ q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
128+ emit q->error(QAbstractSocket::SslHandshakeFailedError);
129+ plainSocket->disconnectFromHost();
130+ return false;
131+ }
132
133 // Start translating errors.
134 QList<QSslError> errors;
diff --git a/meta/recipes-qt/qt4/qt-4.6.3.inc b/meta/recipes-qt/qt4/qt-4.6.3.inc
index ec2c920..37a15f1 100644
--- a/meta/recipes-qt/qt4/qt-4.6.3.inc
+++ b/meta/recipes-qt/qt4/qt-4.6.3.inc
@@ -4,6 +4,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.LGPL;md5=fbc093901857fcd118f065f900982c24 \
4 file://LGPL_EXCEPTION.txt;md5=411080a56ff917a5a1aa08c98acae354" 4 file://LGPL_EXCEPTION.txt;md5=411080a56ff917a5a1aa08c98acae354"
5 5
6SRC_URI = "http://get.qt.nokia.com/qt/source/qt-everywhere-opensource-src-${PV}.tar.gz \ 6SRC_URI = "http://get.qt.nokia.com/qt/source/qt-everywhere-opensource-src-${PV}.tar.gz \
7 file://blacklist-fraudulent-comodo-certificates-patch.diff \
7 file://0001-cross-compile.patch \ 8 file://0001-cross-compile.patch \
8 file://0002-fix-resinit-declaration.patch \ 9 file://0002-fix-resinit-declaration.patch \
9 file://0004-no-qmake.patch \ 10 file://0004-no-qmake.patch \
diff --git a/meta/recipes-qt/qt4/qt-4.7.2.inc b/meta/recipes-qt/qt4/qt-4.7.2.inc
index ed62bd3..0f75a46 100644
--- a/meta/recipes-qt/qt4/qt-4.7.2.inc
+++ b/meta/recipes-qt/qt4/qt-4.7.2.inc
@@ -6,6 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE.LGPL;md5=fbc093901857fcd118f065f900982c24 \
6FILESPATH =. "${FILE_DIRNAME}/qt-${PV}:" 6FILESPATH =. "${FILE_DIRNAME}/qt-${PV}:"
7 7
8SRC_URI = "http://get.qt.nokia.com/qt/source/qt-everywhere-opensource-src-${PV}.tar.gz \ 8SRC_URI = "http://get.qt.nokia.com/qt/source/qt-everywhere-opensource-src-${PV}.tar.gz \
9 file://blacklist-fraudulent-comodo-certificates-patch.diff \
9 file://0004-no-qmake.patch \ 10 file://0004-no-qmake.patch \
10 file://hack-out-pg2-4.7.0.patch \ 11 file://hack-out-pg2-4.7.0.patch \
11 file://0006-freetype-host-includes.patch \ 12 file://0006-freetype-host-includes.patch \
diff --git a/meta/recipes-qt/qt4/qt4-embedded_4.6.3.bb b/meta/recipes-qt/qt4/qt4-embedded_4.6.3.bb
index dd662aa..5e289d2 100644
--- a/meta/recipes-qt/qt4/qt4-embedded_4.6.3.bb
+++ b/meta/recipes-qt/qt4/qt4-embedded_4.6.3.bb
@@ -3,7 +3,7 @@ require qt4-embedded.inc
3 3
4SRC_URI += "file://qthelp-lib-qtclucene.patch" 4SRC_URI += "file://qthelp-lib-qtclucene.patch"
5 5
6PR = "${INC_PR}.1" 6PR = "${INC_PR}.2"
7 7
8QT_CONFIG_FLAGS_append_armv6 = " -no-neon " 8QT_CONFIG_FLAGS_append_armv6 = " -no-neon "
9 9
diff --git a/meta/recipes-qt/qt4/qt4-embedded_4.7.2.bb b/meta/recipes-qt/qt4/qt4-embedded_4.7.2.bb
index b88b1e9..c3f6713 100644
--- a/meta/recipes-qt/qt4/qt4-embedded_4.7.2.bb
+++ b/meta/recipes-qt/qt4/qt4-embedded_4.7.2.bb
@@ -1,7 +1,7 @@
1require qt-${PV}.inc 1require qt-${PV}.inc
2require qt4-embedded.inc 2require qt4-embedded.inc
3 3
4PR = "${INC_PR}.0" 4PR = "${INC_PR}.1"
5 5
6QT_CONFIG_FLAGS_append_armv6 = " -no-neon " 6QT_CONFIG_FLAGS_append_armv6 = " -no-neon "
7 7
diff --git a/meta/recipes-qt/qt4/qt4-x11-free_4.6.3.bb b/meta/recipes-qt/qt4/qt4-x11-free_4.6.3.bb
index 8cf5449..9126284 100644
--- a/meta/recipes-qt/qt4/qt4-x11-free_4.6.3.bb
+++ b/meta/recipes-qt/qt4/qt4-x11-free_4.6.3.bb
@@ -1,6 +1,6 @@
1require qt-${PV}.inc 1require qt-${PV}.inc
2require qt4-x11-free.inc 2require qt4-x11-free.inc
3 3
4PR = "${INC_PR}.0" 4PR = "${INC_PR}.1"
5 5
6QT_CONFIG_FLAGS += " -xrandr " 6QT_CONFIG_FLAGS += " -xrandr "
diff --git a/meta/recipes-qt/qt4/qt4-x11-free_4.7.2.bb b/meta/recipes-qt/qt4/qt4-x11-free_4.7.2.bb
index 359a756..75c6314 100644
--- a/meta/recipes-qt/qt4/qt4-x11-free_4.7.2.bb
+++ b/meta/recipes-qt/qt4/qt4-x11-free_4.7.2.bb
@@ -1,7 +1,7 @@
1require qt4-x11-free.inc 1require qt4-x11-free.inc
2require qt-${PV}.inc 2require qt-${PV}.inc
3 3
4PR = "${INC_PR}.0" 4PR = "${INC_PR}.1"
5 5
6QT_CONFIG_FLAGS_append_armv6 = " -no-neon " 6QT_CONFIG_FLAGS_append_armv6 = " -no-neon "
7 7