Hi,

I was reviewing CVE-2012-5821[1] and the associated paper[2] and noticed
that a change was made to lynx 2.8.8dev.13 based on feedback from one of
the authors of the paper. The change seems to be the addition of the
following right before the call to gnutls_certificate_verify_peers2():
    gnutls_certificate_set_verify_flags(handle->gnutls_cred,
                                    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME |
                                    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);

gnutls 3 will use GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT by default, but
gnutls 2 seems not to, so setting this explicitly makes sense.

However, this is not enough to prompt for self-signed certificates. Per
docs/README.sslcerts, lynx is supposed to prompt on self-signed
certificates, but it will happily accept them so long as the certificate
is otherwise valid and the hostname checks don't fail. The problem occurs here:

ret = gnutls_certificate_verify_peers2(handle->gnutls_state,
                                       &tls_status);
if (ret < 0) {
...

gnutls_certificate_verify_peers2() is returning '0' with a self-signed
certificate, but it does still set GNUTLS_CERT_SIGNER_NOT_FOUND.
Attached is a patch that prompts on a self-signed certificate and
removes the redundant 2nd check for GNUTLS_CERT_SIGNER_NOT_FOUND. This
patch is against 2.8.8dev.12 (so it includes the additional call to
gnutls_certificate_set_verify_flags()) and is lightly tested. I'd
appreciate any feedback you might have.

Thanks!

[1]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4540
[2]http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

-- 
Jamie Strandboge                 http://www.ubuntu.com/
Index: lynx-cur-2.8.8dev.12/WWW/Library/Implementation/HTTP.c
===================================================================
--- lynx-cur-2.8.8dev.12.orig/WWW/Library/Implementation/HTTP.c	2012-11-07 17:06:22.000000000 -0600
+++ lynx-cur-2.8.8dev.12/WWW/Library/Implementation/HTTP.c	2012-11-07 17:38:56.000000000 -0600
@@ -764,17 +764,21 @@
 #endif /* SSLEAY_VERSION_NUMBER >= 0x0900 */
 	}
 #ifdef USE_GNUTLS_INCL
+	gnutls_certificate_set_verify_flags(handle->gnutls_cred,
+					    GNUTLS_VERIFY_DO_NOT_ALLOW_SAME |
+					    GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
 	ret = gnutls_certificate_verify_peers2(handle->gnutls_state, &tls_status);
-	if (ret < 0) {
+	if (ret < 0 || (ret == 0 &&
+			tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND)) {
 	    int flag_continue = 1;
 	    char *msg2;
 
-	    if (tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
+	    if (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
+		msg2 = gettext("self signed certificate");
+	    } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
 		msg2 = gettext("no issuer was found");
 	    } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_CA) {
 		msg2 = gettext("issuer is not a CA");
-	    } else if (tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
-		msg2 = gettext("the certificate has no known issuer");
 	    } else if (tls_status & GNUTLS_CERT_REVOKED) {
 		msg2 = gettext("the certificate has been revoked");
 	    } else {
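Review bot: the new condition `if (ret < 0 || (ret == 0 && tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND))` still lets other verification failures through when ret == 0: gnutls_certificate_verify_peers2() returns 0 whenever the verification ran and reports the outcome in tls_status, so a chain flagged GNUTLS_CERT_SIGNER_NOT_CA or GNUTLS_CERT_REVOKED (both handled by the message branches below) is accepted silently unless ret happens to be negative. Consider `if (ret < 0 || tls_status != 0)` so that every set status bit reaches the prompt. Also, GNUTLS_CERT_SIGNER_NOT_FOUND is set for any certificate whose issuer is absent from the trust store, not only for self-signed ones, so "self signed certificate" may mislabel a certificate from an unknown CA; wording such as "the certificate issuer is not trusted" covers both cases. Minor: parenthesize `(tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND)` inside the `&&` expressions for readability.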

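As an added illustration (not part of this patch or of lynx), the following stand-alone C routine interprets the (ret, tls_status) pair from gnutls_certificate_verify_peers2() the way the mail describes: ret < 0 is an API failure, ret == 0 only means the check ran, and the status bits decide whether to trust, prompt or reject. The helper name classify_peer_verification and the verdict enum are invented for the example; the flag values are copied from gnutls_certificate_status_t so the file builds without the GnuTLS headers.

```c
#include <stdio.h>

/* Flag values copied from gnutls_certificate_status_t so this example
 * compiles without GnuTLS; a real client includes <gnutls/gnutls.h>. */
#define GNUTLS_CERT_INVALID           (1 << 1)
#define GNUTLS_CERT_REVOKED           (1 << 5)
#define GNUTLS_CERT_SIGNER_NOT_FOUND  (1 << 6)
#define GNUTLS_CERT_SIGNER_NOT_CA     (1 << 7)

enum verify_verdict { VERDICT_TRUSTED, VERDICT_PROMPT, VERDICT_REJECT };

static void set_reason(const char **reason, const char *text)
{
    if (reason)
        *reason = text;
}

/* Hypothetical helper: map the result of gnutls_certificate_verify_peers2()
 * to a client decision. A zero return value means the verification ran;
 * tls_status carries the actual result, and 0 there means "trusted". */
static enum verify_verdict
classify_peer_verification(int ret, unsigned int tls_status, const char **reason)
{
    if (ret < 0) {                       /* API error, not a verdict on the cert */
        set_reason(reason, "certificate verification call failed");
        return VERDICT_REJECT;
    }
    if (tls_status == 0) {               /* chains to a trusted CA, hostname aside */
        set_reason(reason, "certificate chains to a trusted CA");
        return VERDICT_TRUSTED;
    }
    if (tls_status & GNUTLS_CERT_REVOKED) {   /* example policy: never prompt */
        set_reason(reason, "the certificate has been revoked");
        return VERDICT_REJECT;
    }
    if (tls_status & GNUTLS_CERT_SIGNER_NOT_CA) {
        set_reason(reason, "issuer is not a CA");
        return VERDICT_PROMPT;
    }
    if (tls_status & GNUTLS_CERT_SIGNER_NOT_FOUND) {
        /* Self-signed, or issued by a CA missing from the trust store. */
        set_reason(reason, "the certificate issuer is not trusted");
        return VERDICT_PROMPT;
    }
    set_reason(reason, "the certificate failed verification");
    return VERDICT_PROMPT;
}

int main(void)
{
    const char *why = NULL;   /* constructed case: self-signed peer, ret == 0 */
    enum verify_verdict v = classify_peer_verification(
        0, GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND, &why);
    printf("verdict=%d (%s)\n", (int)v, why);
    return 0;
}
```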

_______________________________________________
Lynx-dev mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/lynx-dev
