[SCM] Qt 4 packaging branch, squeeze, updated. debian/4.6.3-4-3-gca7ca43

José Manuel Santamaría Lema santa-guest at alioth.debian.org
Sun Apr 17 16:29:35 UTC 2011


The following commit has been merged in the squeeze branch:
commit f8f083cf53ff7b82dc516c7fc1b361d3993b1f40
Author: José Manuel Santamaría Lema <panfaust at gmail.com>
Date:   Sat Apr 16 22:57:58 2011 +0200

    Blacklist a set of fraudulent ssl certificates.
---
 debian/changelog                                   |    5 +-
 .../blacklist_fraudulent_comodo_certificates.diff  |   85 ++++++++++++++++++++
 debian/patches/series                              |    2 +
 debian/patches/ssl_certificate_large_sn.diff       |   54 ++++++++++++
 4 files changed, 145 insertions(+), 1 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 0a98147..ee589b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
 qt4-x11 (4:4.6.3-4+squeeze1) UNRELEASED; urgency=low
 
-  * 
+  * Blacklist a set of fraudulent ssl certificates; to perform this
+    blacklisting we need these patches:
+    - blacklist_fraudulent_comodo_certificates.diff
+    - ssl_certificate_large_sn.diff
 
  -- José Manuel Santamaría Lema <panfaust at gmail.com>  Fri, 15 Apr 2011 19:13:13 +0200
 
diff --git a/debian/patches/blacklist_fraudulent_comodo_certificates.diff b/debian/patches/blacklist_fraudulent_comodo_certificates.diff
new file mode 100644
index 0000000..0142822
--- /dev/null
+++ b/debian/patches/blacklist_fraudulent_comodo_certificates.diff
@@ -0,0 +1,85 @@
+Origin: http://labs.qt.nokia.com/2011/03/29/security-advisory-fraudulent-certificates/
+Description: This patch blacklists a set of fraudulent ssl certificates.
+--- a/src/network/ssl/qsslcertificate.cpp
++++ b/src/network/ssl/qsslcertificate.cpp
+@@ -219,17 +219,19 @@
+     Returns true if this certificate is valid; otherwise returns
+     false.
+ 
+-    Note: Currently, this function only checks that the current
++    Note: Currently, this function checks that the current
+     data-time is within the date-time range during which the
+-    certificate is considered valid. No other checks are
+-    currently performed.
++    certificate is considered valid, and checks that the
++    certificate is not in a blacklist of fraudulent certificates.
+ 
+     \sa isNull()
+ */
+ bool QSslCertificate::isValid() const
+ {
+     const QDateTime currentTime = QDateTime::currentDateTime();
+-    return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
++    return currentTime >= d->notValidBefore &&
++            currentTime <= d->notValidAfter &&
++            ! QSslCertificatePrivate::isBlacklisted(*this);
+ }
+ 
+ /*!
+@@ -778,6 +780,30 @@
+     return certificates;
+ }
+ 
++// These certificates are known to be fraudulent and were created during the comodo
++// compromise. See http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
++static const char *certificate_blacklist[] = {
++    "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
++    "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
++    "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
++    "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
++    "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
++    "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
++    "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
++    "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
++    "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
++    0
++};
++
++bool QSslCertificatePrivate::isBlacklisted(const QSslCertificate &certificate)
++{
++    for (int a = 0; certificate_blacklist[a] != 0; a++) {
++        if (certificate.serialNumber() == certificate_blacklist[a])
++            return true;
++    }
++    return false;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
+ {
+--- a/src/network/ssl/qsslcertificate_p.h
++++ b/src/network/ssl/qsslcertificate_p.h
+@@ -96,6 +96,7 @@
+     static QSslCertificate QSslCertificate_from_X509(X509 *x509);
+     static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
+     static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
++    static bool isBlacklisted(const QSslCertificate &certificate);
+ 
+     friend class QSslSocketBackendPrivate;
+ 
+--- a/src/network/ssl/qsslsocket_openssl.cpp
++++ b/src/network/ssl/qsslsocket_openssl.cpp
+@@ -810,6 +810,13 @@
+     X509 *x509 = q_SSL_get_peer_certificate(ssl);
+     configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
+     q_X509_free(x509);
++    if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
++        q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
++        q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
++        emit q->error(QAbstractSocket::SslHandshakeFailedError);
++        plainSocket->disconnectFromHost();
++        return false;
++    }
+ 
+     // Start translating errors.
+     QList<QSslError> errors;
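Review bot: isBlacklisted in the nested qsslcertificate.cpp hunk matches on the serial number alone, but a serial is only unique within the issuing CA, so an unrelated certificate from another issuer that happens to carry one of these nine serials would also fail isValid() and be dropped by the handshake check added in qsslsocket_openssl.cpp. Pairing each table entry with the expected issuer common name and requiring both to match confines the rejection to the certificates actually meant: turn `certificate_blacklist` into `{ serial, issuerCN }` pairs and compare `certificate.serialNumber() == entry.serial && certificate.issuerInfo(QSslCertificate::CommonName) == QLatin1String(entry.issuerCN)`, with the issuer value taken from the incident report, since it is not on this page. The table comment should also say that the entries are in the colon-separated, lowercase, zero-padded hex layout that QSslCertificate::serialNumber() produces for serials longer than 4 octets, because the comparison is byte-exact and the check silently depends on ssl_certificate_large_sn.diff being applied first (which the series ordering does ensure). The handshake-side check sits inside a function whose start and end are outside the hunk.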
diff --git a/debian/patches/series b/debian/patches/series
index 2c90b91..3f3c0fe 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,6 +3,8 @@
 0005_fix_detection_of_headers_files.diff
 0006_webkit_propriotary_flash_init_gtk_first.diff
 0007_qsslsocket_improve_error_handling_CVE-2010-2621.patch
+ssl_certificate_large_sn.diff
+blacklist_fraudulent_comodo_certificates.diff
 
 # qt-copy patches
 0180-window-role.diff
diff --git a/debian/patches/ssl_certificate_large_sn.diff b/debian/patches/ssl_certificate_large_sn.diff
new file mode 100644
index 0000000..2d406ac
--- /dev/null
+++ b/debian/patches/ssl_certificate_large_sn.diff
@@ -0,0 +1,54 @@
+From 0f16c7ce8dcd6f4905d14875088c55148e41366a Mon Sep 17 00:00:00 2001
+From: Peter Hartmann <peter.hartmann at nokia.com>
+Date: Tue, 1 Jun 2010 16:50:55 +0200
+Subject: [PATCH] QSslCertificate: support large serial numbers
+
+We were calling an OpenSSL function that returned a long for the serial
+number; sometimes serial numbers are too big to fit into a long (up to
+20 octets). In that case, do not convert the serial number to decimal,
+but just output the hexadecimal value.
+
+Reviewed-by: Zeno Albisser
+Task-number: QTBUG-9973
+---
+ src/network/ssl/qsslcertificate.cpp                |   23 ++++++++++++++++---
+ .../more-certificates/cert-large-serial-number.pem |   14 ++++++++++++
+ tests/auto/qsslcertificate/tst_qsslcertificate.cpp |   13 +++++++++++
+ 3 files changed, 46 insertions(+), 4 deletions(-)
+ create mode 100644 tests/auto/qsslcertificate/more-certificates/cert-large-serial-number.pem
+
+--- a/src/network/ssl/qsslcertificate.cpp
++++ b/src/network/ssl/qsslcertificate.cpp
+@@ -259,13 +259,28 @@
+ 
+ /*!
+     Returns the certificate's serial number string in decimal format.
++    In case the serial number cannot be converted to decimal format
++    (i.e. if it is bigger than 4294967295, which means it does not fit into 4 bytes),
++    its hexadecimal version is returned.
+ */
+ QByteArray QSslCertificate::serialNumber() const
+ {
+-    if (d->serialNumberString.isEmpty() && d->x509)
+-        d->serialNumberString =
+-            QByteArray::number(qlonglong(q_ASN1_INTEGER_get(d->x509->cert_info->serialNumber)));
+-
++    if (d->serialNumberString.isEmpty() && d->x509) {
++        ASN1_INTEGER *serialNumber = d->x509->cert_info->serialNumber;
++        // if we cannot convert to a long, just output the hexadecimal number
++        if (serialNumber->length > 4) {
++            QByteArray hexString;
++            hexString.reserve(serialNumber->length * 3);
++            for (int a = 0; a < serialNumber->length; ++a) {
++                hexString += QByteArray::number(serialNumber->data[a], 16).rightJustified(2, '0');
++                hexString += ':';
++            }
++            hexString.chop(1);
++            d->serialNumberString = hexString;
++        } else {
++            d->serialNumberString = QByteArray::number(qlonglong(q_ASN1_INTEGER_get(serialNumber)));
++        }
++    }
+     return d->serialNumberString;
+ }
+ 
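Review bot: The new doc comment on serialNumber() says the hexadecimal form is used when the value is bigger than 4294967295, but the code switches on the octet length of the stored integer, `if (serialNumber->length > 4)`, not on a numeric threshold, and the 4-octet case still goes through `q_ASN1_INTEGER_get`, which returns a `long`; on a target where `long` is 4 bytes a 4-octet serial with the top bit set presumably does not fit a signed long, so the decimal branch may print a wrong value there — worth confirming against the OpenSSL version packaged. State the condition the code actually tests: `In case the serial number is longer than 4 octets, its colon-separated hexadecimal version is returned.` The comment should also spell out the layout of that form (lowercase hex, each octet zero-padded to two digits, octets joined by ':'), because other code compares the returned string textually and needs to know which form it will get. The function is complete within this hunk.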
