Hi security team and Thomas,

I propose the following patch for libval14 in stable:

Index: validator/libval/val_dane.c
===================================================================
--- validator/libval/val_dane.c (revision 8325)
+++ validator/libval/val_dane.c (working copy)
@@ -766,23 +766,6 @@
                 break;
 
             case DANE_USE_TA_ASSERTION: /*2*/ {
-                SSL_CTX *ctx = SSL_get_SSL_CTX(con);
-                X509_STORE *store;
-                *do_pathval = 0;
-                if (store = X509_STORE_new()) {
-                    X509 *tlsa_cert = NULL;
-                    c = dane_cur->data;
-                    tlsa_cert = d2i_X509(NULL, (const unsigned char
**)&c, 
-                                         dane_cur->datalen);
-                    X509_STORE_add_cert(store, tlsa_cert);
-                    SSL_CTX_set_cert_store(ctx, store);
-                    if (SSL_get_verify_result(con) == X509_V_OK) {
-                        val_log(context, LOG_INFO, "DANE:
val_dane_match() success");
-                        rv = VAL_DANE_NOERROR;
-                        goto done;
-                    }
-                }
-
                 val_log(context, LOG_NOTICE, 
                         "DANE: val_dane_check() for usage %d failed",
                         dane_cur->usage);
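Review bot: with this block gone, the `case DANE_USE_TA_ASSERTION: /*2*/ {` label is left with no statements of its own, and it is also the only place `*do_pathval = 0` was cleared for usage 2, so usage 2 now falls straight through to the `"DANE: val_dane_check() for usage %d failed"` log; add a one-line comment at the case label stating that usage 2 is deliberately unsupported in this branch and always fails, so the near-empty case is not later mistaken for an accidentally dropped statement and the behaviour change is documented where a reader will look for it. Removing rather than patching is defensible here: the deleted code never checked the `d2i_X509` return value before `X509_STORE_add_cert(store, tlsa_cert)`, used assignment inside `if (store = X509_STORE_new())`, and consulted `SSL_get_verify_result(con)` after swapping the store, which only reports the result of verification already performed during the handshake rather than re-verifying against the TLSA certificate.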


It will just make the DANE validation fail when the usage 2 scenario is
encountered.

Unfortunately the code in 2.1 has diverted too much (API change), so we
are not able to use the (possibly fixed) code from there.

I will also file a bug for irssi and kamailio to drop the libval usage
and remove the dnsval library from Debian unless I have a strong
promise from upstream that they will take care of the library.

Cheers,
Ondrej

On Mon, Aug 31, 2015, at 10:29, Ondřej Surý wrote:
> Hi,
> 
> this is now public, reported by Thomas Fargeix #797470
> 
> And I am emailing the folks I know from SPARTA (or however they are called
> now[*]), if they are still actively maintaining dnsval. The website,
> issue tracker and code repository are not very optimistic.
> 
> I think we might also consider the possibility of dropping dnsval from
> the archive.
> 
> * They got bought last year or so, so their priorities might have
> shifted, or that USG grant ran out...
> -- 
> Ondřej Surý <ond...@sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server


-- 
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server