On Thu, Sep 3, 2015, at 15:21, Alessandro Ghedini wrote:
> On Mon, Aug 31, 2015 at 10:53:21am +0200, Ondřej Surý wrote:
> > Hi security team and Thomas,
> > 
> > I propose following patch for libval14 in stable:
> > 
> > Index: validator/libval/val_dane.c
> > ===================================================================
> > --- validator/libval/val_dane.c (revision 8325)
> > +++ validator/libval/val_dane.c (working copy)
> > @@ -766,23 +766,6 @@
> >                  break;
> >  
> >              case DANE_USE_TA_ASSERTION: /*2*/ {
> > -                SSL_CTX *ctx = SSL_get_SSL_CTX(con);
> > -                X509_STORE *store;
> > -                *do_pathval = 0;
> > -                if (store = X509_STORE_new()) {
> > -                    X509 *tlsa_cert = NULL;
> > -                    c = dane_cur->data;
> > -                    tlsa_cert = d2i_X509(NULL, (const unsigned char
> > **)&c, 
> > -                                         dane_cur->datalen);
> > -                    X509_STORE_add_cert(store, tlsa_cert);
> > -                    SSL_CTX_set_cert_store(ctx, store);
> > -                    if (SSL_get_verify_result(con) == X509_V_OK) {
> > -                        val_log(context, LOG_INFO, "DANE:
> > val_dane_match() success");
> > -                        rv = VAL_DANE_NOERROR;
> > -                        goto done;
> > -                    }
> > -                }
> > -
> >                  val_log(context, LOG_NOTICE, 
> >                          "DANE: val_dane_check() for usage %d failed",
> >                          dane_cur->usage);
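Review bot: with the whole body of "case DANE_USE_TA_ASSERTION: /*2*/" removed, the label now falls straight through to the val_log(... "for usage %d failed") call; that is the stated intent (usage 2 always fails), but nothing in the code says so, so add a one-line comment after the "/*2*/" label stating that usage 2 is deliberately unsupported in this branch, otherwise the empty case reads like a lost hunk. Deleting rather than repairing the block is the right call: it never checked the d2i_X509() result before X509_STORE_add_cert(store, tlsa_cert), it swapped the cert store on the shared SSL_CTX obtained via SSL_get_SSL_CTX(con) rather than on this connection, and it then consulted SSL_get_verify_result(con), which reports the result of the verification already performed during the handshake and is not re-run against the new store, so X509_V_OK there was never evidence that the TLSA trust anchor validated the peer. Note also that "*do_pathval = 0" disappears with the block, so on this path callers now see whatever *do_pathval held before the switch; confirm that is the intended value when usage 2 fails.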
> > 
> > 
> > It will just make the DANE validation fail when the usage 2 scenario is
> > encountered.
> 
> I noticed that you applied this patch in unstable closing #797470, but
> then you reopened it. Does that mean that the patch is not enough?

Nope, I think the patch is enough. I reopened it so we don't forget to fix
this in jessie.

> > Unfortunately the code in 2.1 has diverged too much (API change), so we
> > are not able to use the (possibly fixed) code from there.
> > 
> > I will also file a bug for irssi and kamailio to drop the libval usage
> > and remove the dnsval library from Debian unless I have a strong
> > promise from upstream that they will take care of the library.
> 
> It would maybe make sense to drop dnsval from jessie as well (though both
> irssi and kamailio would need to be updated there too). Could you try to
> contact the Release Team and see what they think about this?

I spoke to the upstream and they are still working on the whole
dnssec-tools suite, but I would still rather see irssi and kamailio use
some better library to do the DNSSEC validation.

Cheers,
-- 
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
