[gnutls-devel] SSL certificate validation bugs in GnuTLS
Suman Jana
suman at cs.utexas.edu
Tue Feb 11 11:35:19 CET 2014
Hi,

We are computer security researchers at UT Austin and UC Davis, currently testing several SSL/TLS implementations as part of a research project. When testing GnuTLS, we discovered the following security issues related to SSL/TLS certificate validation. Some of them may be deliberate violations of the X.509 standard, others appear to be bugs. As far as we know, none of them is documented.

Please let us know how you intend to address these issues. The paper describing the results of our analysis will appear in the 2014 IEEE Symposium on Security and Privacy (“Oakland”), and we would like to include a report on the current status of all issues we discovered.

1. v1 CA certificates should be rejected by default unless validated by external means, but GnuTLS accepts them.

In GnuTLS, the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is set by default. So, in default settings, GnuTLS should accept only root v1 CAs, but it accepts all v1 CA certs instead of only v1 root CA certs due to a bug in lib/x509/verify.c as described below.

unsigned int _gnutls_x509_verify_certificate(...) {
    ...
    /* verify the certificate path (chain) */
    for (i = clist_size - 1; i > 0; i--)
    {
        /* note that here we disable this V1 CA flag. So that no version 1
         * certificates can exist in a supplied chain.
         */
        if (!(flags & GNUTLS_VERIFY_ALLOW_ANY_X509_V1_CA_CRT))
            flags &= ~(GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
        if ((ret = _gnutls_verify_certificate2 (...)) == 0) {
            /* return error */
        }
    }
    ...
}

int _gnutls_verify_certificate2(...)
{
    ...
    if (!(flags & GNUTLS_VERIFY_DISABLE_CA_SIGN) &&
        ((flags & GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT)
         || issuer_version != 1))
    {
        if (check_if_ca (cert, issuer, flags) == 0)
        {
            /* return error */
            ...
        }
    }
    /* perform other checks */
    ...
}

As shown in the code above, after a root v1 certificate has been accepted, to prevent any further v1 certificates from being accepted, GnuTLS clears the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag before calling _gnutls_verify_certificate2. However, the _gnutls_verify_certificate2 function accepts v1 certificates unless a different flag, GNUTLS_VERIFY_DO_NOT_ALLOW_X509_V1_CA_CRT, is set. But the caller (_gnutls_x509_verify_certificate) never sets that flag.

2. Path length constraints in CA certs should be enforced. GnuTLS ignores path length constraints.

3. Name constraints in CA certs should be enforced. GnuTLS ignores name constraints.

4. keyUsage and extendedKeyUsage extensions in CA and leaf certificates should be checked correctly. GnuTLS does not check any of them.

5. Certificate validation must fail if unknown critical extensions are present in the certificate, but GnuTLS accepts certificates with unknown critical extensions.

Thanks,
Suman
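
Added example (not part of the original message and not GnuTLS source): a reduced C model of the flag handling described in issue 1, showing that clearing the allow flag in the chain loop has no effect on the per-link test, and one possible correction in which the caller also sets the flag that test reads. The struct, the helper names, the bit values and the sample chains are constructed; only the flag names and the shape of the two conditions come from the report, and signature and trust-anchor checks are not modelled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Flag names follow the report (prefix dropped); the bit values are constructed. */
enum { ALLOW_X509_V1_CA_CRT = 1, ALLOW_ANY_X509_V1_CA_CRT = 2,
       DO_NOT_ALLOW_X509_V1_CA_CRT = 4, DISABLE_CA_SIGN = 8 };

/* Constructed certificate model: only the fields this check reads. */
struct cert { int version; bool ca; };

/* Hypothetical stand-in for check_if_ca(): true only if the issuer asserts CA. */
static bool issuer_is_ca(const struct cert *issuer) { return issuer->ca; }

/* Per-link test shaped like the quoted _gnutls_verify_certificate2 condition:
 * a v1 issuer skips the CA test unless DO_NOT_ALLOW_X509_V1_CA_CRT is set. */
static bool link_ok(const struct cert *issuer, unsigned flags) {
    if (!(flags & DISABLE_CA_SIGN) &&
        ((flags & DO_NOT_ALLOW_X509_V1_CA_CRT) || issuer->version != 1))
        return issuer_is_ca(issuer);
    return true;
}

/* Chain walk shaped like the quoted loop; chain[0] is the leaf. With
 * set_deny the caller also raises the flag that link_ok() actually reads. */
static bool chain_ok(const struct cert *chain, size_t n, unsigned flags, bool set_deny) {
    if (n == 0) return false;
    for (size_t i = n - 1; i > 0; i--) {
        if (!(flags & ALLOW_ANY_X509_V1_CA_CRT)) {
            flags &= ~(unsigned)ALLOW_X509_V1_CA_CRT;
            if (set_deny) flags |= DO_NOT_ALLOW_X509_V1_CA_CRT;
        }
        if (!link_ok(&chain[i], flags)) return false;
    }
    return true;
}

/* Constructed chains: leaf, intermediate, top of the supplied chain. */
static const struct cert V1_MIDDLE[] = { {3, false}, {1, false}, {3, true} };
static const struct cert ALL_V3[]    = { {3, false}, {3, true},  {3, true} };

int main(void) {
    unsigned dflt = ALLOW_X509_V1_CA_CRT; /* default per the report */
    printf("as reported, v1 intermediate: %d\n", chain_ok(V1_MIDDLE, 3, dflt, false));
    printf("deny flag set, v1 intermediate: %d\n", chain_ok(V1_MIDDLE, 3, dflt, true));
    printf("deny flag set, all v3: %d\n", chain_ok(ALL_V3, 3, dflt, true));
    return 0;
}
```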