handle blacklisted DigiNotar leaf with a leading 0x00

commit 52101672140f9ccfc82777f21c182467f804297f 1 parent bad29b0
sid77 authored September 01, 2011

Showing 1 changed file with 17 additions and 9 deletions. Show diff stats Hide diff stats

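--- a/blacklist.c
+++ b/blacklist.c
@@ -24,8 +24,6 @@ CFDataRef SecCertificateCopySerialNumber(SecCertificateRefP);
  * Added blacklisted DigiNotar certificate for *.google.com, from
  * https://bugzilla.mozilla.org/show_bug.cgi?id=682956
  *
- * TODO: handle 0x00 leading certificate
- *
  * TODO: handle DigiNotar Root CA public key
  *
  * TODO: handle DigiNotar Cyber CA public key
@@ -55,7 +53,7 @@ unsigned char issuer_blacklist[] = {
     0x41, 0x52, 0x44, 0x57, 0x41, 0x52, 0x45
 };
 
-#define NSERIALS    257
+#define NSERIALS    256
 #define SERIALSIZE  16
 unsigned char serial_blacklist[NSERIALS][SERIALSIZE]= {
     { 0xD8, 0xF3, 0x5F, 0x4E, 0xB7, 0x87, 0x2B, 0x2D,
@@ -549,11 +547,6 @@ unsigned char serial_blacklist[NSERIALS][SERIALSIZE]= {
     { 0x24, 0x70, 0x94, 0xDE, 0x01, 0x5A, 0xB4, 0xD7,
       0x66, 0xE2, 0x09, 0x1E, 0x4D, 0x28, 0xFD, 0xDE},
 
-    // Leaf beginnning with a leading 0x00, Chromium sources handle this as a
-    // special case.
-    { 0x00, 0x17, 0x7F, 0xB6, 0x53, 0x6B, 0x98, 0xCE,
-      0x40, 0xD5, 0x4B, 0x8B, 0x24, 0xE3, 0x16, 0x05},
-
     { 0x90, 0x5D, 0x96, 0x0B, 0xB9, 0x2A, 0x4E, 0x49,
       0xD9, 0xDA, 0xB2, 0xBA, 0x00, 0x85, 0x0E, 0x3E},
 
@@ -835,6 +828,12 @@ unsigned char serial_blacklist[NSERIALS][SERIALSIZE]= {
     // End of bad DigiNotar leaf certificates for non-Google sites.
 };
 
+// Special case for DigiNotar: this serial number had a leading 0x00 byte
+unsigned char serial_blacklist_DigiNotar_leading_zero[SERIALSIZE - 1]= {
+    0x17, 0x7F, 0xB6, 0x53, 0x6B, 0x98, 0xCE, 0x40,
+    0xD5, 0x4B, 0x8B, 0x24, 0xE3, 0x16, 0x05
+};
+
 int isCertificateBlackListed(SecCertificateRefP cert)
 {
     int i;
@@ -863,7 +862,7 @@ int isCertificateBlackListed(SecCertificateRefP cert)
         sl--;
     }
     
-    if (sl == 16)
+    if (sl == SERIALSIZE)
     {
         for(i=0; i < NSERIALS; i++)
         {
@@ -876,6 +875,15 @@ int isCertificateBlackListed(SecCertificateRefP cert)
             }
         }
     }
+    if (sl == SERIALSIZE - 1)
+    {
+        if(!memcmp(p, serial_blacklist_DigiNotar_leading_zero, SERIALSIZE - 1))
+        {
+            syslog(LOG_WARNING, "iSSLFix: blocking blacklisted certificate");
+            CFRelease(serial);
+            return 1;
+        }
+    }
     CFRelease(serial);
     return 0;
 }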
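Review bot: The length of the leading-zero serial is spelled out three times as `SERIALSIZE - 1` (the array declaration in the @@ -835 hunk, the `sl ==` test and the `memcmp` length in the last hunk), so a future edit to the table can silently desynchronise the comparison from the data; tie them together with `static const unsigned char serial_blacklist_DigiNotar_leading_zero[] = { ... };` and `if (sl == sizeof serial_blacklist_DigiNotar_leading_zero && !memcmp(p, serial_blacklist_DigiNotar_leading_zero, sl))`. Making the table `static const` also keeps writable, externally linked blacklist data out of the global namespace, which the existing `serial_blacklist` table would benefit from as well. The `sl--` loop in the @@ -863 hunk presumably strips the leading 0x00 before the length tests, which is why the stored serial is 15 bytes; a one-line comment on the new branch stating that assumption (`// serial already had its leading 0x00 stripped above; compare the remaining 15 bytes`) would spare the next reader from reconstructing it. The body of isCertificateBlackListed starts in the @@ -835 hunk and its stripping loop lies between the hunks, so that assumption is inferred rather than visible here.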

0 notes on commit 5210167
