Always revoke certificate on CRL #3433
Conversation
raoulstrackx
force-pushed
the
raoul/verify_crl_without_time
branch
from
2dd3f94 to
20f3ef7
Compare
A bug in the ARMmbed mbedtls library only revokes certificates when a time source is available. We temporarily disable the following test, until patch Mbed-TLS/mbedtls#3433 lands and we use the updated library
raoulstrackx
force-pushed
the
raoul/verify_crl_without_time
branch
2 times, most recently
from
7bf0395 to
7c14bc2
Compare
raoulstrackx
changed the title
mpg
added
bug
component-x509
needs-backports
|
Thanks for your contribution! I agree with your assessment: I looked at all instances of "revocationDate" in RFC 5280 and it never says that it should be checked. Moreover, point (j) on page 95 says to marked as revoked as soon as issuer name and serial number match. It looks like this field is more informational (a bit like the optional "reason" field.) Also, from a security perspective, if the certificate ended up on a CRL, it shouldn't be trusted regardless of the revocation date, especially considering the local clock can't always be trusted. The new behaviour should come with a test. Please generate a CRL with a revocation date in the far future (to make sure it's still in the future in a few years) for one of our existing certificate and add a test for verifying this certificate with that CRL using the function Since this changes the observable behaviour, it deserves an entry in our ChangeLog, I'd say under Finally, can you add a Signed-Off-By line to your commit message, ton indicate that you agree with our licensing terms? |
mpg
added
needs-work
and removed
needs-review
raoulstrackx
force-pushed
the
raoul/verify_crl_without_time
branch
2 times, most recently
from
dd3f370 to
1369231
Compare
| * A CRL's "revocationDate" entry field is on longer checked to be in the | ||
| past. This brings the implementation in line with RFC 5280. Note that | ||
| this also is a security fix in environments where the local clock cannot | ||
| be trusted (e.g., in an Intel SGX enclave). Reported by Raoul Strackx & |
There was a problem hiding this comment.
That's an interesting point. As you've noted when adding tests (thanks for that!), currently we have a config.h option MBEDTLS_HAVE_TIME_DATE whose documentation reads:
* System has time.h, time(), and an implementation for
* mbedtls_platform_gmtime_r() (see below).
* The time needs to be correct (not necessarily very accurate, but at least
* the date should be correct). This is used to verify the validity period of
* X.509 certificates.
*
* Comment if your system does not have a correct clock.
Perhaps this documentation should be made more explicit:
* \warning You should comment this out if the system's clock could be controlled by an attacker.
I'm mentioning this because my initial reaction was "but on systems where the local clock can't be trusted, people should just undefine MBEDTLS_HAVE_TIME_DATE" - then I checked if the documentation was actually making that clear, and perhaps not enough.
There was a problem hiding this comment.
“people should just undefine MBEDTLS_HAVE_TIME_DATE” That depends on your threat model. Undefining MBEDTLS_HAVE_TIME_DATE means that no certificate will ever be considered to have expired.
There was a problem hiding this comment.
I agree description could be more clear. The same applies for MBEDTLS_HAVE_TIME: when the system's clock can't be trusted, it also cannot be trusted for measuring time differences.
There was a problem hiding this comment.
Good point @gilles-peskine-arm but if you leave MBEDTLS_HAVE_TIME_DATE defined, things like SSL caches may never expire.
There was a problem hiding this comment.
Ok, after thinking a bit more about this, I think I was wrong to suggest placing the ChangeLog entry under "Bugfix". As the PR description says, when MBEDTLS_HAVE_TIME_DATE is unset, we would simply never consider any certificate as revoked. I'm not sure how I overlooked this before, but that's enough to qualify as a security issue.
I'm now thinking the ChangeLog entry should look more like:
Security
* When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported and fixed by Raoul Strackx & Jethro Beekman.
1369231 to
3529f78
Compare
There was a problem hiding this comment.
Thanks for updating the PR according to our feedback.
As commented above, I think I was wrong to recommend a "bugfix" changelog entry.
Also, I'm afraid one of the tests you added is currently not exercised in our CI, which should be fixed.
Finally, regarding changes to the documentation and to the ChangeLog, you may want to wait for Gilles to weigh in, in case we're not immediately in agreement, to avoid making changes in different directions each time one of us comments.
mpg
added
the
needs-review
raoulstrackx
force-pushed
the
raoul/verify_crl_without_time
branch
from
3529f78 to
98122db
Compare
raoulstrackx
force-pushed
the
raoul/verify_crl_without_time
branch
from
98122db to
b21e509
Compare
|
@mpg could you send me the output of CI? Running the tests locally doesn't give me much insight. There are failed tests, but those fail on the development branch too. |
|
One of the tests that fail is: client: server: |
|
You don't need to do anything else to pass CI.
If you're getting failures with interoperability tests locally, it's probably because you're using different versions of OpenSSL and GnuTLS. Different tests need different versions because older versions lack some features or have bugs, and newer versions have removed some obsolete features. The docker image in |
|
Thanks for your help! Who would be backporting the patch? |
|
Well, if you're willing to do it, that would be much appreciated. It would involve raising two new PRs, one targeting mbedtls-2.16, the other targeting mbedtls-2.7, with the same content as this one (usually Otherwise, we can handle it ourselves, but that may be a bit slower as that means involving more people on our side (1 for creating the PRs, 2 for reviewing them, while if you can create the PRs, the 2 reviewers who approved the original can usually review the backports pretty quickly). Just let us know. |
|
Sure I can do that. |
gilles-peskine-arm
removed
the
needs-backports
|
Unfortunately, there's a conflict. It's a simple add/add conflict, but it prevents merging. Please either merge with the latest state of the |
RFC5280 does not state that the `revocationDate` should be checked. In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined), `mbedtls_x509_time_is_past` always returns 0. This results in the CRL not being checked at all. https://tools.ietf.org/html/rfc5280 Signed-off-by: Raoul Strackx <[email protected]>
raoulstrackx
dismissed stale reviews from mpg and gilles-peskine-arm
via
a4e8614
raoulstrackx
force-pushed
the
raoul/verify_crl_without_time
branch
from
27c4a8d to
a4e8614
Compare
mpg
added
the
needs-review
gilles-peskine-arm
added
needs-backports
|
Thanks. Please resolve the similar conflict in the backports as well. |
|
Sorry for the late response. Merge conflicts have been resolved |
gilles-peskine-arm
added
approved
Description
Always revoke certificate on CRL
RFC5280 (https://tools.ietf.org/html/rfc5280) does not state that the
revocationDateshould be checked.In addition, when no time source is available (i.e., when MBEDTLS_HAVE_TIME_DATE is not defined),
mbedtls_x509_time_is_pastalways returns 0. This results in the CRL not being checked at all.Status
READY
Requires Backporting
Yes
Todos
Fix #3340