[tor-commits] [tor-browser-build/maint-10.0-android] Bug 40175: Update obfs4proxy's TLS certificate public key pinning

gk at torproject.org gk at torproject.org
Mon Dec 7 21:35:58 UTC 2020


commit bdb60883a70c8ec906d3fb59d2f971a441b0d254
Author: Matthew Finkel <sysrqb at torproject.org>
Date:   Mon Dec 7 20:33:53 2020 +0000

    Bug 40175: Update obfs4proxy's TLS certificate public key pinning
---
 projects/obfs4/build                   |  1 +
 projects/obfs4/config                  |  1 +
 projects/obfs4/update_azure_hpkp.patch | 56 ++++++++++++++++++++++++++++++++++
 3 files changed, 58 insertions(+)

diff --git a/projects/obfs4/build b/projects/obfs4/build
index 47c7228..4840edf 100644
--- a/projects/obfs4/build
+++ b/projects/obfs4/build
@@ -29,6 +29,7 @@ mkdir -p "$GOPATH/src/gitlab.com/yawning"
 ln -sf "$PWD" "$GOPATH/src/gitlab.com/yawning/obfs4.git"
 
 cd obfs4proxy
+patch -p1 < $rootdir/update_azure_hpkp.patch
 go build -ldflags '-s'
 cp -a obfs4proxy[% IF c("var/windows") %].exe[% END %] $PTDIR
 
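Review bot: The added `patch -p1 < $rootdir/update_azure_hpkp.patch` leaves `$rootdir` unquoted, while the neighbouring lines quote `"$PWD"` and `"$GOPATH/..."`; a build root containing whitespace would split the redirection target. Unless the script runs under `set -e` (not visible in this hunk), a failed or already-applied patch would also fall through to `go build`, so the resulting obfs4proxy could ship with the old, no longer working pins and the failure would only surface when meek-azure stays broken. Suggest `patch -p1 < "$rootdir/update_azure_hpkp.patch" || exit 1` so the build stops at the step that went wrong.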
diff --git a/projects/obfs4/config b/projects/obfs4/config
index 21bdab6..749ff43 100644
--- a/projects/obfs4/config
+++ b/projects/obfs4/config
@@ -39,3 +39,4 @@ input_files:
   - name: '[% c("var/compiler") %]'
     project: '[% c("var/compiler") %]'
     enable: '[% c("var/android") %]'
+  - filename: update_azure_hpkp.patch
diff --git a/projects/obfs4/update_azure_hpkp.patch b/projects/obfs4/update_azure_hpkp.patch
new file mode 100644
index 0000000..a4324fc
--- /dev/null
+++ b/projects/obfs4/update_azure_hpkp.patch
@@ -0,0 +1,56 @@
+From 1115c2e2eaca1a96865ae47aead9838aab45787e Mon Sep 17 00:00:00 2001
+From: Philipp Winter <phw at nymity.ch>
+Date: Mon, 7 Dec 2020 10:23:44 -0800
+Subject: [PATCH] Update Azure's root CA certificate pins.
+
+Microsoft recently updated the root CA certificates that are served to
+Azure clients.  See the following article for more details:
+https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes
+
+This change broke meek-lite because none of its pins work anymore.  That
+means that Tor Browser users can no longer use meek-azure or moat as
+both rely on meek-lite.
+
+This patch fixes the problem by updating the certificate pins.
+---
+ transports/meeklite/hpkp_lite.go | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/transports/meeklite/hpkp_lite.go b/transports/meeklite/hpkp_lite.go
+index 0ff56f9..97ac590 100644
+--- a/transports/meeklite/hpkp_lite.go
++++ b/transports/meeklite/hpkp_lite.go
+@@ -103,19 +103,22 @@ func init() {
+ 		pins: make(map[string]*pinEntry),
+ 	}
+ 
+-	// Pin all of Microsoft's CA intermediary certificates for the
+-	// Tor Browser Azure bridge.
++	// Pin all of Microsoft Azure's root CA certificates for the Tor Browser
++	// Azure bridge.
+ 	//
+-	// See: https://www.microsoft.com/pki/mscorp/cps/default.htm
++	// See: https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes
+ 	builtinPinDB.Add(
+ 		"ajax.aspnetcdn.com",
+ 		[]string{
+-			"CzdPous1hY3sIkO55pUH7vklXyIHVZAl/UnprSQvpEI=", // Microsoft IT SSL SHA2 - 2018-05-07 17:03:30
+-			"xjXxgkOYlag7jCtR5DreZm9b61iaIhd+J3+b2LiybIw=", // Microsoft IT TLS CA 1 - 2024-05-20 12:51:28
+-			"wBdPad95AU7OgLRs0FU/E6ILO1MSCM84kJ9y0H+TT7s=", // Microsoft IT TLS CA 2 - 2024-05-20 12:51:57
+-			"wUY9EOTJmS7Aj4fDVCu/KeE++mV7FgIcbn4WhMz1I2k=", // Microsoft IT TLS CA 4 - 2024-05-20 12:52:38
+-			"RCbqB+W8nwjznTeP4O6VjqcwdxIgI79eBpnBKRr32gc=", // Microsoft IT TLS CA 5 - 2024-05-20 12:53:03
++			"i7WTqTvh0OioIruIfFR4kMPnBqrS2rdiVPl/s2uC/CY=", // DigiCert Global Root G2 - 2038-01-15 12:00:00
++			"r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E=", // DigiCert Global Root CA - 2031-11-10 00:00:00
++			"Y9mvm0exBk1JoQ57f9Vm28jKo5lFm/woKcVxrYxu80o=", // Baltimore CyberTrust Root - 2025-05-12 23:59:00
++			"7KDxgUAs56hlKzG00DbfJH46MLf0GlDZHsT5CwBrQ6E=", // D-TRUST Root Class 3 CA 2 2009 - 2029-11-05 08:35:58
++			"svcpi1K/LDysTd/nLeTWgqxYlXWVmC8rYjAa9ZfGmcU=", // Microsoft RSA Root Certificate Authority 2017 - 2042-07-18 23:00:23
++			"NfU84SZGEeAzQP434ex9TMmGxWE9ynD9BKpEVF8tryg=", // Microsoft ECC Root Certificate Authority 2017 - 2042-07-18 23:16:04
+ 		},
+-		time.Date(2024, time.May, 20, 00, 00, 00, 00, time.UTC),
++		// As of 2020-12-07, we're getting the "DigiCert Global Root CA"
++		// certificate, so our expiration time matches this certificate.
++		time.Date(2031, time.November, 20, 00, 00, 00, 00, time.UTC),
+ 	)
+ }
+-- 
+2.20.1
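Review bot: The expiration passed to `builtinPinDB.Add` is `time.Date(2031, time.November, 20, ...)`, but the new comment above it says the expiration is meant to match the "DigiCert Global Root CA" certificate, whose expiry the pin comment records as `2031-11-10 00:00:00`; either the day should be `10` or the comment should say why ten days of slack are intended. If reaching the expiry is what stops pin enforcement (the pinEntry semantics are outside this hunk), the stored date should not outlive the root it is tied to, so I would change the line to `time.Date(2031, time.November, 10, 00, 00, 00, 00, time.UTC),`. Separately, the entry now pins widely used public roots rather than Microsoft-operated intermediates, so any chain terminating in one of these roots satisfies the pin; a short comment stating that this is now a root-level pin and therefore narrows trust less than the previous intermediate pins would help the next maintainer judge when to tighten it again. The enclosing `init` starts before the hunk.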




