Author: glen Date: Wed Jul 21 08:41:37 2010 GMT Module: packages Tag: HEAD ---- Log message: - make cert check to accept subjectAltNames, patch from: http://savannah.gnu.org/bugs/?23934
---- Files affected: packages/wget: wget-subjectAltNames.patch (NONE -> 1.1) (NEW) ---- Diffs: ================================================================ Index: packages/wget/wget-subjectAltNames.patch diff -u /dev/null packages/wget/wget-subjectAltNames.patch:1.1 --- /dev/null Wed Jul 21 10:41:37 2010 +++ packages/wget/wget-subjectAltNames.patch Wed Jul 21 10:41:32 2010 @@ -0,0 +1,208 @@ +http://savannah.gnu.org/bugs/?23934 + +http://savannah.gnu.org/file/wget-1.12-subjectAltNames.diff?file_id=18828 + +diff --git a/src/openssl.c b/src/openssl.c +index b55ca8b..b036a3b 100644 +--- a/src/openssl.c ++++ b/src/openssl.c +@@ -39,7 +39,7 @@ as that of the covered work. */ + #include <string.h> + + #include <openssl/ssl.h> +-#include <openssl/x509.h> ++#include <openssl/x509v3.h> + #include <openssl/err.h> + #include <openssl/rand.h> + +@@ -486,9 +486,11 @@ bool + ssl_check_certificate (int fd, const char *host) + { + X509 *cert; ++ GENERAL_NAMES *subjectAltNames; + char common_name[256]; + long vresult; + bool success = true; ++ bool alt_name_checked = false; + + /* If the user has specified --no-check-cert, we still want to warn + him about problems with the server's certificate. */ +@@ -558,10 +560,6 @@ ssl_check_certificate (int fd, const char *host) + /* Check that HOST matches the common name in the certificate. + #### The following remains to be done: + +- - It should use dNSName/ipAddress subjectAltName extensions if +- available; according to rfc2818: "If a subjectAltName extension +- of type dNSName is present, that MUST be used as the identity." +- + - When matching against common names, it should loop over all + common names and choose the most specific one, i.e. the last + one, not the first one, which the current code picks. +@@ -569,51 +567,123 @@ ssl_check_certificate (int fd, const char *host) + - Ensure that ASN1 strings from the certificate are encoded as + UTF-8 which can be meaningfully compared to HOST. */ + +- X509_NAME *xname = X509_get_subject_name(cert); +- common_name[0] = '\0'; +- X509_NAME_get_text_by_NID (xname, NID_commonName, common_name, +- sizeof (common_name)); ++ subjectAltNames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL); + +- if (!pattern_match (common_name, host)) ++ if (subjectAltNames) + { +- logprintf (LOG_NOTQUIET, _("\ +-%s: certificate common name %s doesn't match requested host name %s.\n"), +- severity, quote_n (0, common_name), quote_n (1, host)); +- success = false; ++ /* Test subject alternative names */ ++ ++ /* Do we want to check for dNSNAmes or ipAddresses (see RFC 2818)? ++ * Signal it by host_in_octet_string. */ ++ ASN1_OCTET_STRING *host_in_octet_string = NULL; ++ host_in_octet_string = a2i_IPADDRESS (host); ++ ++ int numaltnames = sk_GENERAL_NAME_num (subjectAltNames); ++ int i; ++ for (i=0; i < numaltnames; i++) ++ { ++ const GENERAL_NAME *name = ++ sk_GENERAL_NAME_value (subjectAltNames, i); ++ if (name) ++ { ++ if (host_in_octet_string) ++ { ++ if (name->type == GEN_IPADD) ++ { ++ /* Check for ipAddress */ ++ /* TODO: Should we convert between IPv4-mapped IPv6 ++ * addresses and IPv4 addresses? */ ++ alt_name_checked = true; ++ if (!ASN1_STRING_cmp (host_in_octet_string, ++ name->d.iPAddress)) ++ break; ++ } ++ } ++ else if (name->type == GEN_DNS) ++ { ++ /* Check for dNSName */ ++ alt_name_checked = true; ++ /* dNSName should be IA5String (i.e. ASCII), however who ++ * does trust CA? Convert it into UTF-8 for sure. */ ++ unsigned char *name_in_utf8 = NULL; ++ if (0 <= ASN1_STRING_to_UTF8 (&name_in_utf8, name->d.dNSName)) ++ { ++ /* Compare and check for NULL attack in ASN1_STRING */ ++ if (pattern_match ((char *)name_in_utf8, host) && ++ (strlen ((char *)name_in_utf8) == ++ ASN1_STRING_length (name->d.dNSName))) ++ { ++ OPENSSL_free (name_in_utf8); ++ break; ++ } ++ OPENSSL_free (name_in_utf8); ++ } ++ } ++ } ++ } ++ sk_GENERAL_NAME_free (subjectAltNames); ++ if (host_in_octet_string) ++ ASN1_OCTET_STRING_free(host_in_octet_string); ++ ++ if (alt_name_checked == true && i >= numaltnames) ++ { ++ logprintf (LOG_NOTQUIET, ++ _("%s: no certificate subject alternative name matches\n" ++ "\trequested host name %s.\n"), ++ severity, quote_n (1, host)); ++ success = false; ++ } + } +- else ++ ++ if (alt_name_checked == false) + { +- /* We now determine the length of the ASN1 string. If it differs from +- * common_name's length, then there is a \0 before the string terminates. +- * This can be an instance of a null-prefix attack. +- * +- * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike +- * */ +- +- int i = -1, j; +- X509_NAME_ENTRY *xentry; +- ASN1_STRING *sdata; +- +- if (xname) { +- for (;;) +- { +- j = X509_NAME_get_index_by_NID (xname, NID_commonName, i); +- if (j == -1) break; +- i = j; +- } +- } ++ /* Test commomName */ ++ X509_NAME *xname = X509_get_subject_name(cert); ++ common_name[0] = '\0'; ++ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name, ++ sizeof (common_name)); + +- xentry = X509_NAME_get_entry(xname,i); +- sdata = X509_NAME_ENTRY_get_data(xentry); +- if (strlen (common_name) != ASN1_STRING_length (sdata)) ++ if (!pattern_match (common_name, host)) + { + logprintf (LOG_NOTQUIET, _("\ +-%s: certificate common name is invalid (contains a NUL character).\n\ +-This may be an indication that the host is not who it claims to be\n\ +-(that is, it is not the real %s).\n"), +- severity, quote (host)); ++ %s: certificate common name %s doesn't match requested host name %s.\n"), ++ severity, quote_n (0, common_name), quote_n (1, host)); + success = false; + } ++ else ++ { ++ /* We now determine the length of the ASN1 string. If it differs from ++ * common_name's length, then there is a \0 before the string terminates. ++ * This can be an instance of a null-prefix attack. ++ * ++ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike ++ * */ ++ ++ int i = -1, j; ++ X509_NAME_ENTRY *xentry; ++ ASN1_STRING *sdata; ++ ++ if (xname) { ++ for (;;) ++ { ++ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i); ++ if (j == -1) break; ++ i = j; ++ } ++ } ++ ++ xentry = X509_NAME_get_entry(xname,i); ++ sdata = X509_NAME_ENTRY_get_data(xentry); ++ if (strlen (common_name) != ASN1_STRING_length (sdata)) ++ { ++ logprintf (LOG_NOTQUIET, _("\ ++ %s: certificate common name is invalid (contains a NUL character).\n\ ++ This may be an indication that the host is not who it claims to be\n\ ++ (that is, it is not the real %s).\n"), ++ severity, quote (host)); ++ success = false; ++ } ++ } + } + + +@@ -631,3 +701,7 @@ To connect to %s insecurely, use `--no-check-certificate'.\n"), + /* Allow --no-check-cert to disable certificate checking. */ + return opt.check_cert ? success : true; + } ++ ++/* ++ * vim: tabstop=2 shiftwidth=2 softtabstop=2 ++ */ ================================================================ _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
