Accepting request 20160 from network:ldap

Copy from network:ldap/openldap2 based on submit request 20160 from user rhafer

OBS-URL: https://build.opensuse.org/request/show/20160
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=52

libldap-tls_chkhost-its6239.dif

@@ -0,0 +1,125 @@
+Index: libraries/libldap/tls_o.c
+===================================================================
+RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/tls_o.c,v
+retrieving revision 1.5.2.4
+retrieving revision 1.5.2.6
+diff -u -r1.5.2.4 -r1.5.2.6
+--- libraries/libldap/tls_o.c	1 Jul 2009 23:04:49 -0000	1.5.2.4
++++ libraries/libldap/tls_o.c	13 Aug 2009 00:52:04 -0000	1.5.2.6
+@@ -466,7 +466,7 @@
+ 	X509 *x;
+ 	const char *name;
+ 	char *ptr;
+-	int ntype = IS_DNS;
++	int ntype = IS_DNS, nlen;
+ #ifdef LDAP_PF_INET6
+ 	struct in6_addr addr;
+ #else
+@@ -480,6 +480,7 @@
+ 	} else {
+ 		name = name_in;
+ 	}
++	nlen = strlen(name);
+ 
+ 	x = tlso_get_cert(s);
+ 	if (!x) {
+@@ -513,15 +514,14 @@
+ 		ex = X509_get_ext(x, i);
+ 		alt = X509V3_EXT_d2i(ex);
+ 		if (alt) {
+-			int n, len1 = 0, len2 = 0;
++			int n, len2 = 0;
+ 			char *domain = NULL;
+ 			GENERAL_NAME *gn;
+ 
+ 			if (ntype == IS_DNS) {
+-				len1 = strlen(name);
+ 				domain = strchr(name, '.');
+ 				if (domain) {
+-					len2 = len1 - (domain-name);
++					len2 = nlen - (domain-name);
+ 				}
+ 			}
+ 			n = sk_GENERAL_NAME_num(alt);
+@@ -539,7 +539,7 @@
+ 					if (sl == 0) continue;
+ 
+ 					/* Is this an exact match? */
+-					if ((len1 == sl) && !strncasecmp(name, sn, len1)) {
++					if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
+ 						break;
+ 					}
+ 
+@@ -579,13 +579,28 @@
+ 
+ 	if (ret != LDAP_SUCCESS) {
+ 		X509_NAME *xn;
+-		char buf[2048];
+-		buf[0] = '\0';
++		X509_NAME_ENTRY *ne;
++		ASN1_OBJECT *obj;
++		ASN1_STRING *cn = NULL;
++		int navas;
++
++		/* find the last CN */
++		obj = OBJ_nid2obj( NID_commonName );
++		if ( !obj ) goto no_cn;	/* should never happen */
+ 
+ 		xn = X509_get_subject_name(x);
+-		if( X509_NAME_get_text_by_NID( xn, NID_commonName,
+-			buf, sizeof(buf)) == -1)
++		navas = X509_NAME_entry_count( xn );
++		for ( i=navas-1; i>=0; i-- ) {
++			ne = X509_NAME_get_entry( xn, i );
++			if ( !OBJ_cmp( ne->object, obj )) {
++				cn = X509_NAME_ENTRY_get_data( ne );
++				break;
++			}
++		}
++
++		if( !cn )
+ 		{
++no_cn:
+ 			Debug( LDAP_DEBUG_ANY,
+ 				"TLS: unable to get common name from peer certificate.\n",
+ 				0, 0, 0 );
+@@ -596,21 +611,20 @@
+ 			ld->ld_error = LDAP_STRDUP(
+ 				_("TLS: unable to get CN from peer certificate"));
+ 
+-		} else if (strcasecmp(name, buf) == 0 ) {
++		} else if ( cn->length == nlen &&
++			strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
+ 			ret = LDAP_SUCCESS;
+ 
+-		} else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {
++		} else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
+ 			char *domain = strchr(name, '.');
+ 			if( domain ) {
+-				size_t dlen = 0;
+-				size_t sl;
++				size_t dlen;
+ 
+-				sl = strlen(name);
+-				dlen = sl - (domain-name);
+-				sl = strlen(buf);
++				dlen = nlen - (domain-name);
+ 
+ 				/* Is this a wildcard match? */
+-				if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) {
++				if ((dlen == cn->length-1) &&
++					!strncasecmp(domain, (char *) &cn->data[1], dlen)) {
+ 					ret = LDAP_SUCCESS;
+ 				}
+ 			}
+@@ -618,8 +632,8 @@
+ 
+ 		if( ret == LDAP_LOCAL_ERROR ) {
+ 			Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+-				"common name in certificate (%s).\n", 
+-				name, buf, 0 );
++				"common name in certificate (%.*s).\n", 
++				name, cn->length, cn->data );
+ 			ret = LDAP_CONNECT_ERROR;
+ 			if ( ld->ld_error ) {
+ 				LDAP_FREE( ld->ld_error );

openldap2-client.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Sep  9 07:48:20 UTC 2009 - rhafer@novell.com
+
+- libldap's check of the hostname against the TLS Certificate's CN
+  Attribute did not handle possible NUL bytes in the CN correctly
+  and was vulnerable against attacks with spoofed Certificates.
+  (bnc#537143, ITS#6239)
+
 -------------------------------------------------------------------
 Tue Jul 14 14:02:11 CEST 2009 - rhafer@novell.com
 

openldap2-client.spec

@@ -27,7 +27,7 @@ BuildRequires:  -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-de
 BuildRequires:  -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
 %endif
 Version:        2.4.17
-Release:        1
+Release:        2
 Url:            http://www.openldap.org
 License:        BSD 3-clause (or similar) ; openldap 2.8
 %if "%{name}" == "openldap2"
@@ -60,6 +60,7 @@ Patch6:         libldap-gethostbyname_r.dif
 Patch7:         pie-compile.dif
 Patch11:        slapd-bconfig-del-db.dif
 Patch14:        slapo-collect-include.dif
+Patch15:        libldap-tls_chkhost-its6239.dif
 Patch100:       openldap-2.3.37.dif
 Patch200:       slapd_getaddrinfo_dupl.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -182,6 +183,7 @@ Authors:
 %endif
 %patch11
 %patch14 -p1
+%patch15
 %if %suse_version == 1100
 %patch200 -p1
 %endif

openldap2.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Sep  9 07:48:20 UTC 2009 - rhafer@novell.com
+
+- libldap's check of the hostname against the TLS Certificate's CN
+  Attribute did not handle possible NUL bytes in the CN correctly
+  and was vulnerable against attacks with spoofed Certificates.
+  (bnc#537143, ITS#6239)
+
 -------------------------------------------------------------------
 Tue Jul 14 14:02:11 CEST 2009 - rhafer@novell.com
 

openldap2.spec

@@ -27,7 +27,7 @@ BuildRequires:  -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-de
 BuildRequires:  -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
 %endif
 Version:        2.4.17
-Release:        1
+Release:        2
 Url:            http://www.openldap.org
 License:        BSD 3-clause (or similar) ; openldap 2.8
 %if "%{name}" == "openldap2"
@@ -60,6 +60,7 @@ Patch6:         libldap-gethostbyname_r.dif
 Patch7:         pie-compile.dif
 Patch11:        slapd-bconfig-del-db.dif
 Patch14:        slapo-collect-include.dif
+Patch15:        libldap-tls_chkhost-its6239.dif
 Patch100:       openldap-2.3.37.dif
 Patch200:       slapd_getaddrinfo_dupl.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -182,6 +183,7 @@ Authors:
 %endif
 %patch11
 %patch14 -p1
+%patch15
 %if %suse_version == 1100
 %patch200 -p1
 %endif