forked from pool/openldap2
Accepting request 20160 from network:ldap
Copy from network:ldap/openldap2 based on submit request 20160 from user rhafer OBS-URL: https://build.opensuse.org/request/show/20160 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=52
This commit is contained in:
parent
76e2ca63a5
commit
925621842f
125
libldap-tls_chkhost-its6239.dif
Normal file
125
libldap-tls_chkhost-its6239.dif
Normal file
@ -0,0 +1,125 @@
|
|||||||
|
Index: libraries/libldap/tls_o.c
|
||||||
|
===================================================================
|
||||||
|
RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/tls_o.c,v
|
||||||
|
retrieving revision 1.5.2.4
|
||||||
|
retrieving revision 1.5.2.6
|
||||||
|
diff -u -r1.5.2.4 -r1.5.2.6
|
||||||
|
--- libraries/libldap/tls_o.c 1 Jul 2009 23:04:49 -0000 1.5.2.4
|
||||||
|
+++ libraries/libldap/tls_o.c 13 Aug 2009 00:52:04 -0000 1.5.2.6
|
||||||
|
@@ -466,7 +466,7 @@
|
||||||
|
X509 *x;
|
||||||
|
const char *name;
|
||||||
|
char *ptr;
|
||||||
|
- int ntype = IS_DNS;
|
||||||
|
+ int ntype = IS_DNS, nlen;
|
||||||
|
#ifdef LDAP_PF_INET6
|
||||||
|
struct in6_addr addr;
|
||||||
|
#else
|
||||||
|
@@ -480,6 +480,7 @@
|
||||||
|
} else {
|
||||||
|
name = name_in;
|
||||||
|
}
|
||||||
|
+ nlen = strlen(name);
|
||||||
|
|
||||||
|
x = tlso_get_cert(s);
|
||||||
|
if (!x) {
|
||||||
|
@@ -513,15 +514,14 @@
|
||||||
|
ex = X509_get_ext(x, i);
|
||||||
|
alt = X509V3_EXT_d2i(ex);
|
||||||
|
if (alt) {
|
||||||
|
- int n, len1 = 0, len2 = 0;
|
||||||
|
+ int n, len2 = 0;
|
||||||
|
char *domain = NULL;
|
||||||
|
GENERAL_NAME *gn;
|
||||||
|
|
||||||
|
if (ntype == IS_DNS) {
|
||||||
|
- len1 = strlen(name);
|
||||||
|
domain = strchr(name, '.');
|
||||||
|
if (domain) {
|
||||||
|
- len2 = len1 - (domain-name);
|
||||||
|
+ len2 = nlen - (domain-name);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
n = sk_GENERAL_NAME_num(alt);
|
||||||
|
@@ -539,7 +539,7 @@
|
||||||
|
if (sl == 0) continue;
|
||||||
|
|
||||||
|
/* Is this an exact match? */
|
||||||
|
- if ((len1 == sl) && !strncasecmp(name, sn, len1)) {
|
||||||
|
+ if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -579,13 +579,28 @@
|
||||||
|
|
||||||
|
if (ret != LDAP_SUCCESS) {
|
||||||
|
X509_NAME *xn;
|
||||||
|
- char buf[2048];
|
||||||
|
- buf[0] = '\0';
|
||||||
|
+ X509_NAME_ENTRY *ne;
|
||||||
|
+ ASN1_OBJECT *obj;
|
||||||
|
+ ASN1_STRING *cn = NULL;
|
||||||
|
+ int navas;
|
||||||
|
+
|
||||||
|
+ /* find the last CN */
|
||||||
|
+ obj = OBJ_nid2obj( NID_commonName );
|
||||||
|
+ if ( !obj ) goto no_cn; /* should never happen */
|
||||||
|
|
||||||
|
xn = X509_get_subject_name(x);
|
||||||
|
- if( X509_NAME_get_text_by_NID( xn, NID_commonName,
|
||||||
|
- buf, sizeof(buf)) == -1)
|
||||||
|
+ navas = X509_NAME_entry_count( xn );
|
||||||
|
+ for ( i=navas-1; i>=0; i-- ) {
|
||||||
|
+ ne = X509_NAME_get_entry( xn, i );
|
||||||
|
+ if ( !OBJ_cmp( ne->object, obj )) {
|
||||||
|
+ cn = X509_NAME_ENTRY_get_data( ne );
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if( !cn )
|
||||||
|
{
|
||||||
|
+no_cn:
|
||||||
|
Debug( LDAP_DEBUG_ANY,
|
||||||
|
"TLS: unable to get common name from peer certificate.\n",
|
||||||
|
0, 0, 0 );
|
||||||
|
@@ -596,21 +611,20 @@
|
||||||
|
ld->ld_error = LDAP_STRDUP(
|
||||||
|
_("TLS: unable to get CN from peer certificate"));
|
||||||
|
|
||||||
|
- } else if (strcasecmp(name, buf) == 0 ) {
|
||||||
|
+ } else if ( cn->length == nlen &&
|
||||||
|
+ strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
|
||||||
|
ret = LDAP_SUCCESS;
|
||||||
|
|
||||||
|
- } else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {
|
||||||
|
+ } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
|
||||||
|
char *domain = strchr(name, '.');
|
||||||
|
if( domain ) {
|
||||||
|
- size_t dlen = 0;
|
||||||
|
- size_t sl;
|
||||||
|
+ size_t dlen;
|
||||||
|
|
||||||
|
- sl = strlen(name);
|
||||||
|
- dlen = sl - (domain-name);
|
||||||
|
- sl = strlen(buf);
|
||||||
|
+ dlen = nlen - (domain-name);
|
||||||
|
|
||||||
|
/* Is this a wildcard match? */
|
||||||
|
- if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) {
|
||||||
|
+ if ((dlen == cn->length-1) &&
|
||||||
|
+ !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
|
||||||
|
ret = LDAP_SUCCESS;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -618,8 +632,8 @@
|
||||||
|
|
||||||
|
if( ret == LDAP_LOCAL_ERROR ) {
|
||||||
|
Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
|
||||||
|
- "common name in certificate (%s).\n",
|
||||||
|
- name, buf, 0 );
|
||||||
|
+ "common name in certificate (%.*s).\n",
|
||||||
|
+ name, cn->length, cn->data );
|
||||||
|
ret = LDAP_CONNECT_ERROR;
|
||||||
|
if ( ld->ld_error ) {
|
||||||
|
LDAP_FREE( ld->ld_error );
|
@ -1,3 +1,11 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 9 07:48:20 UTC 2009 - rhafer@novell.com
|
||||||
|
|
||||||
|
- libldap's check of the hostname against the TLS Certificate's CN
|
||||||
|
Attribute did not handle possible NUL bytes in the CN correctly
|
||||||
|
and was vulnerable against attacks with spoofed Certificates.
|
||||||
|
(bnc#537143, ITS#6239)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Jul 14 14:02:11 CEST 2009 - rhafer@novell.com
|
Tue Jul 14 14:02:11 CEST 2009 - rhafer@novell.com
|
||||||
|
|
||||||
|
@ -27,7 +27,7 @@ BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-de
|
|||||||
BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
|
BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
|
||||||
%endif
|
%endif
|
||||||
Version: 2.4.17
|
Version: 2.4.17
|
||||||
Release: 1
|
Release: 2
|
||||||
Url: http://www.openldap.org
|
Url: http://www.openldap.org
|
||||||
License: BSD 3-clause (or similar) ; openldap 2.8
|
License: BSD 3-clause (or similar) ; openldap 2.8
|
||||||
%if "%{name}" == "openldap2"
|
%if "%{name}" == "openldap2"
|
||||||
@ -60,6 +60,7 @@ Patch6: libldap-gethostbyname_r.dif
|
|||||||
Patch7: pie-compile.dif
|
Patch7: pie-compile.dif
|
||||||
Patch11: slapd-bconfig-del-db.dif
|
Patch11: slapd-bconfig-del-db.dif
|
||||||
Patch14: slapo-collect-include.dif
|
Patch14: slapo-collect-include.dif
|
||||||
|
Patch15: libldap-tls_chkhost-its6239.dif
|
||||||
Patch100: openldap-2.3.37.dif
|
Patch100: openldap-2.3.37.dif
|
||||||
Patch200: slapd_getaddrinfo_dupl.dif
|
Patch200: slapd_getaddrinfo_dupl.dif
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
@ -182,6 +183,7 @@ Authors:
|
|||||||
%endif
|
%endif
|
||||||
%patch11
|
%patch11
|
||||||
%patch14 -p1
|
%patch14 -p1
|
||||||
|
%patch15
|
||||||
%if %suse_version == 1100
|
%if %suse_version == 1100
|
||||||
%patch200 -p1
|
%patch200 -p1
|
||||||
%endif
|
%endif
|
||||||
|
@ -1,3 +1,11 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 9 07:48:20 UTC 2009 - rhafer@novell.com
|
||||||
|
|
||||||
|
- libldap's check of the hostname against the TLS Certificate's CN
|
||||||
|
Attribute did not handle possible NUL bytes in the CN correctly
|
||||||
|
and was vulnerable against attacks with spoofed Certificates.
|
||||||
|
(bnc#537143, ITS#6239)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Jul 14 14:02:11 CEST 2009 - rhafer@novell.com
|
Tue Jul 14 14:02:11 CEST 2009 - rhafer@novell.com
|
||||||
|
|
||||||
|
@ -27,7 +27,7 @@ BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-de
|
|||||||
BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
|
BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
|
||||||
%endif
|
%endif
|
||||||
Version: 2.4.17
|
Version: 2.4.17
|
||||||
Release: 1
|
Release: 2
|
||||||
Url: http://www.openldap.org
|
Url: http://www.openldap.org
|
||||||
License: BSD 3-clause (or similar) ; openldap 2.8
|
License: BSD 3-clause (or similar) ; openldap 2.8
|
||||||
%if "%{name}" == "openldap2"
|
%if "%{name}" == "openldap2"
|
||||||
@ -60,6 +60,7 @@ Patch6: libldap-gethostbyname_r.dif
|
|||||||
Patch7: pie-compile.dif
|
Patch7: pie-compile.dif
|
||||||
Patch11: slapd-bconfig-del-db.dif
|
Patch11: slapd-bconfig-del-db.dif
|
||||||
Patch14: slapo-collect-include.dif
|
Patch14: slapo-collect-include.dif
|
||||||
|
Patch15: libldap-tls_chkhost-its6239.dif
|
||||||
Patch100: openldap-2.3.37.dif
|
Patch100: openldap-2.3.37.dif
|
||||||
Patch200: slapd_getaddrinfo_dupl.dif
|
Patch200: slapd_getaddrinfo_dupl.dif
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
@ -182,6 +183,7 @@ Authors:
|
|||||||
%endif
|
%endif
|
||||||
%patch11
|
%patch11
|
||||||
%patch14 -p1
|
%patch14 -p1
|
||||||
|
%patch15
|
||||||
%if %suse_version == 1100
|
%if %suse_version == 1100
|
||||||
%patch200 -p1
|
%patch200 -p1
|
||||||
%endif
|
%endif
|
||||||
|
Loading…
Reference in New Issue
Block a user