From 925621842f256953f9ca85017a73b4065947d22e03e4789b7f12603cb12e1367 Mon Sep 17 00:00:00 2001
From: OBS User autobuild
Date: Thu, 10 Sep 2009 10:47:58 +0000
Subject: [PATCH] Accepting request 20160 from network:ldap

Copy from network:ldap/openldap2 based on submit request 20160 from user rhafer

OBS-URL: https://build.opensuse.org/request/show/20160
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=52
---
 libldap-tls_chkhost-its6239.dif | 125 ++++++++++++++++++++++++++++++++
 openldap2-client.changes | 8 ++
 openldap2-client.spec | 4 +-
 openldap2.changes | 8 ++
 openldap2.spec | 4 +-
 5 files changed, 147 insertions(+), 2 deletions(-)
 create mode 100644 libldap-tls_chkhost-its6239.dif

diff --git a/libldap-tls_chkhost-its6239.dif b/libldap-tls_chkhost-its6239.dif
new file mode 100644
index 0000000..a5b780a
--- /dev/null
+++ b/libldap-tls_chkhost-its6239.dif
@@ -0,0 +1,125 @@
+Index: libraries/libldap/tls_o.c
+===================================================================
+RCS file: /repo/OpenLDAP/pkg/ldap/libraries/libldap/tls_o.c,v
+retrieving revision 1.5.2.4
+retrieving revision 1.5.2.6
+diff -u -r1.5.2.4 -r1.5.2.6
+--- libraries/libldap/tls_o.c 1 Jul 2009 23:04:49 -0000 1.5.2.4
++++ libraries/libldap/tls_o.c 13 Aug 2009 00:52:04 -0000 1.5.2.6
+@@ -466,7 +466,7 @@
+ X509 *x;
+ const char *name;
+ char *ptr;
+- int ntype = IS_DNS;
++ int ntype = IS_DNS, nlen;
+ #ifdef LDAP_PF_INET6
+ struct in6_addr addr;
+ #else
+@@ -480,6 +480,7 @@
+ } else {
+ name = name_in;
+ }
++ nlen = strlen(name);
+ 
+ x = tlso_get_cert(s);
+ if (!x) {
+@@ -513,15 +514,14 @@
+ ex = X509_get_ext(x, i);
+ alt = X509V3_EXT_d2i(ex);
+ if (alt) {
+- int n, len1 = 0, len2 = 0;
++ int n, len2 = 0;
+ char *domain = NULL;
+ GENERAL_NAME *gn;
+ 
+ if (ntype == IS_DNS) {
+- len1 = strlen(name);
+ domain = strchr(name, '.');
+ if (domain) {
+- len2 = len1 - (domain-name);
++ len2 = nlen - (domain-name);
+ }
+ }
+ n = sk_GENERAL_NAME_num(alt);
+@@ -539,7 +539,7 @@
+ if (sl == 0) continue;
+ 
+ /* Is this an exact match? */
+- if ((len1 == sl) && !strncasecmp(name, sn, len1)) {
++ if ((nlen == sl) && !strncasecmp(name, sn, nlen)) {
+ break;
+ }
+ 
+@@ -579,13 +579,28 @@
+ 
+ if (ret != LDAP_SUCCESS) {
+ X509_NAME *xn;
+- char buf[2048];
+- buf[0] = '\0';
++ X509_NAME_ENTRY *ne;
++ ASN1_OBJECT *obj;
++ ASN1_STRING *cn = NULL;
++ int navas;
++
++ /* find the last CN */
++ obj = OBJ_nid2obj( NID_commonName );
++ if ( !obj ) goto no_cn; /* should never happen */
+ 
+ xn = X509_get_subject_name(x);
+- if( X509_NAME_get_text_by_NID( xn, NID_commonName,
+- buf, sizeof(buf)) == -1)
++ navas = X509_NAME_entry_count( xn );
++ for ( i=navas-1; i>=0; i-- ) {
++ ne = X509_NAME_get_entry( xn, i );
++ if ( !OBJ_cmp( ne->object, obj )) {
++ cn = X509_NAME_ENTRY_get_data( ne );
++ break;
++ }
++ }
++
++ if( !cn )
+ {
++no_cn:
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: unable to get common name from peer certificate.\n",
+ 0, 0, 0 );
+@@ -596,21 +611,20 @@
+ ld->ld_error = LDAP_STRDUP(
+ _("TLS: unable to get CN from peer certificate"));
+ 
+- } else if (strcasecmp(name, buf) == 0 ) {
++ } else if ( cn->length == nlen &&
++ strncasecmp( name, (char *) cn->data, nlen ) == 0 ) {
+ ret = LDAP_SUCCESS;
+ 
+- } else if (( buf[0] == '*' ) && ( buf[1] == '.' )) {
++ } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) {
+ char *domain = strchr(name, '.');
+ if( domain ) {
+- size_t dlen = 0;
+- size_t sl;
++ size_t dlen;
+ 
+- sl = strlen(name);
+- dlen = sl - (domain-name);
+- sl = strlen(buf);
++ dlen = nlen - (domain-name);
+ 
+ /* Is this a wildcard match? */
+- if ((dlen == sl-1) && !strncasecmp(domain, &buf[1], dlen)) {
++ if ((dlen == cn->length-1) &&
++ !strncasecmp(domain, (char *) &cn->data[1], dlen)) {
+ ret = LDAP_SUCCESS;
+ }
+ }
+@@ -618,8 +632,8 @@
+ 
+ if( ret == LDAP_LOCAL_ERROR ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
+- "common name in certificate (%s).\n",
+- name, buf, 0 );
++ "common name in certificate (%.*s).\n",
++ name, cn->length, cn->data );
+ ret = LDAP_CONNECT_ERROR;
+ if ( ld->ld_error ) {
+ LDAP_FREE( ld->ld_error );
diff --git a/openldap2-client.changes b/openldap2-client.changes
index 80fc25e..b4d7f06 100644
--- a/openldap2-client.changes
+++ b/openldap2-client.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Sep 9 07:48:20 UTC 2009 - rhafer@novell.com
+
+- libldap's check of the hostname against the TLS Certificate's CN
+ Attribute did not handle possible NUL bytes in the CN correctly
+ and was vulnerable against attacks with spoofed Certificates.
+ (bnc#537143, ITS#6239)
+
 -------------------------------------------------------------------
 
 Tue Jul 14 14:02:11 CEST 2009 - rhafer@novell.com
diff --git a/openldap2-client.spec b/openldap2-client.spec
index 58200f3..845e3ff 100644
--- a/openldap2-client.spec
+++ b/openldap2-client.spec
@@ -27,7 +27,7 @@ BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-de
 BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
 %endif
 Version: 2.4.17
-Release: 1
+Release: 2
 Url: http://www.openldap.org
 License: BSD 3-clause (or similar) ; openldap 2.8
 %if "%{name}" == "openldap2"
@@ -60,6 +60,7 @@ Patch6: libldap-gethostbyname_r.dif
 Patch7: pie-compile.dif
 Patch11: slapd-bconfig-del-db.dif
 Patch14: slapo-collect-include.dif
+Patch15: libldap-tls_chkhost-its6239.dif
 Patch100: openldap-2.3.37.dif
 Patch200: slapd_getaddrinfo_dupl.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
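Review bot: In the CN fallback of the new libldap-tls_chkhost-its6239.dif, the wildcard branch reads `cn->data[1]` without first checking that the entry holds at least two bytes; it appears to stay in bounds only because OpenSSL's ASN1_STRING_set() NUL-terminates the buffer, which is an implementation detail rather than a documented contract, so guard it explicitly with `} else if ( cn->length >= 2 && cn->data[0] == '*' && cn->data[1] == '.' ) {`. The search loop also dereferences `ne->object` directly where `X509_NAME_ENTRY_get_object( ne )` is the public accessor, and the `goto no_cn` that jumps into the body of `if( !cn )` is legal but easy to misread, so a one-line comment at the label such as `/* also reached by goto when OBJ_nid2obj() fails */` would help. In the mismatch log, `%.*s` still stops at the first NUL byte, so a CN carrying an embedded NUL, which is exactly the case this patch now rejects, is logged as its benign-looking prefix; logging `cn->length` as well (in its own Debug call, since the macro takes three trailing arguments) makes the rejection visible to whoever reads the log. The comparison `dlen == cn->length-1` mixes size_t and int, harmless here but it will trip -Wsign-compare. The enclosing function starts and ends outside the hunk.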
@@ -182,6 +183,7 @@ Authors:
 %endif
 %patch11
 %patch14 -p1
+%patch15
 %if %suse_version == 1100
 %patch200 -p1
 %endif
diff --git a/openldap2.changes b/openldap2.changes
index 80fc25e..b4d7f06 100644
--- a/openldap2.changes
+++ b/openldap2.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Sep 9 07:48:20 UTC 2009 - rhafer@novell.com
+
+- libldap's check of the hostname against the TLS Certificate's CN
+ Attribute did not handle possible NUL bytes in the CN correctly
+ and was vulnerable against attacks with spoofed Certificates.
+ (bnc#537143, ITS#6239)
+
 -------------------------------------------------------------------
 
 Tue Jul 14 14:02:11 CEST 2009 - rhafer@novell.com
diff --git a/openldap2.spec b/openldap2.spec
index c9ef327..a87a604 100644
--- a/openldap2.spec
+++ b/openldap2.spec
@@ -27,7 +27,7 @@ BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-de
 BuildRequires: -db-devel -libopenssl-devel -pwdutils libdb-4_5-devel openssl-devel
 %endif
 Version: 2.4.17
-Release: 1
+Release: 2
 Url: http://www.openldap.org
 License: BSD 3-clause (or similar) ; openldap 2.8
 %if "%{name}" == "openldap2"
@@ -60,6 +60,7 @@ Patch6: libldap-gethostbyname_r.dif
 Patch7: pie-compile.dif
 Patch11: slapd-bconfig-del-db.dif
 Patch14: slapo-collect-include.dif
+Patch15: libldap-tls_chkhost-its6239.dif
 Patch100: openldap-2.3.37.dif
 Patch200: slapd_getaddrinfo_dupl.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
@@ -182,6 +183,7 @@ Authors:
 %endif
 %patch11
 %patch14 -p1
+%patch15
 %if %suse_version == 1100
 %patch200 -p1
 %endif