mpapis · October 23, 2013 15:16
diff --git a/MRI-41812.patch b/MRI-41812.patch
 --- branches/ruby_2_0_0/ChangeLog	2013/07/06 16:58:40	41811
 +++ branches/ruby_2_0_0/ChangeLog	2013/07/06 17:05:08	41812
 @@ -1,3 +1,20 @@
 +Sun Jul  7 02:00:41 2013  Martin Bosslet  <[email protected]>
 +
 +	* lib/openssl/ssl.rb: Fix SSL client connection crash for SAN marked
 +	  critical.
 +	  The patch for CVE-2013-4073 caused SSL crash when a SSL server returns
 +	  the certificate that has critical SAN value.  X509 extension could
 +	  include 2 or 3 elements in it:
 +
 +	  [id, criticality, octet_string] if critical,
 +	  [id, octet_string] if not.
 +
 +	  Making sure to pick the last element of X509 extension and use it as
 +	  SAN value.
 +	  [ruby-core:55685] [Bug #8575]
 +
 +	  Thank you @nahi for providing the patch!
 +
 Sun Jul  7 01:58:25 2013  Akinori MUSHA  <[email protected]>
 
 	* lib/fileutils.rb (FileUtils#symbolic_modes_to_i): Fix the wrong
 --- branches/ruby_2_0_0/ext/openssl/lib/openssl/ssl.rb	2013/07/06 16:58:40	41811
 +++ branches/ruby_2_0_0/ext/openssl/lib/openssl/ssl.rb	2013/07/06 17:05:08	41812
 @@ -98,7 +98,7 @@
       should_verify_common_name = true
       cert.extensions.each{|ext|
         next if ext.oid != "subjectAltName"
 -        id, ostr = OpenSSL::ASN1.decode(ext.to_der).value
 +        ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
         sequence = OpenSSL::ASN1.decode(ostr.value)
         sequence.value.each{|san|
           case san.tag
 --- branches/ruby_2_0_0/test/openssl/test_ssl.rb	2013/07/06 16:58:40	41811
 +++ branches/ruby_2_0_0/test/openssl/test_ssl.rb	2013/07/06 17:05:08	41812
 @@ -338,25 +338,32 @@
   end
 
   def test_verify_certificate_identity
 -    # creating NULL byte SAN certificate
 +    [true, false].each do |criticality|
 +      cert = create_null_byte_SAN_certificate(criticality)
 +      assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com'))
 +      assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com'))
 +      assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))
 +      assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))
 +      assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
 +      assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))
 +    end
 +  end
 +
 +  # Create NULL byte SAN certificate
 +  def create_null_byte_SAN_certificate(critical = false)
     ef = OpenSSL::X509::ExtensionFactory.new
     cert = OpenSSL::X509::Certificate.new
     cert.subject = OpenSSL::X509::Name.parse "/DC=some/DC=site/CN=Some Site"
 -    ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17')
 +    ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17', critical)
     ext_asn1 = OpenSSL::ASN1.decode(ext.to_der)
     san_list_der = ext_asn1.value.reduce(nil) { |memo,val| val.tag == 4 ? val.value : memo }
     san_list_asn1 = OpenSSL::ASN1.decode(san_list_der)
     san_list_asn1.value[0].value = 'www.example.com\0.evil.com'
 -    ext_asn1.value[1].value = san_list_asn1.to_der
 +    pos = critical ? 2 : 1
 +    ext_asn1.value[pos].value = san_list_asn1.to_der
     real_ext = OpenSSL::X509::Extension.new ext_asn1
     cert.add_extension(real_ext)
 -
 -    assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com'))
 -    assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com'))
 -    assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))
 -    assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))
 -    assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
 -    assert_equal(true,  OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))
 +    cert
   end
 
   def test_tlsext_hostname
 --- branches/ruby_2_0_0/version.h	2013/07/06 16:58:40	41811
 +++ branches/ruby_2_0_0/version.h	2013/07/06 17:05:08	41812
 @@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.0.0"
 #define RUBY_RELEASE_DATE "2013-07-07"
 -#define RUBY_PATCHLEVEL 254
 +#define RUBY_PATCHLEVEL 255
 
 #define RUBY_RELEASE_YEAR 2013
 #define RUBY_RELEASE_MONTH 7
	--- branches/ruby_2_0_0/ChangeLog 2013/07/06 16:58:40 41811
	+++ branches/ruby_2_0_0/ChangeLog 2013/07/06 17:05:08 41812
	@@ -1,3 +1,20 @@
	+Sun Jul 7 02:00:41 2013 Martin Bosslet <[email protected]>
	+
	+ * lib/openssl/ssl.rb: Fix SSL client connection crash for SAN marked
	+ critical.
	+ The patch for CVE-2013-4073 caused SSL crash when a SSL server returns
	+ the certificate that has critical SAN value. X509 extension could
	+ include 2 or 3 elements in it:
	+
	+ [id, criticality, octet_string] if critical,
	+ [id, octet_string] if not.
	+
	+ Making sure to pick the last element of X509 extension and use it as
	+ SAN value.
	+ [ruby-core:55685] [Bug #8575]
	+
	+ Thank you @nahi for providing the patch!
	+
	Sun Jul 7 01:58:25 2013 Akinori MUSHA <[email protected]>

	* lib/fileutils.rb (FileUtils#symbolic_modes_to_i): Fix the wrong
	--- branches/ruby_2_0_0/ext/openssl/lib/openssl/ssl.rb 2013/07/06 16:58:40 41811
	+++ branches/ruby_2_0_0/ext/openssl/lib/openssl/ssl.rb 2013/07/06 17:05:08 41812
	@@ -98,7 +98,7 @@
	should_verify_common_name = true
	cert.extensions.each{\|ext\|
	next if ext.oid != "subjectAltName"
	- id, ostr = OpenSSL::ASN1.decode(ext.to_der).value
	+ ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
	sequence = OpenSSL::ASN1.decode(ostr.value)
	sequence.value.each{\|san\|
	case san.tag
	--- branches/ruby_2_0_0/test/openssl/test_ssl.rb 2013/07/06 16:58:40 41811
	+++ branches/ruby_2_0_0/test/openssl/test_ssl.rb 2013/07/06 17:05:08 41812
	@@ -338,25 +338,32 @@
	end

	def test_verify_certificate_identity
	- # creating NULL byte SAN certificate
	+ [true, false].each do \|criticality\|
	+ cert = create_null_byte_SAN_certificate(criticality)
	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com'))
	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com'))
	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))
	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))
	+ assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
	+ assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))
	+ end
	+ end
	+
	+ # Create NULL byte SAN certificate
	+ def create_null_byte_SAN_certificate(critical = false)
	ef = OpenSSL::X509::ExtensionFactory.new
	cert = OpenSSL::X509::Certificate.new
	cert.subject = OpenSSL::X509::Name.parse "/DC=some/DC=site/CN=Some Site"
	- ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17')
	+ ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17', critical)
	ext_asn1 = OpenSSL::ASN1.decode(ext.to_der)
	san_list_der = ext_asn1.value.reduce(nil) { \|memo,val\| val.tag == 4 ? val.value : memo }
	san_list_asn1 = OpenSSL::ASN1.decode(san_list_der)
	san_list_asn1.value[0].value = 'www.example.com\0.evil.com'
	- ext_asn1.value[1].value = san_list_asn1.to_der
	+ pos = critical ? 2 : 1
	+ ext_asn1.value[pos].value = san_list_asn1.to_der
	real_ext = OpenSSL::X509::Extension.new ext_asn1
	cert.add_extension(real_ext)
	-
	- assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com'))
	- assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com'))
	- assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))
	- assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))
	- assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
	- assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))
	+ cert
	end

	def test_tlsext_hostname
	--- branches/ruby_2_0_0/version.h 2013/07/06 16:58:40 41811
	+++ branches/ruby_2_0_0/version.h 2013/07/06 17:05:08 41812
	@@ -1,6 +1,6 @@
	#define RUBY_VERSION "2.0.0"
	#define RUBY_RELEASE_DATE "2013-07-07"
	-#define RUBY_PATCHLEVEL 254
	+#define RUBY_PATCHLEVEL 255

	#define RUBY_RELEASE_YEAR 2013
	#define RUBY_RELEASE_MONTH 7
No results found