From 2ba5f0fe973f7ab0311beafc90fa2a0f7ffd7f52 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Feb 04 2020 10:18:42 +0000 Subject: import openldap-2.4.46-11.el8_1 --- diff --git a/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch b/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch deleted file mode 100644 index 9fc9b01..0000000 --- a/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch +++ /dev/null @@ -1,29 +0,0 @@ -Do not check CN when checking SAN failed - -This is to make it compliant with RFC 6125: -https://tools.ietf.org/html/rfc6125#section-6.4.4 - -Author: Matus Honek - -diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c -index 92c708be0..46b48a3fb 100644 ---- a/libraries/libldap/tls_o.c -+++ b/libraries/libldap/tls_o.c -@@ -675,11 +675,16 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) - GENERAL_NAMES_free(alt); - if (i < n) { /* Found a match */ - ret = LDAP_SUCCESS; -+ } else { /* None matched */ -+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match any " -+ "SAN in certificate.\n", -+ name, NULL, NULL ); -+ ret = LDAP_CONNECT_ERROR; - } - } - } - -- if (ret != LDAP_SUCCESS) { -+ if (ret == LDAP_LOCAL_ERROR) { - X509_NAME *xn; - X509_NAME_ENTRY *ne; - ASN1_OBJECT *obj; diff --git a/SOURCES/openldap-tlso-use-openssl-api-to-verify-host.patch b/SOURCES/openldap-tlso-use-openssl-api-to-verify-host.patch new file mode 100644 index 0000000..f7a1259 --- /dev/null +++ b/SOURCES/openldap-tlso-use-openssl-api-to-verify-host.patch @@ -0,0 +1,224 @@ +From f2978fefa13eb92b73922e49d2f6c12b4f92ea85 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Fri, 10 Jan 2020 18:35:02 +0100 +Subject: [PATCH] Use OpenSSL API to verify host + +Replace custom hostname and IP address verification with OpenSSL 1.0.2 +APIs. +--- + libraries/libldap/tls_o.c | 184 ++++++-------------------------------- + 1 file changed, 28 insertions(+), 156 deletions(-) + +diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c +index e52c5507c..5adf7b74f 100644 +--- a/libraries/libldap/tls_o.c ++++ b/libraries/libldap/tls_o.c +@@ -660,25 +660,15 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn ) + return 0; + } + +-/* what kind of hostname were we given? */ +-#define IS_DNS 0 +-#define IS_IP4 1 +-#define IS_IP6 2 +- + static int + tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + { + tlso_session *s = (tlso_session *)sess; +- int i, ret = LDAP_LOCAL_ERROR; ++ int ret = LDAP_LOCAL_ERROR; + X509 *x; + const char *name; +- char *ptr; +- int ntype = IS_DNS, nlen; +-#ifdef LDAP_PF_INET6 +- struct in6_addr addr; +-#else +- struct in_addr addr; +-#endif ++ int flags = X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS; ++ ASN1_OCTET_STRING *ip; + + if( ldap_int_hostname && + ( !name_in || !strcasecmp( name_in, "localhost" ) ) ) +@@ -687,7 +677,6 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + } else { + name = name_in; + } +- nlen = strlen(name); + + x = tlso_get_cert(s); + if (!x) { +@@ -619,150 +619,32 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in ) + return LDAP_SUCCESS; + } + +-#ifdef LDAP_PF_INET6 +- if (inet_pton(AF_INET6, name, &addr)) { +- ntype = IS_IP6; +- } else +-#endif +- if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) { +- if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4; +- } +- +- i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1); +- if (i >= 0) { +- X509_EXTENSION *ex; +- STACK_OF(GENERAL_NAME) *alt; +- +- ex = X509_get_ext(x, i); +- alt = X509V3_EXT_d2i(ex); +- if (alt) { +- int n, len2 = 0; +- char *domain = NULL; +- GENERAL_NAME *gn; +- +- if (ntype == IS_DNS) { +- domain = strchr(name, '.'); +- if (domain) { +- len2 = nlen - (domain-name); +- } +- } +- n = sk_GENERAL_NAME_num(alt); +- for (i=0; itype == GEN_DNS) { +- if (ntype != IS_DNS) continue; +- +- sn = (char *) ASN1_STRING_data(gn->d.ia5); +- sl = ASN1_STRING_length(gn->d.ia5); +- +- /* ignore empty */ +- if (sl == 0) continue; +- +- /* Is this an exact match? */ +- if ((nlen == sl) && !strncasecmp(name, sn, nlen)) { +- break; +- } +- +- /* Is this a wildcard match? */ +- if (domain && (sn[0] == '*') && (sn[1] == '.') && +- (len2 == sl-1) && !strncasecmp(domain, &sn[1], len2)) +- { +- break; +- } +- +- } else if (gn->type == GEN_IPADD) { +- if (ntype == IS_DNS) continue; +- +- sn = (char *) ASN1_STRING_data(gn->d.ia5); +- sl = ASN1_STRING_length(gn->d.ia5); +- +-#ifdef LDAP_PF_INET6 +- if (ntype == IS_IP6 && sl != sizeof(struct in6_addr)) { +- continue; +- } else +-#endif +- if (ntype == IS_IP4 && sl != sizeof(struct in_addr)) { +- continue; +- } +- if (!memcmp(sn, &addr, sl)) { +- break; +- } +- } +- } +- +- GENERAL_NAMES_free(alt); +- if (i < n) { /* Found a match */ +- ret = LDAP_SUCCESS; +- } +- } +- } +- +- if (ret != LDAP_SUCCESS) { +- X509_NAME *xn; +- X509_NAME_ENTRY *ne; +- ASN1_OBJECT *obj; +- ASN1_STRING *cn = NULL; +- int navas; +- +- /* find the last CN */ +- obj = OBJ_nid2obj( NID_commonName ); +- if ( !obj ) goto no_cn; /* should never happen */ +- +- xn = X509_get_subject_name(x); +- navas = X509_NAME_entry_count( xn ); +- for ( i=navas-1; i>=0; i-- ) { +- ne = X509_NAME_get_entry( xn, i ); +- if ( !OBJ_cmp( X509_NAME_ENTRY_get_object(ne), obj )) { +- cn = X509_NAME_ENTRY_get_data( ne ); +- break; +- } ++ /* attempt to encode name as IP address */ ++ ip = a2i_IPADDRESS(name); ++ if (ip == NULL) { ++ ERR_clear_error(); ++ /* it's a hostname */ ++ if (X509_check_host(x, name, strlen(name), flags, NULL) == 1) { ++ ret = LDAP_SUCCESS; + } +- +- if( !cn ) +- { +-no_cn: +- Debug( LDAP_DEBUG_ANY, +- "TLS: unable to get common name from peer certificate.\n", +- 0, 0, 0 ); +- ret = LDAP_CONNECT_ERROR; +- if ( ld->ld_error ) { +- LDAP_FREE( ld->ld_error ); +- } +- ld->ld_error = LDAP_STRDUP( +- _("TLS: unable to get CN from peer certificate")); +- +- } else if ( cn->length == nlen && +- strncasecmp( name, (char *) cn->data, nlen ) == 0 ) { ++ } else { ++ /* It's an IPv4 or IPv6 address */ ++ if (X509_check_ip(x, ASN1_STRING_data(ip), ++ ASN1_STRING_length(ip), 0) == 1) { + ret = LDAP_SUCCESS; +- +- } else if (( cn->data[0] == '*' ) && ( cn->data[1] == '.' )) { +- char *domain = strchr(name, '.'); +- if( domain ) { +- int dlen; +- +- dlen = nlen - (domain-name); +- +- /* Is this a wildcard match? */ +- if ((dlen == cn->length-1) && +- !strncasecmp(domain, (char *) &cn->data[1], dlen)) { +- ret = LDAP_SUCCESS; +- } +- } + } ++ ASN1_OCTET_STRING_free(ip); ++ } + +- if( ret == LDAP_LOCAL_ERROR ) { +- Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " +- "common name in certificate (%.*s).\n", +- name, cn->length, cn->data ); +- ret = LDAP_CONNECT_ERROR; +- if ( ld->ld_error ) { +- LDAP_FREE( ld->ld_error ); +- } +- ld->ld_error = LDAP_STRDUP( +- _("TLS: hostname does not match CN in peer certificate")); ++ if( ret == LDAP_LOCAL_ERROR ) { ++ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match " ++ "peer certificate.\n", name, 0, 0); ++ ret = LDAP_CONNECT_ERROR; ++ if ( ld->ld_error ) { ++ LDAP_FREE( ld->ld_error ); + } ++ ld->ld_error = LDAP_STRDUP( ++ _("TLS: hostname does not match peer certificate")); + } + X509_free(x); + return ret; diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec index be01b99..61140f2 100644 --- a/SPECS/openldap.spec +++ b/SPECS/openldap.spec @@ -5,7 +5,7 @@ Name: openldap Version: 2.4.46 -Release: 10%{?dist} +Release: 11%{?dist} Summary: LDAP support libraries License: OpenLDAP URL: http://www.openldap.org/ @@ -37,7 +37,7 @@ Patch20: openldap-ldapi-sasl.patch Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch Patch24: openldap-openssl-manpage-defaultCA.patch -Patch25: openldap-tlso-dont-check-cn-when-bad-san.patch +Patch25: openldap-tlso-use-openssl-api-to-verify-host.patch # check-password module specific patches Patch90: check-password-makefile.patch @@ -487,6 +487,9 @@ exit 0 %{_mandir}/man3/* %changelog +* Wed Jan 15 2020 Matus Honek - 2.4.46-11 +- Use OpenSSL-1.0.2+ API for host name verification (#1788572) + * Sun Aug 18 2019 Matus Honek - 2.4.46-10 - Do not fallback to checking CN when no SAN matched (#1740070)