aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPeter Wemm <peter@FreeBSD.org>2014-08-11 19:20:30 +0000
committerPeter Wemm <peter@FreeBSD.org>2014-08-11 19:20:30 +0000
commitb907131b5fff33b1842789f9dd77f77e61f8d7d1 (patch)
tree6d85cdd02f1ee2a4d8ab1d5406b7ad7acb553ec5
parentb42ed207213a85ee3a7aa59fdb3d32627c2aadea (diff)
downloadsrc-b907131b5fff33b1842789f9dd77f77e61f8d7d1.tar.gz
src-b907131b5fff33b1842789f9dd77f77e61f8d7d1.zip
Import serf-1.3.7vendor/serf/serf-1.3.7
Notes
Notes: svn path=/vendor/serf/dist/; revision=269831 svn path=/vendor/serf/serf-1.3.7/; revision=269832; tag=vendor/serf/serf-1.3.7
-rw-r--r--CHANGES7
-rw-r--r--buckets/ssl_buckets.c183
-rw-r--r--serf.h2
3 files changed, 153 insertions, 39 deletions
diff --git a/CHANGES b/CHANGES
index 441eb1edf630..6d39b0c5c096 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,8 +1,11 @@
-Serf 1.3.6 [2014-06-09, from /tags/1.3.6, rxxxx]
+Serf 1.3.7 [2014-08-11, from /tags/1.3.7, r2411]
+ Handle NUL bytes in fields of an X.509 certificate. (r2393, r2399)
+
+Serf 1.3.6 [2014-06-09, from /tags/1.3.6, r2372]
Revert r2319 from serf 1.3.5: this change was making serf call handle_response
multiple times in case of an error response, leading to unexpected behavior.
-Serf 1.3.5 [2014-04-27, from /tags/1.3.5, rxxxx]
+Serf 1.3.5 [2014-04-27, from /tags/1.3.5, r2355]
Fix issue #125: no reverse lookup during Negotiate authentication for proxies.
Fix a crash caused by incorrect reuse of the ssltunnel CONNECT request (r2316)
Cancel request if response parsing failed + authn callback set (r2319)
diff --git a/buckets/ssl_buckets.c b/buckets/ssl_buckets.c
index 1a27d3f8e4fe..d2fe51d71501 100644
--- a/buckets/ssl_buckets.c
+++ b/buckets/ssl_buckets.c
@@ -202,6 +202,8 @@ struct serf_ssl_certificate_t {
};
static void disable_compression(serf_ssl_context_t *ssl_ctx);
+static char *
+ pstrdup_escape_nul_bytes(const char *buf, int len, apr_pool_t *pool);
#if SSL_VERBOSE
/* Log all ssl alerts that we receive from the server. */
@@ -427,6 +429,85 @@ static BIO_METHOD bio_file_method = {
#endif
};
+typedef enum san_copy_t {
+ EscapeNulAndCopy = 0,
+ ErrorOnNul = 1,
+} san_copy_t;
+
+
+static apr_status_t
+get_subject_alt_names(apr_array_header_t **san_arr, X509 *ssl_cert,
+ san_copy_t copy_action, apr_pool_t *pool)
+{
+ STACK_OF(GENERAL_NAME) *names;
+
+ /* assert: copy_action == ErrorOnNul || (san_arr && pool) */
+
+ if (san_arr) {
+ *san_arr = NULL;
+ }
+
+ /* Get subjectAltNames */
+ names = X509_get_ext_d2i(ssl_cert, NID_subject_alt_name, NULL, NULL);
+ if (names) {
+ int names_count = sk_GENERAL_NAME_num(names);
+ int name_idx;
+
+ if (san_arr)
+ *san_arr = apr_array_make(pool, names_count, sizeof(char*));
+ for (name_idx = 0; name_idx < names_count; name_idx++) {
+ char *p = NULL;
+ GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, name_idx);
+
+ switch (nm->type) {
+ case GEN_DNS:
+ if (copy_action == ErrorOnNul &&
+ strlen(nm->d.ia5->data) != nm->d.ia5->length)
+ return SERF_ERROR_SSL_CERT_FAILED;
+ if (san_arr && *san_arr)
+ p = pstrdup_escape_nul_bytes((const char *)nm->d.ia5->data,
+ nm->d.ia5->length,
+ pool);
+ break;
+ default:
+ /* Don't know what to do - skip. */
+ break;
+ }
+
+ if (p) {
+ APR_ARRAY_PUSH(*san_arr, char*) = p;
+ }
+ }
+ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+ }
+
+ return APR_SUCCESS;
+}
+
+static apr_status_t validate_cert_hostname(X509 *server_cert, apr_pool_t *pool)
+{
+ char buf[1024];
+ int length;
+ apr_status_t ret;
+
+ ret = get_subject_alt_names(NULL, server_cert, ErrorOnNul, NULL);
+ if (ret) {
+ return ret;
+ } else {
+ /* Fail if the subject's CN field contains \0 characters. */
+ X509_NAME *subject = X509_get_subject_name(server_cert);
+ if (!subject)
+ return SERF_ERROR_SSL_CERT_FAILED;
+
+ length = X509_NAME_get_text_by_NID(subject, NID_commonName, buf, 1024);
+ if (length != -1)
+ if (strlen(buf) != length)
+ return SERF_ERROR_SSL_CERT_FAILED;
+ }
+
+ return APR_SUCCESS;
+}
+
static int
validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
{
@@ -435,6 +516,7 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
X509 *server_cert;
int err, depth;
int failures = 0;
+ apr_status_t status;
ssl = X509_STORE_CTX_get_ex_data(store_ctx,
SSL_get_ex_data_X509_STORE_CTX_idx());
@@ -475,6 +557,11 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
}
}
+ /* Validate hostname */
+ status = validate_cert_hostname(server_cert, ctx->pool);
+ if (status)
+ failures |= SERF_SSL_CERT_UNKNOWN_FAILURE;
+
/* Check certificate expiry dates. */
if (X509_cmp_current_time(X509_get_notBefore(server_cert)) >= 0) {
failures |= SERF_SSL_CERT_NOTYETVALID;
@@ -485,7 +572,6 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
if (ctx->server_cert_callback &&
(depth == 0 || failures)) {
- apr_status_t status;
serf_ssl_certificate_t *cert;
apr_pool_t *subpool;
@@ -512,7 +598,6 @@ validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
if (ctx->server_cert_chain_callback
&& (depth == 0 || failures)) {
- apr_status_t status;
STACK_OF(X509) *chain;
const serf_ssl_certificate_t **certs;
int certs_len;
@@ -1461,7 +1546,50 @@ serf_ssl_context_t *serf_bucket_ssl_encrypt_context_get(
/* Functions to read a serf_ssl_certificate structure. */
-/* Creates a hash_table with keys (E, CN, OU, O, L, ST and C). */
+/* Takes a counted length string and escapes any NUL bytes so that
+ * it can be used as a C string. NUL bytes are escaped as 3 characters
+ * "\00" (that's a literal backslash).
+ * The returned string is allocated in POOL.
+ */
+static char *
+pstrdup_escape_nul_bytes(const char *buf, int len, apr_pool_t *pool)
+{
+ int i, nul_count = 0;
+ char *ret;
+
+ /* First determine if there are any nul bytes in the string. */
+ for (i = 0; i < len; i++) {
+ if (buf[i] == '\0')
+ nul_count++;
+ }
+
+ if (nul_count == 0) {
+ /* There aren't so easy case to just copy the string */
+ ret = apr_pstrdup(pool, buf);
+ } else {
+ /* There are so we have to replace nul bytes with escape codes
+ * Proper length is the length of the original string, plus
+ * 2 times the number of nulls (for two digit hex code for
+ * the value) + the trailing null. */
+ char *pos;
+ ret = pos = apr_palloc(pool, len + 2 * nul_count + 1);
+ for (i = 0; i < len; i++) {
+ if (buf[i] != '\0') {
+ *(pos++) = buf[i];
+ } else {
+ *(pos++) = '\\';
+ *(pos++) = '0';
+ *(pos++) = '0';
+ }
+ }
+ *pos = '\0';
+ }
+
+ return ret;
+}
+
+/* Creates a hash_table with keys (E, CN, OU, O, L, ST and C). Any NUL bytes in
+ these fields in the certificate will be escaped as \00. */
static apr_hash_t *
convert_X509_NAME_to_table(X509_NAME *org, apr_pool_t *pool)
{
@@ -1474,37 +1602,44 @@ convert_X509_NAME_to_table(X509_NAME *org, apr_pool_t *pool)
NID_commonName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "CN", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "CN", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_pkcs9_emailAddress,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "E", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "E", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_organizationalUnitName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "OU", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "OU", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_organizationName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "O", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "O", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_localityName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "L", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "L", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_stateOrProvinceName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "ST", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "ST", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
ret = X509_NAME_get_text_by_NID(org,
NID_countryName,
buf, 1024);
if (ret != -1)
- apr_hash_set(tgt, "C", APR_HASH_KEY_STRING, apr_pstrdup(pool, buf));
+ apr_hash_set(tgt, "C", APR_HASH_KEY_STRING,
+ pstrdup_escape_nul_bytes(buf, ret, pool));
return tgt;
}
@@ -1550,7 +1685,7 @@ apr_hash_t *serf_ssl_cert_certificate(
unsigned int md_size, i;
unsigned char md[EVP_MAX_MD_SIZE];
BIO *bio;
- STACK_OF(GENERAL_NAME) *names;
+ apr_array_header_t *san_arr;
/* sha1 fingerprint */
if (X509_digest(cert->ssl_cert, EVP_sha1(), md, &md_size)) {
@@ -1595,32 +1730,8 @@ apr_hash_t *serf_ssl_cert_certificate(
BIO_free(bio);
/* Get subjectAltNames */
- names = X509_get_ext_d2i(cert->ssl_cert, NID_subject_alt_name, NULL, NULL);
- if (names) {
- int names_count = sk_GENERAL_NAME_num(names);
-
- apr_array_header_t *san_arr = apr_array_make(pool, names_count,
- sizeof(char*));
+ if (!get_subject_alt_names(&san_arr, cert->ssl_cert, EscapeNulAndCopy, pool))
apr_hash_set(tgt, "subjectAltName", APR_HASH_KEY_STRING, san_arr);
- for (i = 0; i < names_count; i++) {
- char *p = NULL;
- GENERAL_NAME *nm = sk_GENERAL_NAME_value(names, i);
-
- switch (nm->type) {
- case GEN_DNS:
- p = apr_pstrmemdup(pool, (const char *)nm->d.ia5->data,
- nm->d.ia5->length);
- break;
- default:
- /* Don't know what to do - skip. */
- break;
- }
- if (p) {
- APR_ARRAY_PUSH(san_arr, char*) = p;
- }
- }
- sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
- }
return tgt;
}
diff --git a/serf.h b/serf.h
index d3ac2f3548de..f6f34a7c7ddd 100644
--- a/serf.h
+++ b/serf.h
@@ -1062,7 +1062,7 @@ void serf_debug__bucket_alloc_check(
/* Version info */
#define SERF_MAJOR_VERSION 1
#define SERF_MINOR_VERSION 3
-#define SERF_PATCH_VERSION 6
+#define SERF_PATCH_VERSION 7
/* Version number string */
#define SERF_VERSION_STRING APR_STRINGIFY(SERF_MAJOR_VERSION) "." \