[pkg-java] r16374 - in trunk/axis/debian: . patches
Andreas Tille
tille at alioth.debian.org
Fri Dec 7 08:30:03 UTC 2012
Author: tille
Date: 2012-12-07 08:30:03 +0000 (Fri, 07 Dec 2012)
New Revision: 16374
Modified:
trunk/axis/debian/changelog
trunk/axis/debian/patches/06-fix-CVE-2012-5784.patch
Log:
Really fix CVE-2012-5784 (Closes: #692650)
Modified: trunk/axis/debian/changelog
===================================================================
--- trunk/axis/debian/changelog 2012-12-05 22:13:39 UTC (rev 16373)
+++ trunk/axis/debian/changelog 2012-12-07 08:30:03 UTC (rev 16374)
@@ -1,3 +1,12 @@
+axis (1.4-16.2) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Fix CVE-2012-5784 (Closes: #692650)
+ * Fix CN extraction from DN of X500 principal.
+ * Fix wildcard validation on ssl connections
+
+ -- Alberto Fernández Martínez <infjaf at gmail.com> Thu, 6 Dec 2012 14:28:00 +0100
+
axis (1.4-16.1) unstable; urgency=low
* Non-maintainer upload.
Modified: trunk/axis/debian/patches/06-fix-CVE-2012-5784.patch
===================================================================
--- trunk/axis/debian/patches/06-fix-CVE-2012-5784.patch 2012-12-05 22:13:39 UTC (rev 16373)
+++ trunk/axis/debian/patches/06-fix-CVE-2012-5784.patch 2012-12-07 08:30:03 UTC (rev 16374)
@@ -1,25 +1,33 @@
-Description: Validates the hostname requested is the same in the certificate in ssl-connections
- Fixes CVE-2012-5784, validates hostname certificate in SSL connections.
- Backported from http-client 4, and from Apache Synapse (plus some bugfixes).
+Description: Fixed CN extraction from DN of X500 principal and wildcard validation
-Author: Alberto Fernandez <infjaf at gmail.com>
-Bug-Debian: http://bugs.debian.org/692650
-Forwarded: no
+ axis (1.4-16.2) unstable; urgency=low
+ * Fixed CN extraction from DN of X500 principal and wildcard validation
+Author: Alberto Fernández Martínez <infjaf at gmail.com>
+
+Origin: other
+Bug-Debian: http://bugs.debian.org/692650
+Forwarded: https://issues.apache.org/jira/browse/AXIS-2883
+Last-Update: <2012-12-06>
+
--- axis-1.4.orig/src/org/apache/axis/components/net/JSSESocketFactory.java
+++ axis-1.4/src/org/apache/axis/components/net/JSSESocketFactory.java
-@@ -19,6 +19,8 @@ import org.apache.axis.utils.Messages;
- import org.apache.axis.utils.XMLUtils;
- import org.apache.axis.utils.StringUtils;
+@@ -15,12 +15,6 @@
+ */
+ package org.apache.axis.components.net;
-+import javax.net.ssl.SSLException;
-+import javax.net.ssl.SSLSession;
- import javax.net.ssl.SSLSocket;
- import javax.net.ssl.SSLSocketFactory;
+-import org.apache.axis.utils.Messages;
+-import org.apache.axis.utils.XMLUtils;
+-import org.apache.axis.utils.StringUtils;
+-
+-import javax.net.ssl.SSLSocket;
+-import javax.net.ssl.SSLSocketFactory;
import java.io.BufferedWriter;
-@@ -28,7 +30,15 @@ import java.io.OutputStream;
+ import java.io.IOException;
+ import java.io.InputStream;
+@@ -28,7 +22,27 @@ import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.Socket;
@@ -32,10 +40,22 @@
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
++import java.util.Locale;
++import java.util.StringTokenizer;
++import java.util.regex.Pattern;
++
++import javax.net.ssl.SSLException;
++import javax.net.ssl.SSLSession;
++import javax.net.ssl.SSLSocket;
++import javax.net.ssl.SSLSocketFactory;
++
++import org.apache.axis.utils.Messages;
++import org.apache.axis.utils.StringUtils;
++import org.apache.axis.utils.XMLUtils;
/**
-@@ -41,6 +51,10 @@ import java.util.Hashtable;
+@@ -41,6 +55,10 @@ import java.util.Hashtable;
*/
public class JSSESocketFactory extends DefaultSocketFactory implements SecureSocketFactory {
@@ -46,7 +66,7 @@
/** Field sslFactory */
protected SSLSocketFactory sslFactory = null;
-@@ -187,6 +201,255 @@ public class JSSESocketFactory extends D
+@@ -187,6 +205,260 @@ public class JSSESocketFactory extends D
if (log.isDebugEnabled()) {
log.debug(Messages.getMessage("createdSSL00"));
}
@@ -104,7 +124,7 @@
+ }
+
+ Certificate[] certs = session.getPeerCertificates();
-+ verifyHostName(host.trim().toLowerCase(), (X509Certificate) certs[0]);
++ verifyHostName(host.trim().toLowerCase(Locale.US), (X509Certificate) certs[0]);
+ }
+ /**
+ * Extract the names from the certificate and tests host matches one of them
@@ -121,7 +141,7 @@
+
+ String cn = getCN(cert);
+ String[] subjectAlts = getDNSSubjectAlts(cert);
-+ verifyHostName(host, cn.toLowerCase(), subjectAlts);
++ verifyHostName(host, cn.toLowerCase(Locale.US), subjectAlts);
+
+ }
+
@@ -174,7 +194,7 @@
+ for (int i = 0; i < subjectAlts.length; i++){
+ String name = subjectAlts[i];
+ if (name != null) {
-+ name = name.toLowerCase();
++ name = name.toLowerCase(Locale.US);
+ if (verifyHostName(host, name)){
+ return;
+ }
@@ -191,44 +211,41 @@
+ }
+
+ private static boolean verifyHostName(final String host, final String cn){
-+ if (doWildCard(cn)) {
++ if (doWildCard(cn) && !isIPAddress(host)) {
+ return matchesWildCard(cn, host);
+ }
-+ return host.equalsIgnoreCase(cn);
++ return host.equalsIgnoreCase(cn);
+ }
+ private static boolean doWildCard(String cn) {
+ // Contains a wildcard
+ // wildcard in the first block
+ // not an ipaddress (ip addres must explicitily be equal)
+ // not using 2nd level common tld : ex: not for *.co.uk
-+ return
-+ cn.indexOf("*.")>=0 &&
-+ cn.indexOf('.') > cn.indexOf("*.") &&
-+ !isIPAddress(cn) &&
-+ acceptableCountryWildcard(cn);
++ String parts[] = cn.split("\\.");
++ return parts.length >= 3 &&
++ parts[0].endsWith("*") &&
++ acceptableCountryWildcard(cn) &&
++ !isIPAddress(cn);
+ }
+
-+ private static boolean isIPAddress(final String cn) {
-+ // IPv6
-+ if (cn.contains(":")) {
-+ return true;
-+ }
-+ // IPb4
-+ boolean isIP4 = true;
-+ String tld = cn;
-+ int x = cn.lastIndexOf('.');
-+ // We only bother analyzing the characters after the final dot
-+ // in the name.
-+ if (x >= 0 && x + 1 < cn.length()) {
-+ tld = cn.substring(x + 1);
-+ }
-+ for (int i = 0; i < tld.length(); i++) {
-+ if (!Character.isDigit(tld.charAt(0))) {
-+ isIP4 = false;
-+ break;
-+ }
-+ }
-+ return isIP4;
++ private static final Pattern IPV4_PATTERN =
++ Pattern.compile("^(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)(\\.(25[0-5]|2[0-4]\\d|[0-1]?\\d?\\d)){3}$");
++
++ private static final Pattern IPV6_STD_PATTERN =
++ Pattern.compile("^(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$");
++
++ private static final Pattern IPV6_HEX_COMPRESSED_PATTERN =
++ Pattern.compile("^((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)::((?:[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{1,4})*)?)$");
++
++
++ private static boolean isIPAddress(final String hostname) {
++ return hostname != null
++ && (
++ IPV4_PATTERN.matcher(hostname).matches()
++ || IPV6_STD_PATTERN.matcher(hostname).matches()
++ || IPV6_HEX_COMPRESSED_PATTERN.matcher(hostname).matches()
++ );
++
+ }
+
+ private static boolean acceptableCountryWildcard(final String cn) {
@@ -251,14 +268,15 @@
+ final String hostName) {
+ String parts[] = cn.split("\\.");
+ boolean match = false;
-+ if (parts[0].length() > 1) {
++ String firstpart = parts[0];
++ if (firstpart.length() > 1) {
+ // server∗
-+ String prefix = parts[0].substring(0, parts[0].length() - 2);
+ // e.g. server
-+ String suffix = cn.substring(parts[0].length());
++ String prefix = firstpart.substring(0, firstpart.length() - 1);
+ // skipwildcard part from cn
-+ String hostSuffix = hostName.substring(prefix.length());
++ String suffix = cn.substring(firstpart.length());
+ // skip wildcard part from host
++ String hostSuffix = hostName.substring(prefix.length());
+ match = hostName.startsWith(prefix) && hostSuffix.endsWith(suffix);
+ } else {
+ match = hostName.endsWith(cn.substring(1));
@@ -281,6 +299,7 @@
+ return dots;
+ }
+
++
+ private static String getCN(X509Certificate cert) {
+ // Note: toString() seems to do a better job than getName()
+ //
@@ -290,15 +309,21 @@
+ // whereas toString() gives me this:
+ // EMAILADDRESS=juliusdavies at cucbc.com
+ String subjectPrincipal = cert.getSubjectX500Principal().toString();
-+ int x = subjectPrincipal.indexOf("CN=");
-+ if (x >= 0) {
-+ int y = subjectPrincipal.indexOf(',', x);
-+ // If there are no more commas, then CN= is the last entry.
-+ y = (y >= 0) ? y : subjectPrincipal.length();
-+ return subjectPrincipal.substring(x + 3, y);
-+ } else {
-+ return null;
++
++ return getCN(subjectPrincipal);
++
++ }
++ private static String getCN(String subjectPrincipal) {
++ StringTokenizer st = new StringTokenizer(subjectPrincipal, ",");
++ while(st.hasMoreTokens()) {
++ String tok = st.nextToken().trim();
++ if (tok.length() > 3) {
++ if (tok.substring(0, 3).equalsIgnoreCase("CN=")) {
++ return tok.substring(3);
++ }
++ }
+ }
++ return null;
+ }
+
}
More information about the pkg-java-commits
mailing list