From 92cbe1bdd585fb4dd747343388c04530f78a6ad0 Mon Sep 17 00:00:00 2001 From: Mike Frysinger Date: Fri, 26 Nov 2010 22:51:08 +0000 Subject: Add patch from upstream for SSL SAE #344939 by Michał Górny. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (Portage version: 2.2.0_alpha5/cvs/Linux x86_64) --- net-misc/wget/ChangeLog | 8 +- net-misc/wget/files/wget-1.12-sae.patch | 224 ++++++++++++++++++++++++++++++++ net-misc/wget/wget-1.12-r3.ebuild | 77 +++++++++++ 3 files changed, 308 insertions(+), 1 deletion(-) create mode 100644 net-misc/wget/files/wget-1.12-sae.patch create mode 100644 net-misc/wget/wget-1.12-r3.ebuild (limited to 'net-misc') diff --git a/net-misc/wget/ChangeLog b/net-misc/wget/ChangeLog index 1bb923bbe815..46200b95933a 100644 --- a/net-misc/wget/ChangeLog +++ b/net-misc/wget/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for net-misc/wget # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-misc/wget/ChangeLog,v 1.130 2010/09/19 17:50:58 armin76 Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-misc/wget/ChangeLog,v 1.131 2010/11/26 22:51:07 vapier Exp $ + +*wget-1.12-r3 (26 Nov 2010) + + 26 Nov 2010; Mike Frysinger +wget-1.12-r3.ebuild, + +files/wget-1.12-sae.patch: + Add patch from upstream for SSL SAE #344939 by Michał Górny. 19 Sep 2010; Raúl Porcel wget-1.12-r2.ebuild: s390 stable wrt #329941 diff --git a/net-misc/wget/files/wget-1.12-sae.patch b/net-misc/wget/files/wget-1.12-sae.patch new file mode 100644 index 000000000000..1d3d456d6be1 --- /dev/null +++ b/net-misc/wget/files/wget-1.12-sae.patch @@ -0,0 +1,224 @@ +http://bugs.gentoo.org/344939 + +upstream commit 2317 + +2009-10-24 Petr Pisar + + * openssl.c: Implement support for (multiple) subjectAltNames in + X509 certificates, not just the commonName. + +--- src/openssl.c 2009-09-22 16:16:43 +0000 ++++ src/openssl.c 2009-10-24 23:06:44 +0000 +@@ -39,7 +39,7 @@ + #include + + #include +-#include ++#include + #include + #include + +@@ -486,9 +486,11 @@ + ssl_check_certificate (int fd, const char *host) + { + X509 *cert; ++ GENERAL_NAMES *subjectAltNames; + char common_name[256]; + long vresult; + bool success = true; ++ bool alt_name_checked = false; + + /* If the user has specified --no-check-cert, we still want to warn + him about problems with the server's certificate. */ +@@ -536,7 +538,8 @@ + break; + case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: +- logprintf (LOG_NOTQUIET, _(" Self-signed certificate encountered.\n")); ++ logprintf (LOG_NOTQUIET, ++ _(" Self-signed certificate encountered.\n")); + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + logprintf (LOG_NOTQUIET, _(" Issued certificate not yet valid.\n")); +@@ -558,10 +561,6 @@ + /* Check that HOST matches the common name in the certificate. + #### The following remains to be done: + +- - It should use dNSName/ipAddress subjectAltName extensions if +- available; according to rfc2818: "If a subjectAltName extension +- of type dNSName is present, that MUST be used as the identity." +- + - When matching against common names, it should loop over all + common names and choose the most specific one, i.e. the last + one, not the first one, which the current code picks. +@@ -569,50 +568,123 @@ + - Ensure that ASN1 strings from the certificate are encoded as + UTF-8 which can be meaningfully compared to HOST. */ + +- X509_NAME *xname = X509_get_subject_name(cert); +- common_name[0] = '\0'; +- X509_NAME_get_text_by_NID (xname, NID_commonName, common_name, +- sizeof (common_name)); ++ subjectAltNames = X509_get_ext_d2i (cert, NID_subject_alt_name, NULL, NULL); + +- if (!pattern_match (common_name, host)) ++ if (subjectAltNames) + { +- logprintf (LOG_NOTQUIET, _("\ +-%s: certificate common name %s doesn't match requested host name %s.\n"), +- severity, quote_n (0, common_name), quote_n (1, host)); +- success = false; ++ /* Test subject alternative names */ ++ ++ /* Do we want to check for dNSNAmes or ipAddresses (see RFC 2818)? ++ * Signal it by host_in_octet_string. */ ++ ASN1_OCTET_STRING *host_in_octet_string = NULL; ++ host_in_octet_string = a2i_IPADDRESS (host); ++ ++ int numaltnames = sk_GENERAL_NAME_num (subjectAltNames); ++ int i; ++ for (i=0; i < numaltnames; i++) ++ { ++ const GENERAL_NAME *name = ++ sk_GENERAL_NAME_value (subjectAltNames, i); ++ if (name) ++ { ++ if (host_in_octet_string) ++ { ++ if (name->type == GEN_IPADD) ++ { ++ /* Check for ipAddress */ ++ /* TODO: Should we convert between IPv4-mapped IPv6 ++ * addresses and IPv4 addresses? */ ++ alt_name_checked = true; ++ if (!ASN1_STRING_cmp (host_in_octet_string, ++ name->d.iPAddress)) ++ break; ++ } ++ } ++ else if (name->type == GEN_DNS) ++ { ++ /* Check for dNSName */ ++ alt_name_checked = true; ++ /* dNSName should be IA5String (i.e. ASCII), however who ++ * does trust CA? Convert it into UTF-8 for sure. */ ++ unsigned char *name_in_utf8 = NULL; ++ if (0 <= ASN1_STRING_to_UTF8 (&name_in_utf8, name->d.dNSName)) ++ { ++ /* Compare and check for NULL attack in ASN1_STRING */ ++ if (pattern_match ((char *)name_in_utf8, host) && ++ (strlen ((char *)name_in_utf8) == ++ ASN1_STRING_length (name->d.dNSName))) ++ { ++ OPENSSL_free (name_in_utf8); ++ break; ++ } ++ OPENSSL_free (name_in_utf8); ++ } ++ } ++ } ++ } ++ sk_GENERAL_NAME_free (subjectAltNames); ++ if (host_in_octet_string) ++ ASN1_OCTET_STRING_free(host_in_octet_string); ++ ++ if (alt_name_checked == true && i >= numaltnames) ++ { ++ logprintf (LOG_NOTQUIET, ++ _("%s: no certificate subject alternative name matches\n" ++ "\trequested host name %s.\n"), ++ severity, quote_n (1, host)); ++ success = false; ++ } + } +- else ++ ++ if (alt_name_checked == false) + { +- /* We now determine the length of the ASN1 string. If it differs from +- * common_name's length, then there is a \0 before the string terminates. +- * This can be an instance of a null-prefix attack. +- * +- * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike +- * */ +- +- int i = -1, j; +- X509_NAME_ENTRY *xentry; +- ASN1_STRING *sdata; +- +- if (xname) { +- for (;;) +- { +- j = X509_NAME_get_index_by_NID (xname, NID_commonName, i); +- if (j == -1) break; +- i = j; ++ /* Test commomName */ ++ X509_NAME *xname = X509_get_subject_name(cert); ++ common_name[0] = '\0'; ++ X509_NAME_get_text_by_NID (xname, NID_commonName, common_name, ++ sizeof (common_name)); ++ ++ if (!pattern_match (common_name, host)) ++ { ++ logprintf (LOG_NOTQUIET, _("\ ++ %s: certificate common name %s doesn't match requested host name %s.\n"), ++ severity, quote_n (0, common_name), quote_n (1, host)); ++ success = false; ++ } ++ else ++ { ++ /* We now determine the length of the ASN1 string. If it ++ * differs from common_name's length, then there is a \0 ++ * before the string terminates. This can be an instance of a ++ * null-prefix attack. ++ * ++ * https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike ++ * */ ++ ++ int i = -1, j; ++ X509_NAME_ENTRY *xentry; ++ ASN1_STRING *sdata; ++ ++ if (xname) { ++ for (;;) ++ { ++ j = X509_NAME_get_index_by_NID (xname, NID_commonName, i); ++ if (j == -1) break; ++ i = j; ++ } + } +- } + +- xentry = X509_NAME_get_entry(xname,i); +- sdata = X509_NAME_ENTRY_get_data(xentry); +- if (strlen (common_name) != ASN1_STRING_length (sdata)) +- { +- logprintf (LOG_NOTQUIET, _("\ +-%s: certificate common name is invalid (contains a NUL character).\n\ +-This may be an indication that the host is not who it claims to be\n\ +-(that is, it is not the real %s).\n"), +- severity, quote (host)); +- success = false; ++ xentry = X509_NAME_get_entry(xname,i); ++ sdata = X509_NAME_ENTRY_get_data(xentry); ++ if (strlen (common_name) != ASN1_STRING_length (sdata)) ++ { ++ logprintf (LOG_NOTQUIET, _("\ ++ %s: certificate common name is invalid (contains a NUL character).\n\ ++ This may be an indication that the host is not who it claims to be\n\ ++ (that is, it is not the real %s).\n"), ++ severity, quote (host)); ++ success = false; ++ } + } + } + +@@ -631,3 +703,7 @@ + /* Allow --no-check-cert to disable certificate checking. */ + return opt.check_cert ? success : true; + } ++ ++/* ++ * vim: tabstop=2 shiftwidth=2 softtabstop=2 ++ */ + diff --git a/net-misc/wget/wget-1.12-r3.ebuild b/net-misc/wget/wget-1.12-r3.ebuild new file mode 100644 index 000000000000..232f65192896 --- /dev/null +++ b/net-misc/wget/wget-1.12-r3.ebuild @@ -0,0 +1,77 @@ +# Copyright 1999-2010 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-misc/wget/wget-1.12-r3.ebuild,v 1.1 2010/11/26 22:51:07 vapier Exp $ + +EAPI="2" + +inherit eutils flag-o-matic + +DESCRIPTION="Network utility to retrieve files from the WWW" +HOMEPAGE="http://www.gnu.org/software/wget/" +SRC_URI="mirror://gnu/wget/${P}.tar.bz2" + +LICENSE="GPL-3" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd" +IUSE="debug idn ipv6 nls ntlm +ssl static" + +RDEPEND="idn? ( net-dns/libidn ) + ssl? ( >=dev-libs/openssl-0.9.6b )" +DEPEND="${RDEPEND} + nls? ( sys-devel/gettext )" + +pkg_setup() { + if ! use ssl && use ntlm ; then + elog "USE=ntlm requires USE=ssl, so disabling ntlm support due to USE=-ssl" + fi +} + +src_prepare() { + epatch "${FILESDIR}"/${PN}-1.12-linking.patch + epatch "${FILESDIR}"/${PN}-1.12-sni.patch #301312 + epatch "${FILESDIR}"/${P}-debug-tests.patch #286173 + epatch "${FILESDIR}"/${P}-CVE-2010-2252.patch #329941 + epatch "${FILESDIR}"/${P}-sae.patch #344939 +} + +src_configure() { + # openssl-0.9.8 now builds with -pthread on the BSD's + use elibc_FreeBSD && use ssl && append-ldflags -pthread + + use static && append-ldflags -static + econf \ + --disable-rpath \ + $(use_with ssl) $(use_enable ssl opie) $(use_enable ssl digest) \ + $(use_enable idn iri) \ + $(use_enable ipv6) \ + $(use_enable nls) \ + $(use ssl && use_enable ntlm) \ + $(use_enable debug) +} + +src_install() { + emake DESTDIR="${D}" install || die + dodoc AUTHORS ChangeLog* MAILING-LIST NEWS README + dodoc doc/sample.wgetrc + + use ipv6 && cat "${FILESDIR}"/wgetrc-ipv6 >> "${D}"/etc/wgetrc + + sed -i \ + -e 's:/usr/local/etc:/etc:g' \ + "${D}"/etc/wgetrc \ + "${D}"/usr/share/man/man1/wget.1 \ + "${D}"/usr/share/info/wget.info +} + +pkg_preinst() { + ewarn "The /etc/wget/wgetrc file has been relocated to /etc/wgetrc" + if [[ -e ${ROOT}/etc/wget/wgetrc ]] ; then + if [[ -e ${ROOT}/etc/wgetrc ]] ; then + ewarn "You have both /etc/wget/wgetrc and /etc/wgetrc ... you should delete the former" + else + einfo "Moving /etc/wget/wgetrc to /etc/wgetrc for you" + mv "${ROOT}"/etc/wget/wgetrc "${ROOT}"/etc/wgetrc + rmdir "${ROOT}"/etc/wget 2>/dev/null + fi + fi +} -- cgit v1.2.3-65-gdbad