author | Erik Trauschke <Erik.Trauschke@oracle.com> |
Wed, 28 Aug 2013 13:41:11 -0700 | |
changeset 1456 | b367e3ae9667 |
permissions | -rw-r--r-- |
17085362 pyopenssl should be updated to 0.13
# |
# This patch contains the fixes for CVE-2013-4073 (NULL bytes in subjectAltName |
# not correctly interpreted). |
# The patch was taken from: |
# https://code.launchpad.net/~heimes/pyopenssl/pyopenssl/+merge/179673 |
# and modified to fit the 0.13 release code (original fix was based off tip |
# code in pyopenssl repo). |
# |
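--- pyOpenSSL-0.13/ChangeLog 2011-09-02 08:46:13.000000000 -0700
+++ pyOpenSSL-0.13/ChangeLog 2013-08-26 14:40:43.941191227 -0700
@@ -1,3 +1,9 @@
+2013-08-11 Christian Heimes <[email protected]>
+
+ * OpenSSL/crypto/x509ext.c: Fix handling of NULL bytes inside
+ subjectAltName general names, CVE-2013-4073.
+ * OpenSSL/crypto/x509.c: Fix memory leak in get_extension().
+
 2011-09-02 Jean-Paul Calderone <[email protected]>
 
 * Release 0.13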
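--- pyOpenSSL-0.13/OpenSSL/crypto/x509.c 2011-09-02 08:46:13.000000000 -0700
+++ pyOpenSSL-0.13/OpenSSL/crypto/x509.c 2013-08-26 14:41:34.379545946 -0700
@@ -756,6 +756,7 @@
 
 extobj = PyObject_New(crypto_X509ExtensionObj, &crypto_X509Extension_Type);
 extobj->x509_extension = X509_EXTENSION_dup(ext);
+ extobj->dealloc = 1;
 
 return (PyObject*)extobj;
 }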
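Review bot: Neither allocation around the new `extobj->dealloc = 1;` is checked: `PyObject_New` can return NULL and is dereferenced on the next line, and a NULL from `X509_EXTENSION_dup(ext)` is stored and returned to Python. With this patch the string conversion in x509ext.c reads `self->x509_extension->object`, so a failed dup would presumably become a NULL dereference there. I would add `if (extobj == NULL) return NULL;` after the allocation and, when the dup returns NULL, release the object and raise through `exception_from_error_queue(crypto_Error)`. The function starts above this hunk, so any earlier checks are not visible here.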
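--- pyOpenSSL-0.13/OpenSSL/crypto/x509ext.c 2011-09-02 08:46:13.000000000 -0700
+++ pyOpenSSL-0.13/OpenSSL/crypto/x509ext.c 2013-08-26 14:53:08.501972021 -0700
@@ -236,6 +236,75 @@
 PyObject_Del(self);
 }
 
+
+/* Special handling of subjectAltName, see CVE-2013-4073 */
+
+int
+crypto_X509Extension_str_san(crypto_X509ExtensionObj *self, BIO *bio)
+{
+ GENERAL_NAMES *names;
+ const X509V3_EXT_METHOD *method = NULL;
+ long i, length, num;
+ const unsigned char *p;
+
+ method = X509V3_EXT_get(self->x509_extension);
+ if (method == NULL) {
+ return -1;
+ }
+
+ p = self->x509_extension->value->data;
+ length = self->x509_extension->value->length;
+ if (method->it) {
+ names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length,
+ ASN1_ITEM_ptr(method->it)));
+ }
+ else {
+ names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length));
+ }
+ if (names == NULL) {
+ return -1;
+ }
+
+ num = sk_GENERAL_NAME_num(names);
+ for (i = 0; i < num; i++) {
+ GENERAL_NAME *name;
+ ASN1_STRING *as;
+ name = sk_GENERAL_NAME_value(names, i);
+ switch (name->type) {
+ case GEN_EMAIL:
+ BIO_puts(bio, "email:");
+ as = name->d.rfc822Name;
+ BIO_write(bio, ASN1_STRING_data(as),
+ ASN1_STRING_length(as));
+ break;
+ case GEN_DNS:
+ BIO_puts(bio, "DNS:");
+ as = name->d.dNSName;
+ BIO_write(bio, ASN1_STRING_data(as),
+ ASN1_STRING_length(as));
+ break;
+ case GEN_URI:
+ BIO_puts(bio, "URI:");
+ as = name->d.uniformResourceIdentifier;
+ BIO_write(bio, ASN1_STRING_data(as),
+ ASN1_STRING_length(as));
+ break;
+ default:
+ /* use builtin print for GEN_OTHERNAME, GEN_X400,
+ * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
+ */
+ GENERAL_NAME_print(bio, name);
+ }
+ /* trailing ', ' except for last element */
+ if (i < (num - 1)) {
+ BIO_puts(bio, ", ");
+ }
+ }
+ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+
+ return 0;
+}
+
 /*
 * Print a nice text representation of the certificate request.
 */
@@ -247,7 +316,14 @@
 PyObject *str;
 BIO *bio = BIO_new(BIO_s_mem());
 
- if (!X509V3_EXT_print(bio, self->x509_extension, 0, 0))
+ if (OBJ_obj2nid(self->x509_extension->object) == NID_subject_alt_name) {
+ if (crypto_X509Extension_str_san(self, bio) == -1) {
+ BIO_free(bio);
+ exception_from_error_queue(crypto_Error);
+ return NULL;
+ }
+ }
+ else if (!X509V3_EXT_print(bio, self->x509_extension, 0, 0))
 {
 BIO_free(bio);
 exception_from_error_queue(crypto_Error);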
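Review bot: `crypto_X509Extension_str_san` writes the email, DNS and URI bytes to the BIO unescaped and joins entries with `", "`, so a single name whose value contains that separator or a `DNS:` prefix reads the same as several entries in the resulting text. The function should say so above its definition, e.g. `/* Name bytes are written verbatim (including NUL); the text is for display only and must not be parsed for hostname matching. */`. The return values of `BIO_puts`, `BIO_write` and `GENERAL_NAME_print` are also ignored, so a failed write still returns 0 and the caller would build a truncated string. The caller in the second hunk continues past the visible lines, so how the BIO contents are converted to a Python string is not shown here.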
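--- pyOpenSSL-0.13/OpenSSL/test/test_crypto.py 2011-09-02 08:46:13.000000000 -0700
+++ pyOpenSSL-0.13/OpenSSL/test/test_crypto.py 2013-08-26 14:57:06.933614387 -0700
@@ -265,6 +265,37 @@
 -----END RSA PRIVATE KEY-----
 """)
 
+# certificate with NULL bytes in subjectAltName and common name
+
+nullbyte_san_PEM = b("""-----BEGIN CERTIFICATE-----
+MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx
+DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ
+eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg
+RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y
+ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw
+NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI
+DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv
+ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt
+ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq
+hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j
+pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P
+vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv
+KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA
+oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL
+08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV
+HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E
+BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu
+Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251
+bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA
+AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9
+i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j
+HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk
+kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx
+VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW
+RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ=
+-----END CERTIFICATE-----""")
+
 
 class X509ExtTests(TestCase):
 """
@@ -1382,6 +1413,36 @@
 self.assertRaises(TypeError, cert.get_extension, "hello")
 
 
+ def test_nullbyte_san(self):
+ """
+ Test correct handling of CN and SAN with NULL bytes
+
+ see CVE-2013-4073
+ """
+ cert = load_certificate(FILETYPE_PEM, nullbyte_san_PEM)
+ subject = cert.get_subject()
+ self.assertEqual(subject.CN, 'null.python.org\x00example.org')
+ issuer = cert.get_issuer()
+ self.assertEqual(issuer.CN, 'null.python.org\x00example.org')
+
+ ext = cert.get_extension(0)
+ self.assertEqual(ext.get_short_name(), b('basicConstraints'))
+
+ ext = cert.get_extension(1)
+ self.assertEqual(ext.get_short_name(), b('subjectKeyIdentifier'))
+
+ ext = cert.get_extension(2)
+ self.assertEqual(ext.get_short_name(), b('keyUsage'))
+
+ ext = cert.get_extension(3)
+ self.assertEqual(ext.get_short_name(), b('subjectAltName'))
+ self.assertEqual(str(ext),
+ 'DNS:altnull.python.org\x00example.com, '
+ 'email:[email protected]\[email protected], '
+ 'URI:http://null.python.org\x00http://example.org, '
+ 'IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1\n')
+
+
 def test_invalid_digest_algorithm(self):
 """
 L{X509.digest} raises L{ValueError} if called with an unrecognized hash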
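Review bot: The last assertion in `test_nullbyte_san` pins `str(ext)` to one exact string, including the two `IP Address:` entries and the trailing `\n`. Per the comment in x509ext.c those entries are produced by `GENERAL_NAME_print`, not by the new code, so the test presumably depends on the formatting of the linked OpenSSL version. The property under test is that bytes after the NUL survive, which can be asserted on its own, for example `self.assertTrue(str(ext).startswith('DNS:altnull.python.org\x00example.com, '))`, with the IP rendering checked separately or loosely. Nothing here exercises the `-1` path of `crypto_X509Extension_str_san`, so the new error branch in the string conversion is untested.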