ruby-changes:29624
From: shyouhei <ko1@a...>
Date: Thu, 27 Jun 2013 20:22:40 +0900 (JST)
Subject: [ruby-changes:29624] shyouhei:r41676 (ruby_1_8_7): * ext/openssl/lib/openssl/ssl-internal.rb (OpenSSL::SSL#verify_certificate_identity):
shyouhei 2013-06-27 20:22:26 +0900 (Thu, 27 Jun 2013) New Revision: 41676 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=41676 Log: * ext/openssl/lib/openssl/ssl-internal.rb (OpenSSL::SSL#verify_certificate_identity): fix hostname verification. Patch by nahi. * test/openssl/test_ssl.rb (OpenSSL#test_verify_certificate_identity): test for above. Modified files: branches/ruby_1_8_7/ChangeLog branches/ruby_1_8_7/ext/openssl/lib/openssl/ssl-internal.rb branches/ruby_1_8_7/test/openssl/test_ssl.rb branches/ruby_1_8_7/version.h Index: ruby_1_8_7/ext/openssl/lib/openssl/ssl-internal.rb =================================================================== --- ruby_1_8_7/ext/openssl/lib/openssl/ssl-internal.rb (revision 41675) +++ ruby_1_8_7/ext/openssl/lib/openssl/ssl-internal.rb (revision 41676) @@ -90,14 +90,22 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ruby_1_8_7/ext/openssl/lib/openssl/ssl-internal.rb#L90 should_verify_common_name = true cert.extensions.each{|ext| next if ext.oid != "subjectAltName" - ext.value.split(/,\s+/).each{|general_name| - if /\ADNS:(.*)/ =~ general_name + id, ostr = OpenSSL::ASN1.decode(ext.to_der).value + sequence = OpenSSL::ASN1.decode(ostr.value) + sequence.value.each{|san| + case san.tag + when 2 # dNSName in GeneralName (RFC5280) should_verify_common_name = false - reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+") + reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+") return true if /\A#{reg}\z/i =~ hostname - elsif /\AIP Address:(.*)/ =~ general_name + when 7 # iPAddress in GeneralName (RFC5280) should_verify_common_name = false - return true if $1 == hostname + # follows GENERAL_NAME_print() in x509v3/v3_alt.c + if san.value.size == 4 + return true if san.value.unpack('C*').join('.') == hostname + elsif san.value.size == 16 + return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname + end end } } Index: ruby_1_8_7/ChangeLog =================================================================== --- ruby_1_8_7/ChangeLog (revision 41675) +++ ruby_1_8_7/ChangeLog (revision 41676) @@ -1,3 +1,11 @@ https://github.com/ruby/ruby/blob/trunk/ruby_1_8_7/ChangeLog#L1 +Thu Jun 27 20:21:18 2013 URABE Shyouhei <shyouhei@r...> + + * ext/openssl/lib/openssl/ssl-internal.rb (OpenSSL::SSL#verify_certificate_identity): + fix hostname verification. Patch by nahi. + + * test/openssl/test_ssl.rb (OpenSSL#test_verify_certificate_identity): + test for above. + Sat May 18 23:34:50 2013 Kouhei Sutou <kou@c...> * lib/rexml/document.rb: move entity_expansion_text_limit accessor to ... Index: ruby_1_8_7/version.h =================================================================== --- ruby_1_8_7/version.h (revision 41675) +++ ruby_1_8_7/version.h (revision 41676) @@ -1,15 +1,15 @@ https://github.com/ruby/ruby/blob/trunk/ruby_1_8_7/version.h#L1 #define RUBY_VERSION "1.8.7" -#define RUBY_RELEASE_DATE "2013-05-18" +#define RUBY_RELEASE_DATE "2013-06-27" #define RUBY_VERSION_CODE 187 -#define RUBY_RELEASE_CODE 20130518 -#define RUBY_PATCHLEVEL 372 +#define RUBY_RELEASE_CODE 20130627 +#define RUBY_PATCHLEVEL 373 #define RUBY_VERSION_MAJOR 1 #define RUBY_VERSION_MINOR 8 #define RUBY_VERSION_TEENY 7 #define RUBY_RELEASE_YEAR 2013 -#define RUBY_RELEASE_MONTH 5 -#define RUBY_RELEASE_DAY 18 +#define RUBY_RELEASE_MONTH 6 +#define RUBY_RELEASE_DAY 27 #ifdef RUBY_EXTERN RUBY_EXTERN const char ruby_version[]; Index: ruby_1_8_7/test/openssl/test_ssl.rb =================================================================== --- ruby_1_8_7/test/openssl/test_ssl.rb (revision 41675) +++ ruby_1_8_7/test/openssl/test_ssl.rb (revision 41676) @@ -547,6 +547,29 @@ class OpenSSL::TestSSL < Test::Unit::Tes https://github.com/ruby/ruby/blob/trunk/ruby_1_8_7/test/openssl/test_ssl.rb#L547 ssl.close } end + + def test_verify_certificate_identity + # creating NULL byte SAN certificate + ef = OpenSSL::X509::ExtensionFactory.new + cert = OpenSSL::X509::Certificate.new + cert.subject = OpenSSL::X509::Name.parse "/DC=some/DC=site/CN=Some Site" + ext = ef.create_ext('subjectAltName', 'DNS:placeholder,IP:192.168.7.1,IP:13::17') + ext_asn1 = OpenSSL::ASN1.decode(ext.to_der) + san_list_der = ext_asn1.value.reduce(nil) { |memo,val| val.tag == 4 ? val.value : memo } + san_list_asn1 = OpenSSL::ASN1.decode(san_list_der) + san_list_asn1.value[0].value = 'www.example.com\0.evil.com' + ext_asn1.value[1].value = san_list_asn1.to_der + real_ext = OpenSSL::X509::Extension.new ext_asn1 + cert.add_extension(real_ext) + + assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com')) + assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, 'www.example.com\0.evil.com')) + assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255')) + assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1')) + assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17')) + assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17')) + end +L end end -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/