Hello community,
here is the log from the commit of package kdelibs4 for openSUSE:11.3
checked in at Fri Mar 25 10:39:12 CET 2011.
--------
--- old-versions/11.3/UPDATES/all/kdelibs4/kdelibs4.changes 2010-08-09 16:12:18.000000000 +0200
+++ 11.3/kdelibs4/kdelibs4.changes 2011-03-22 22:48:53.000000000 +0100
@@ -1,0 +2,5 @@
+Tue Mar 22 20:05:02 UTC 2011 - wstephenson@novell.com
+
+- Harden SSL verification against poisoned DNS attacks (bnc#669222)
+
+-------------------------------------------------------------------
calling whatdependson for 11.3-i586
New:
----
3735e2ee-ssl-wildcards.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kdelibs4.spec ++++++
--- /var/tmp/diff_new_pack.A9ymLQ/_old 2011-03-25 10:38:57.000000000 +0100
+++ /var/tmp/diff_new_pack.A9ymLQ/_new 2011-03-25 10:38:57.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package kdelibs4 (Version 4.4.4)
+# spec file for package kdelibs4
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -49,7 +49,7 @@
Summary: KDE Base Libraries
Url: http://www.kde.org
Version: 4.4.4
-Release: 3.<RELEASE1>
+Release: 3.<RELEASE3>
Requires: soprano >= %( echo `rpm -q --queryformat '%{VERSION}' libsoprano-devel`)
Recommends: strigi >= %( echo `rpm -q --queryformat '%{VERSION}' strigi-devel`)
Requires: kdelibs4-core = %version
@@ -91,6 +91,7 @@
Patch30: shared-mime-info-070.diff
Patch31: spellchecking_fixes.diff
Patch32: nepomuk_branch.diff
+Patch33: 3735e2ee-ssl-wildcards.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if %suse_version > 1010
%requires_ge libqt4-x11
@@ -182,6 +183,7 @@
fi
%patch31
%patch32
+%patch33 -p1
##KDE44 is this still needed?
#%patch21 -p1
#
++++++ 3735e2ee-ssl-wildcards.diff ++++++
diff --git a/kio/kio/tcpslavebase.cpp b/kio/kio/tcpslavebase.cpp
index f721bfc..bd7b421 100644
--- a/kio/kio/tcpslavebase.cpp
+++ b/kio/kio/tcpslavebase.cpp
@@ -4,6 +4,7 @@
* Copyright (C) 2001 Dawit Alemayehu
* Copyright (C) 2007,2008 Andreas Hartmetz
* Copyright (C) 2008 Roland Harnau
+ * Copyright (C) 2010 Richard Moore
*
* This file is part of the KDE project
*
@@ -436,6 +437,49 @@ bool TCPSlaveBase::startSsl()
return startTLSInternal(KTcpSocket::TlsV1) & ResultOk;
}
+// Find out if a hostname matches an SSL certificate's Common Name (including wildcards)
+static bool isMatchingHostname(const QString &cnIn, const QString &hostnameIn)
+{
+ const QString cn = cnIn.toLower();
+ const QString hostname = hostnameIn.toLower();
+
+ const int wildcard = cn.indexOf(QLatin1Char('*'));
+
+ // Check this is a wildcard cert, if not then just compare the strings
+ if (wildcard < 0)
+ return cn == hostname;
+
+ const int firstCnDot = cn.indexOf(QLatin1Char('.'));
+ const int secondCnDot = cn.indexOf(QLatin1Char('.'), firstCnDot+1);
+
+ // Check at least 3 components
+ if ((-1 == secondCnDot) || (secondCnDot+1 >= cn.length()))
+ return false;
+
+ // Check * is last character of 1st component (ie. there's a following .)
+ if (wildcard+1 != firstCnDot)
+ return false;
+
+ // Check only one star
+ if (cn.lastIndexOf(QLatin1Char('*')) != wildcard)
+ return false;
+
+ // Check characters preceding * (if any) match
+ if (wildcard && (hostname.leftRef(wildcard) != cn.leftRef(wildcard)))
+ return false;
+
+ // Check characters following first . match
+ if (hostname.midRef(hostname.indexOf(QLatin1Char('.'))) != cn.midRef(firstCnDot))
+ return false;
+
+ // Check if the hostname is an IP address, if so then wildcards are not allowed
+ QHostAddress addr(hostname);
+ if (!addr.isNull())
+ return false;
+
+ // Ok, I guess this was a wildcard CN and the hostname matches.
+ return true;
+}
TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
{
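Review bot: The one-line comment on isMatchingHostname does not say which wildcard rules it enforces, which a reader needs since it replaces the QRegExp wildcard match that used to run in startTLSInternal; I would expand it to `// Match a hostname against a certificate name. A '*' is accepted only at the end of the leftmost label of a name with at least three labels, it matches within that label only, and it never matches when the hostname is an IP literal.` Two edge cases the leftRef/midRef comparisons and the secondCnDot check leave open are worth recording in that comment or a follow-up: `*` may match zero characters (cn `w*.example.com` matches host `w.example.com`, and `*.example.com` matches a host that begins with a dot), which is presumably harmless as long as d->host is a resolvable name, and the three-label rule still admits a name such as `*.co.uk`, which a public-suffix check would reject.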
@@ -490,25 +534,34 @@ TCPSlaveBase::SslResult TCPSlaveBase::startTLSInternal(uint v_)
// domain<->certificate matching here.
d->sslErrors = d->socket.sslErrors();
QSslCertificate peerCert = d->socket.peerCertificateChain().first();
- QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
- domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
- QRegExp domainMatcher(QString(), Qt::CaseInsensitive, QRegExp::Wildcard);
QMutableListIterator<KSslError> it(d->sslErrors);
while (it.hasNext()) {
// As of 4.4.0 Qt does not assign a certificate to the QSslError it emits
// *in the case of HostNameMismatch*. A HostNameMismatch, however, will always
// be an error of the peer certificate so we just don't check the error's
// certificate().
- if (it.next().error() != KSslError::HostNameMismatch) {
- continue;
+
+ // Remove all HostNameMismatch, we have to redo name checking later.
+ if (it.next().error() == KSslError::HostNameMismatch) {
+ it.remove();
}
- foreach (const QString &dp, domainPatterns) {
- domainMatcher.setPattern(dp);
- if (domainMatcher.exactMatch(d->host)) {
- it.remove();
- }
+ }
+ // Redo name checking here and (re-)insert HostNameMismatch to sslErrors if
+ // host name does not match any of the names in server certificate.
+ // QSslSocket may not report HostNameMismatch error, when server
+ // certificate was issued for the IP we are connecting to.
+ QStringList domainPatterns(peerCert.subjectInfo(QSslCertificate::CommonName));
+ domainPatterns += peerCert.alternateSubjectNames().values(QSsl::DnsEntry);
+ bool names_match = false;
+ foreach (const QString &dp, domainPatterns) {
+ if (isMatchingHostname(dp,d->host)) {
+ names_match = true;
+ break;
}
}
+ if (!names_match) {
+ d->sslErrors.insert(0, KSslError(KSslError::HostNameMismatch, peerCert));
+ }
// The app side needs the metadata now for the SSL error dialog (if any) but
// the same metadata will be needed later, too. When "later" arrives the slave
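Review bot: The rebuilt name check only consults the CommonName and QSsl::DnsEntry alternate names when building domainPatterns, so a certificate that carries the connected address only as an iPAddress SAN will now get a HostNameMismatch inserted even though the new comment notes that QSslSocket accepts the IP case; if that is unintended, appending `peerCert.alternateSubjectNames().values(QSsl::IpAddressEntry)` to domainPatterns would cover it, subject to how d->host is stored for IP literals, which is not visible here. The loop around `it.next()` now removes every HostNameMismatch unconditionally, so the older comment about not checking the error's certificate() could say so explicitly, e.g. `// Drop every HostNameMismatch here; the match is recomputed below with isMatchingHostname.` `names_match` is the only snake_case local in a function that otherwise uses camelCase (`domainPatterns`, `peerCert`); `namesMatch` would fit the file. startTLSInternal begins and ends outside this hunk.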
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++