[packages/php.git] / CVE-2013-4073.patch

From: Stanislav Malyshev <stas@php.net>
Date: Wed, 14 Aug 2013 05:20:33 +0000 (-0700)
Subject: Fix CVE-2013-4073 - handling of certs with null bytes
X-Git-Tag: php-5.3.28~3
X-Git-Url: http://git.php.net/?p=php-src.git;a=commitdiff;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755

Fix CVE-2013-4073 - handling of certs with null bytes
---

- Openssl:
  . Fixed handling null bytes in subjectAltName (CVE-2013-4073).
    (Christian Heimes)
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 15696be..c7a9f5c 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -1326,6 +1326,74 @@ PHP_FUNCTION(openssl_x509_check_private_key)
 }
 /* }}} */
 
+/* Special handling of subjectAltName, see CVE-2013-4073
+ * Christian Heimes
+ */
+
+static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)
+{
+	GENERAL_NAMES *names;
+	const X509V3_EXT_METHOD *method = NULL;
+	long i, length, num;
+	const unsigned char *p;
+
+	method = X509V3_EXT_get(extension);
+	if (method == NULL) {
+		return -1;
+	}
+
+	p = extension->value->data;
+	length = extension->value->length;
+	if (method->it) {
+		names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length,
+						       ASN1_ITEM_ptr(method->it)));
+	} else {
+		names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length));
+	}
+	if (names == NULL) {
+		return -1;
+	}
+
+	num = sk_GENERAL_NAME_num(names);
+	for (i = 0; i < num; i++) {
+			GENERAL_NAME *name;
+			ASN1_STRING *as;
+			name = sk_GENERAL_NAME_value(names, i);
+			switch (name->type) {
+				case GEN_EMAIL:
+					BIO_puts(bio, "email:");
+					as = name->d.rfc822Name;
+					BIO_write(bio, ASN1_STRING_data(as),
+						  ASN1_STRING_length(as));
+					break;
+				case GEN_DNS:
+					BIO_puts(bio, "DNS:");
+					as = name->d.dNSName;
+					BIO_write(bio, ASN1_STRING_data(as),
+						  ASN1_STRING_length(as));
+					break;
+				case GEN_URI:
+					BIO_puts(bio, "URI:");
+					as = name->d.uniformResourceIdentifier;
+					BIO_write(bio, ASN1_STRING_data(as),
+						  ASN1_STRING_length(as));
+					break;
+				default:
+					/* use builtin print for GEN_OTHERNAME, GEN_X400,
+					 * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
+					 */
+					GENERAL_NAME_print(bio, name);
+			}
+			/* trailing ', ' except for last element */
+			if (i < (num - 1)) {
+				BIO_puts(bio, ", ");
+			}
+	}
+	sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+
+	return 0;
+}
+
 /* {{{ proto array openssl_x509_parse(mixed x509 [, bool shortnames=true])
    Returns an array of the fields/values of the CERT */
 PHP_FUNCTION(openssl_x509_parse)
@@ -1422,15 +1490,29 @@ PHP_FUNCTION(openssl_x509_parse)
 
 
 	for (i = 0; i < X509_get_ext_count(cert); i++) {
+		int nid;
 		extension = X509_get_ext(cert, i);
-		if (OBJ_obj2nid(X509_EXTENSION_get_object(extension)) != NID_undef) {
+		nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension));
+		if (nid != NID_undef) {
 			extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension)));
 		} else {
 			OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension), 1);
 			extname = buf;
 		}
 		bio_out = BIO_new(BIO_s_mem());
-		if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
+		if (nid == NID_subject_alt_name) {
+			if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) {
+				add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
+			} else {
+				zval_dtor(return_value);
+				if (certresource == -1 && cert) {
+					X509_free(cert);
+				}
+				BIO_free(bio_out);
+				RETURN_FALSE;
+			}
+		}
+		else if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
 			BIO_get_mem_ptr(bio_out, &bio_buf);
 			add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
 		} else {
diff --git a/ext/openssl/tests/cve2013_4073.pem b/ext/openssl/tests/cve2013_4073.pem
new file mode 100644
index 0000000..7ebb994
--- /dev/null
+++ b/ext/openssl/tests/cve2013_4073.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx
+DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ
+eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg
+RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y
+ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw
+NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI
+DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv
+ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt
+ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq
+hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j
+pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P
+vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv
+KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA
+oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL
+08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV
+HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E
+BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu
+Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251
+bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA
+AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9
+i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j
+HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk
+kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx
+VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW
+RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ=
+-----END CERTIFICATE-----
diff --git a/ext/openssl/tests/cve2013_4073.phpt b/ext/openssl/tests/cve2013_4073.phpt
new file mode 100644
index 0000000..e676ddf
--- /dev/null
+++ b/ext/openssl/tests/cve2013_4073.phpt
@@ -0,0 +1,19 @@
+--TEST--
+CVE 2013-4073: Null-byte certificate handling
+--SKIPIF--
+<?php 
+if (!extension_loaded("openssl")) die("skip");
+--FILE--
+<?php
+$cert = file_get_contents(__DIR__ . '/cve2013_4073.pem');
+$info = openssl_x509_parse($cert);
+var_export($info['extensions']);
+
+--EXPECTF--
+array (
+  'basicConstraints' => 'CA:FALSE',
+  'subjectKeyIdentifier' => '88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C',
+  'keyUsage' => 'Digital Signature, Non Repudiation, Key Encipherment',
+  'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1
+',
+)
Commit	Line	Data
b16376f6 ER	1	From: Stanislav Malyshev <stas@php.net>
	2	Date: Wed, 14 Aug 2013 05:20:33 +0000 (-0700)
	3	Subject: Fix CVE-2013-4073 - handling of certs with null bytes
	4	X-Git-Tag: php-5.3.28~3
	5	X-Git-Url: http://git.php.net/?p=php-src.git;a=commitdiff;h=dcea4ec698dcae39b7bba6f6aa08933cbfee6755
	6
	7	Fix CVE-2013-4073 - handling of certs with null bytes
	8	---
	9
	10	- Openssl:
	11	. Fixed handling null bytes in subjectAltName (CVE-2013-4073).
	12	(Christian Heimes)
	13	diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
	14	index 15696be..c7a9f5c 100644
	15	--- a/ext/openssl/openssl.c
	16	+++ b/ext/openssl/openssl.c
	17	@@ -1326,6 +1326,74 @@ PHP_FUNCTION(openssl_x509_check_private_key)
	18	}
	19	/* }}} */
	20
	21	+/* Special handling of subjectAltName, see CVE-2013-4073
	22	+ * Christian Heimes
	23	+ */
	24	+
	25	+static int openssl_x509v3_subjectAltName(BIO bio, X509_EXTENSION extension)
	26	+{
	27	+ GENERAL_NAMES *names;
	28	+ const X509V3_EXT_METHOD *method = NULL;
	29	+ long i, length, num;
	30	+ const unsigned char *p;
	31	+
	32	+ method = X509V3_EXT_get(extension);
	33	+ if (method == NULL) {
	34	+ return -1;
	35	+ }
	36	+
	37	+ p = extension->value->data;
	38	+ length = extension->value->length;
	39	+ if (method->it) {
	40	+ names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length,
	41	+ ASN1_ITEM_ptr(method->it)));
	42	+ } else {
	43	+ names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length));
	44	+ }
	45	+ if (names == NULL) {
	46	+ return -1;
	47	+ }
	48	+
	49	+ num = sk_GENERAL_NAME_num(names);
	50	+ for (i = 0; i < num; i++) {
	51	+ GENERAL_NAME *name;
	52	+ ASN1_STRING *as;
	53	+ name = sk_GENERAL_NAME_value(names, i);
	54	+ switch (name->type) {
	55	+ case GEN_EMAIL:
	56	+ BIO_puts(bio, "email:");
	57	+ as = name->d.rfc822Name;
	58	+ BIO_write(bio, ASN1_STRING_data(as),
	59	+ ASN1_STRING_length(as));
	60	+ break;
	61	+ case GEN_DNS:
	62	+ BIO_puts(bio, "DNS:");
	63	+ as = name->d.dNSName;
	64	+ BIO_write(bio, ASN1_STRING_data(as),
65	+ ASN1_STRING_length(as));
66	+ break;
67	+ case GEN_URI:
68	+ BIO_puts(bio, "URI:");
69	+ as = name->d.uniformResourceIdentifier;
70	+ BIO_write(bio, ASN1_STRING_data(as),
71	+ ASN1_STRING_length(as));
72	+ break;
73	+ default:
74	+ /* use builtin print for GEN_OTHERNAME, GEN_X400,
75	+ * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
76	+ */
77	+ GENERAL_NAME_print(bio, name);
78	+ }
79	+ /* trailing ', ' except for last element */
80	+ if (i < (num - 1)) {
81	+ BIO_puts(bio, ", ");
82	+ }
83	+ }
84	+ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
85	+
86	+ return 0;
87	+}
88	+
89	/* {{{ proto array openssl_x509_parse(mixed x509 [, bool shortnames=true])
90	Returns an array of the fields/values of the CERT */
91	PHP_FUNCTION(openssl_x509_parse)
92	@@ -1422,15 +1490,29 @@ PHP_FUNCTION(openssl_x509_parse)
93
94
95	for (i = 0; i < X509_get_ext_count(cert); i++) {
96	+ int nid;
97	extension = X509_get_ext(cert, i);
98	- if (OBJ_obj2nid(X509_EXTENSION_get_object(extension)) != NID_undef) {
99	+ nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension));
100	+ if (nid != NID_undef) {
101	extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension)));
102	} else {
103	OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension), 1);
104	extname = buf;
105	}
106	bio_out = BIO_new(BIO_s_mem());
107	- if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
108	+ if (nid == NID_subject_alt_name) {
109	+ if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) {
110	+ add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
111	+ } else {
112	+ zval_dtor(return_value);
113	+ if (certresource == -1 && cert) {
114	+ X509_free(cert);
115	+ }
116	+ BIO_free(bio_out);
117	+ RETURN_FALSE;
118	+ }
119	+ }
120	+ else if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
121	BIO_get_mem_ptr(bio_out, &bio_buf);
122	add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
123	} else {
124	diff --git a/ext/openssl/tests/cve2013_4073.pem b/ext/openssl/tests/cve2013_4073.pem
125	new file mode 100644
126	index 0000000..7ebb994
127	--- /dev/null
128	+++ b/ext/openssl/tests/cve2013_4073.pem
129	@@ -0,0 +1,28 @@
130	+-----BEGIN CERTIFICATE-----
131	+MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx
132	+DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ
133	+eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg
134	+RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y
135	+ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw
136	+NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI
137	+DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv
138	+ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt
139	+ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq
140	+hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB
141	+BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j
142	+pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P
143	+vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv
144	+KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA
145	+oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL
146	+08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV
147	+HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E
148	+BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu
149	+Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251
150	+bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA
151	+AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9
152	+i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j
153	+HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk
154	+kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx
155	+VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW
156	+RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ=
157	+-----END CERTIFICATE-----
158	diff --git a/ext/openssl/tests/cve2013_4073.phpt b/ext/openssl/tests/cve2013_4073.phpt
159	new file mode 100644
160	index 0000000..e676ddf
161	--- /dev/null
162	+++ b/ext/openssl/tests/cve2013_4073.phpt
163	@@ -0,0 +1,19 @@
164	+--TEST--
165	+CVE 2013-4073: Null-byte certificate handling
166	+--SKIPIF--
167	+<?php
168	+if (!extension_loaded("openssl")) die("skip");
169	+--FILE--
170	+<?php
171	+$cert = file_get_contents(__DIR__ . '/cve2013_4073.pem');
172	+$info = openssl_x509_parse($cert);
173	+var_export($info['extensions']);
174	+
175	+--EXPECTF--
176	+array (
177	+ 'basicConstraints' => 'CA:FALSE',
178	+ 'subjectKeyIdentifier' => '88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C',
179	+ 'keyUsage' => 'Digital Signature, Non Repudiation, Key Encipherment',
180	+ 'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:null@python.org' . "\0" . 'user@example.org, URI:http://null.python.org' . "\0" . 'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1
181	+',
182	+)