Tobias Ringstrom wrote:
> 1. Add a manual hostname comparison. This will definitely make it
> into 0.30.
...and here is the patch.
/Tobias
Log message:
A quick solution to prevent alternate CN hostname spoofing.
* subversion/include/svn_auth.h
Added SVN_AUTH_PARAM_SSL_SERVER_HOSTNAME
* subversion/libsvn_client/auth.c
(server_ssl_file_first_credentials): Manually verify that the
certificate hostname matches the name of the remote host.
* subversion/libsvn_ra_dav/session.c
Add the name of the remote host to the auth parameter hash.
Index: subversion/include/svn_auth.h
===================================================================
--- subversion/include/svn_auth.h (revision 7154)
+++ subversion/include/svn_auth.h (working copy)
@@ -364,6 +364,11 @@
"ssl:failures"
/** The following property is for ssl server cert providers. This
+ provides the name of the remote host. */
+#define SVN_AUTH_PARAM_SSL_SERVER_HOSTNAME SVN_AUTH_PARAM_PREFIX \
+ "ssl:hostname"
+
+/** The following property is for ssl server cert providers. This
provides the cert info (svn_auth_ssl_server_cert_info_t). */
#define SVN_AUTH_PARAM_SSL_SERVER_CERT_INFO SVN_AUTH_PARAM_PREFIX \
"ssl:cert-info"
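Review bot: The new comment says "the name of the remote host" but does not say where that name comes from, and a cert provider reading it needs to know it is the host the client is connecting to, not a value taken from the certificate. The session.c hunk sets it from `ras->root.host`, so I would word it as `/** The following property is for ssl server cert providers. This provides the hostname the client is connecting to (set by the RA layer from the session root, not from the certificate), for comparison against the certificate's identity. */`. It is also worth stating that the parameter may be absent when an RA layer does not set it, so providers must handle a NULL lookup.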
Index: subversion/libsvn_client/auth.c
===================================================================
--- subversion/libsvn_client/auth.c (revision 7154)
+++ subversion/libsvn_client/auth.c (working copy)
@@ -459,6 +459,9 @@
int failures = (int) apr_hash_get (parameters,
SVN_AUTH_PARAM_SSL_SERVER_FAILURES,
APR_HASH_KEY_STRING);
+ const char *hostname = apr_hash_get (parameters,
+ SVN_AUTH_PARAM_SSL_SERVER_HOSTNAME,
+ APR_HASH_KEY_STRING);
const svn_auth_ssl_server_cert_info_t *cert_info =
apr_hash_get (parameters,
SVN_AUTH_PARAM_SSL_SERVER_CERT_INFO,
@@ -476,6 +479,29 @@
*credentials = NULL;
*iter_baton = NULL;
+ /* Check if this is a permanently accepted cert */
+ if (failures & SVN_AUTH_SSL_UNKNOWNCA)
+ {
+ pb->realmstring = apr_pstrdup (pool, realmstring);
+ config_dir = apr_hash_get (parameters,
+ SVN_AUTH_PARAM_CONFIG_DIR,
+ APR_HASH_KEY_STRING);
+ error = svn_config_read_auth_data (&creds_hash, pb->cred_kind,
+ pb->realmstring, config_dir, pool);
+ svn_error_clear(error);
+ if (!error && creds_hash)
+ {
+ failures &= ~SVN_AUTH_SSL_UNKNOWNCA;
+ /* The following is a quick hack to prevent alternate CN
+ * hostname spoofing. It will be replaced by a better more
+ * secure solution shortly. */
+ if (strcmp(cert_info->hostname, hostname) != 0)
+ {
+ failures |= SVN_AUTH_SSL_CNMISMATCH;
+ }
+ }
+ }
+
/* Check for ignored cert dates */
if (failures & (SVN_AUTH_SSL_NOTYETVALID | SVN_AUTH_SSL_EXPIRED))
{
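Review bot: `strcmp(cert_info->hostname, hostname)` dereferences both strings with no NULL check; `hostname` is a plain `apr_hash_get` of a parameter that only the new session.c hunk sets, so any RA layer or older caller that does not set SVN_AUTH_PARAM_SSL_SERVER_HOSTNAME crashes the provider instead of rejecting the cert, and `cert_info->hostname` comes from `ne_ssl_cert_identity(cert)`, which presumably can also be NULL for a cert without an identity. Failing closed is the safe default here: `if (hostname == NULL || cert_info->hostname == NULL || strcmp(cert_info->hostname, hostname) != 0)` then set SVN_AUTH_SSL_CNMISMATCH. Note also that an exact `strcmp` is case-sensitive while DNS names are not, and a wildcard identity will never match, so this check can produce spurious mismatches (a false positive, not a bypass) that the "quick hack" comment should mention. The enclosing function `server_ssl_file_first_credentials` starts and ends outside the hunk.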
@@ -501,24 +527,7 @@
failures &= ~SVN_AUTH_SSL_CNMISMATCH;
}
}
-
- /* Check if this is a permanently accepted cert */
- if (failures & SVN_AUTH_SSL_UNKNOWNCA)
- {
- pb->realmstring = apr_pstrdup (pool, realmstring);
- config_dir = apr_hash_get (parameters,
- SVN_AUTH_PARAM_CONFIG_DIR,
- APR_HASH_KEY_STRING);
- error = svn_config_read_auth_data (&creds_hash, pb->cred_kind,
- pb->realmstring, config_dir, pool);
- svn_error_clear(error);
- if (!error && creds_hash)
- {
- failures &= ~SVN_AUTH_SSL_UNKNOWNCA;
- }
- }
-
/* Update the set of failures */
apr_hash_set (parameters,
SVN_AUTH_PARAM_SSL_SERVER_FAILURES,
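Review bot: With the permanently-accepted-cert block moved above, the retained `failures &= ~SVN_AUTH_SSL_CNMISMATCH;` at the top of this hunk now runs after the new hostname comparison, so whatever condition guards that line (it is outside the hunk, so I cannot see it) will also clear the mismatch bit the new check just set. If that guard is a user- or config-controlled "ignore CN mismatch" path, the hostname check is silently undone for exactly those users, which defeats the purpose of the patch. I would either perform the hostname comparison after this clearing, just before the "Update the set of failures" comment, or record it in a local such as `svn_boolean_t hostname_mismatch` and OR `SVN_AUTH_SSL_CNMISMATCH` back into `failures` at that point.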
Index: subversion/libsvn_ra_dav/session.c
===================================================================
--- subversion/libsvn_ra_dav/session.c (revision 7154)
+++ subversion/libsvn_ra_dav/session.c (working copy)
@@ -132,6 +132,10 @@
SVN_AUTH_PARAM_SSL_SERVER_FAILURES,
(void*)failures);
+ svn_auth_set_parameter(ras->callbacks->auth_baton,
+ SVN_AUTH_PARAM_SSL_SERVER_HOSTNAME,
+ ras->root.host);
+
/* Extract the info from the certificate */
cert_info.hostname = ne_ssl_cert_identity(cert);
if (ne_ssl_cert_digest(cert, fingerprint) != 0)
Received on Tue Sep 23 18:36:41 2003