python3.12/00183-cve-2013-2099-fix-ssl-match_hostname-dos.patch

# HG changeset patch
# User Antoine Pitrou <solipsis@pitrou.net>
# Date 1368892602 -7200
# Node ID c627638753e2d25a98950585b259104a025937a9
# Parent  9682241dc8fcb4b1aef083bd30860efa070c3d6d
Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).

diff --git a/Lib/ssl.py b/Lib/ssl.py
--- a/Lib/ssl.py
+++ b/Lib/ssl.py
@@ -129,9 +129,16 @@ class CertificateError(ValueError):
     pass
 
 
-def _dnsname_to_pat(dn):
+def _dnsname_to_pat(dn, max_wildcards=1):
     pats = []
     for frag in dn.split(r'.'):
+        if frag.count('*') > max_wildcards:
+            # Issue #17980: avoid denials of service by refusing more
+            # than one wildcard per fragment.  A survery of established
+            # policy among SSL implementations showed it to be a
+            # reasonable choice.
+            raise CertificateError(
+                "too many wildcards in certificate DNS name: " + repr(dn))
         if frag == '*':
             # When '*' is a fragment by itself, it matches a non-empty dotless
             # fragment.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase
         self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')
         self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')
 
+        # Issue #17980: avoid denials of service by refusing more than one
+        # wildcard per fragment.
+        cert = {'subject': ((('commonName', 'a*b.com'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b.co*'),),)}
+        ok(cert, 'axxb.com')
+        cert = {'subject': ((('commonName', 'a*b*.com'),),)}
+        with self.assertRaises(ssl.CertificateError) as cm:
+            ssl.match_hostname(cert, 'axxbxxc.com')
+        self.assertIn("too many wildcards", str(cm.exception))
+
     def test_server_side(self):
         # server_hostname doesn't work for server sockets
         ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
Add patch for CVE-2013-2099 (rhbz#963261). 2013-05-20 06:04:03 +00:00			`# HG changeset patch`
			`# User Antoine Pitrou <solipsis@pitrou.net>`
			`# Date 1368892602 -7200`
			`# Node ID c627638753e2d25a98950585b259104a025937a9`
			`# Parent 9682241dc8fcb4b1aef083bd30860efa070c3d6d`
			`Issue #17980: Fix possible abuse of ssl.match_hostname() for denial of service using certificates with many wildcards (CVE-2013-2099).`

			`diff --git a/Lib/ssl.py b/Lib/ssl.py`
			`--- a/Lib/ssl.py`
			`+++ b/Lib/ssl.py`
			`@@ -129,9 +129,16 @@ class CertificateError(ValueError):`
			`pass`


			`-def _dnsname_to_pat(dn):`
			`+def _dnsname_to_pat(dn, max_wildcards=1):`
			`pats = []`
			`for frag in dn.split(r'.'):`
			`+ if frag.count('*') > max_wildcards:`
			`+ # Issue #17980: avoid denials of service by refusing more`
			`+ # than one wildcard per fragment. A survery of established`
			`+ # policy among SSL implementations showed it to be a`
			`+ # reasonable choice.`
			`+ raise CertificateError(`
			`+ "too many wildcards in certificate DNS name: " + repr(dn))`
			`if frag == '*':`
			`# When '*' is a fragment by itself, it matches a non-empty dotless`
			`# fragment.`
			`diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py`
			`--- a/Lib/test/test_ssl.py`
			`+++ b/Lib/test/test_ssl.py`
			`@@ -349,6 +349,17 @@ class BasicSocketTests(unittest.TestCase`
			`self.assertRaises(ValueError, ssl.match_hostname, None, 'example.com')`
			`self.assertRaises(ValueError, ssl.match_hostname, {}, 'example.com')`

			`+ # Issue #17980: avoid denials of service by refusing more than one`
			`+ # wildcard per fragment.`
			`+ cert = {'subject': ((('commonName', 'a*b.com'),),)}`
			`+ ok(cert, 'axxb.com')`
			`+ cert = {'subject': ((('commonName', 'ab.co'),),)}`
			`+ ok(cert, 'axxb.com')`
			`+ cert = {'subject': ((('commonName', 'ab.com'),),)}`
			`+ with self.assertRaises(ssl.CertificateError) as cm:`
			`+ ssl.match_hostname(cert, 'axxbxxc.com')`
			`+ self.assertIn("too many wildcards", str(cm.exception))`
			`+`
			`def test_server_side(self):`
			`# server_hostname doesn't work for server sockets`
			`ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)`