hc-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: CVE-2014-3577 postmortem
Date Thu, 21 Aug 2014 15:50:26 GMT

On 21 Aug 2014, at 15:26, Oleg Kalnichevski <olegk@apache.org> wrote:

> I have pretty much completely rewritten every bit of code related to
> hostname verification in SVN trunk. 
> 
> https://github.com/apache/httpclient/tree/268d6cc113b305addc4a31a70bd7c3b6d545e337/httpclient/src/main/java/org/apache/http/conn/ssl
> 
> I would truly appreciate someone doing a peer review of the changes
> and / or giving me feedback with regards to further improvements.

Looks good. A couple of thoughts:

- BAD_COUNTRY_2LDS, BAD_COUNTRY_WILDCARD_PATTERN 

My guess is that longer term you will get too many specials - and the end game is parsing
something like https://publicsuffix.org/ and specifically 

	https://publicsuffix.org/list/effective_tld_names.dat  

to get the depth right.

- regex for the pattern

From my read - it seems that you build it with input under user control, if I am not mistaken
- yet it could be more than mere characters. 

So I am a bit worried about evil regexes slipping in (e.g. ReDoS); and then causing some
sort of exhaustion*.

- countDots function

Prolly no longer used.

Dw.


Having said that - I tried a few obvious ones - and have not gotten a decent example yet.

    /**
     * Evil Regex example(s) / openssl req -new -x509 -nodes -keyout /dev/null -subj "/CN=^(([a-z])+.)+[A-Z]([a-z])+$"
     */

    public final static byte[] X509_EVIL_REGEX_1= (
     "-----BEGIN CERTIFICATE-----\n" +
     "MIICGjCCAYOgAwIBAgIJAOo56cPW09+fMA0GCSqGSIb3DQEBBQUAMCYxJDAiBgNV\n" +
     "BAMMG14oKFthLXpdKSsuKStbQS1aXShbYS16XSkrJDAeFw0xNDA4MjExMzAzMTVa\n" +
     "Fw0xNDA5MjAxMzAzMTVaMCYxJDAiBgNVBAMMG14oKFthLXpdKSsuKStbQS1aXShb\n" +
     "YS16XSkrJDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA3Qo9S/QuEAmVnV9O\n" +
     "g7TsdUfjhV+szbCiia3S1Wyywmn70x7UOuxN05kEuYiQOljHk+lcLbZqFjkDoCde\n" +
     "3sTrYzocsDV1F44aoIDNf6FoTF4zvO5DrH5PQ7AXS0ot9QLwHbBbNnc8BUDUxcro\n" +
     "v4lpDbo7OHdneLPC3iMy6H+TTHUCAwEAAaNQME4wHQYDVR0OBBYEFER/UmoLTblm\n" +
     "HC4lnANRHTJJ81aBMB8GA1UdIwQYMBaAFER/UmoLTblmHC4lnANRHTJJ81aBMAwG\n" +
     "A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQdpC4WQ15IN6lzaA0S3QjSRG\n" +
     "Sk9Ds4iepfM2xWDFI78oTtYvnffv0Ow+Yzs2QoDHVyRZO7IS9gBWAmGvVvZbTXJD\n" +
     "tNofNu074GddS9P1GSj+cd4XsX5pDW8QlYPupg3/5XV3l2i99Eo/EodP3U3WnZd7\n" +
     "pTUwN+iCW4sz516Tp40=\n" +
     "-----END CERTIFICATE-----").getBytes();

    public final static byte[] X509_EVIL_REGEX_2 = (
     "-----BEGIN CERTIFICATE-----\n" +
     "MIIB9jCCAV+gAwIBAgIJAKFcCPW2esygMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV\n" +
     "BAMMCSguKmEpezMwfTAeFw0xNDA4MjExMzIxMDBaFw0xNDA5MjAxMzIxMDBaMBQx\n" +
     "EjAQBgNVBAMMCSguKmEpezMwfTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA\n" +
     "l4ajddWLAnNAbMkrInDgn5MH5bleFUm1Aq+HDxuBEmy1vabxoyV5GDexL9NquAsL\n" +
     "AxOLihWFMjG6NpPCB4rQa98vBSEaj2N+Yp4DTfS01INkOxxOQX+zNfh54GDeJfQS\n" +
     "0/+BdzZsGVhE6/ekPLh4He3MO9vC6hXaD79beIRdTN8CAwEAAaNQME4wHQYDVR0O\n" +
     "BBYEFODDhk2qLs0qraeXtwHBRE3C1VWPMB8GA1UdIwQYMBaAFODDhk2qLs0qraeX\n" +
     "twHBRE3C1VWPMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAQHwEiaOy\n" +
     "NMs8XbZfbovlXUDtIm20PiQ82TZHYb0kGd+UhcBfGMewi1wO2/ETYToVFbKaELTm\n" +
     "cQcad5TQM6KnACi1uZSJLLMO9eFT4sF9ZErcVPNPvszcE0K5PBWu7m4el7ZG4tOe\n" +
     "eMam4OzNiZpNy+9aXe4Zh4ZvxS/ReD7+PHM=\n" +
     "-----END CERTIFICATE-----").getBytes();

    public final static byte[] X509_EVIL_REGEX_3 = (
     "-----BEGIN CERTIFICATE-----\n" +
     "MIIB+DCCAWGgAwIBAgIJAJyEzt1ofEhdMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV\n" +
     "BAMMCihhYXxhYWI/KSswHhcNMTQwODIxMTQ1MzIwWhcNMTQwOTIwMTQ1MzIwWjAV\n" +
     "MRMwEQYDVQQDDAooYWF8YWFiPykrMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" +
     "gQC9XeUm4juhMbeqyMdUgU9Oiudec89Yp+68jfg1397w8yoSrxssUucicnpBS7Kf\n" +
     "M0JDy3E3CWSa/mphey9zS+rxxHE+p4u7h3uCZanTe4RcrkRy8jF4VdroDqugm+1T\n" +
     "PIV24mNFCsHQU7w4EiWLgvnxkCrBfFmpHEwOYp2GH7/E5QIDAQABo1AwTjAdBgNV\n" +
     "HQ4EFgQUdbxxDEpEMjiY0viM0EfNWWtZPIgwHwYDVR0jBBgwFoAUdbxxDEpEMjiY\n" +
     "0viM0EfNWWtZPIgwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCuBjrr\n" +
     "Xdn9KxN5WMwLZ/K6zj403s7eia8Pl2SNofPj7V5t5vXbhCceM1g2NTy1XgB/remx\n" +
     "6o3V4Lw94uj3WFdp8UT3sL+PNUuUgg98zUgCcED9EMMU0mKdcHzrwjzZBTjQOF/I\n" +
     "ggNk2gVdv6awgBUel0hcWY9/F9a3pNWYMmFn5A==\n" +
     "-----END CERTIFICATE-----").getBytes();

    public final static byte[] X509_EVIL_REGEX_4 = (
     "-----BEGIN CERTIFICATE-----\n" +
     "MIIB8jCCAVugAwIBAgIJAPU+FLeLYdGUMA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV\n" +
     "BAMMB14oYSspKyQwHhcNMTQwODIxMTQ1NzExWhcNMTQwOTIwMTQ1NzExWjASMRAw\n" +
     "DgYDVQQDDAdeKGErKSskMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYIkgN\n" +
     "N4Y8ZCIjztOzuzqth7gObsuSR7BjWp4FTg9T6J2hfyBrxu1WZY/J/4b01VdJMNE5\n" +
     "yMQI9A49i229DSSXKssv9VsLNgRN5X2el4HQg9ibialgB6KUwmL+c2vv4hJ92mrc\n" +
     "lnr54CVsXmxgABYhShkWZqIuTyAUE2r1FVqQtQIDAQABo1AwTjAdBgNVHQ4EFgQU\n" +
     "36WZSogs45HIg7G8MWKfU+NsSBQwHwYDVR0jBBgwFoAU36WZSogs45HIg7G8MWKf\n" +
     "U+NsSBQwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQBvzGB/5B4tF7dz\n" +
     "ME1AhudTbmHyuPAGhGg3DUpPBNNZHHgYS1zGpXgcDlOaXYuvFrb81sCVGNAhCijq\n" +
     "wMiQEwW2GWWKi7qNnj/W35OyVsXTchfRXuL75ZcVzABa8hdldijwhvFHev75X+HW\n" +
     "Nr5sa4rDYtwqkERMJCtSpE9lETID2A==\n" +
     "-----END CERTIFICATE-----").getBytes();

    public final static byte[] X509_EVIL_REGEX_5 = (
     "-----BEGIN CERTIFICATE-----\n" +
     "MIIB9DCCAV2gAwIBAgIJAJkLISjl9geAMA0GCSqGSIb3DQEBBQUAMBMxETAPBgNV\n" +
     "BAMMCCgqYSl7MzB9MB4XDTE0MDgyMTE1MDM1MFoXDTE0MDkyMDE1MDM1MFowEzER\n" +
     "MA8GA1UEAwwIKCphKXszMH0wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOLH\n" +
     "GTkGbs0+/7AQoVYG/nHgSLmr9pnd5oAcOVp/ncN7csMrQab4ftfZNFrEsAseRNl5\n" +
     "5b1CD0hkz3+sfXdocNUZl7bmkpIqhyHqo2QULbR9j7fTH8IIDbsipMj45FS6gm3P\n" +
     "ryL6n99z2jxpkUu6MgR9FNO9uUer57idANstbJwjAgMBAAGjUDBOMB0GA1UdDgQW\n" +
     "BBTmSxwccA9GPyAF7qhlUF9XTghFzDAfBgNVHSMEGDAWgBTmSxwccA9GPyAF7qhl\n" +
     "UF9XTghFzDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAEwPdipEPBGp\n" +
     "3ajUKj6Fq4AdI8lOZIFrghjSNDqRe2ANybjwETt/seYOAdIFxlhW2ALDp8mNJAKP\n" +
     "5s5aFjeNlUvQKmtLm2ZDIQ0GlrjXZ3R1et1Qwd9XPBGsHK8pmmJZB9pbqdWzVF+w\n" +
     "5cgEPhsWHxM16wVtFUIMskyhtlO+Ai/6\n" +
     "-----END CERTIFICATE-----").getBytes();

    public final static byte[] X509_EVIL_REGEX_6 = (
     "-----BEGIN CERTIFICATE-----\n" +
     "MIICVjCCAgCgAwIBAgIJAMskaCGIhO70MA0GCSqGSIb3DQEBBQUAMBIxEDAOBgNV\n" +
     "BAMMB2lnbm9yZWQwHhcNMTQwODIxMTUzNjA1WhcNMTQwOTIwMTUzNjA1WjASMRAw\n" +
     "DgYDVQQDDAdpZ25vcmVkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANQg+BI6DYd0\n" +
     "RviglOAXhp58CKloK1pzenOugAJ8afCTszQVUzWN+cq5ZS0lxdLQ0WOS2jCDlJfW\n" +
     "j2XQOBLsuQUCAwEAAaOCATcwggEzMAsGA1UdDwQEAwIF4DAJBgNVHRMEAjAAMIIB\n" +
     "FwYDVR0RBIIBDjCCAQqgEAYDKgMEoAkMB14oYSspKySgEgYDKgMEoAsMCSguKmEp\n" +
     "ezMwfaARBgMqAwSgCgwIKCphKXszMH2gEwYDKgMEoAwMCihhYXxhYWI/KSuCFDEu\n" +
     "Mi4zLjQ7VVRGODpeKGErKSskghYxLjIuMy40O1VURjg6KC4qYSl7MzB9ghUxLjIu\n" +
     "My40O1VURjg6KCphKXszMH2CFzEuMi4zLjQ7VVRGODooYWF8YWFiPykrgRQxLjIu\n" +
     "My40O1VURjg6XihhKykrJIEWMS4yLjMuNDtVVEY4OiguKmEpezMwfYEVMS4yLjMu\n" +
     "NDtVVEY4OigqYSl7MzB9gRcxLjIuMy40O1VURjg6KGFhfGFhYj8pKzANBgkqhkiG\n" +
     "9w0BAQUFAANBAA+NxqNkEqYRWL0Z5940zk4ddZxgD4HnQiOcsEWm0Akys370T7iQ\n" +
     "KNiBrfnX7Uf8VF7ZkxmxXH39Xo6hIqHfTXo=\n" +
     "-----END CERTIFICATE-----").getBytes();
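The two points raised above - escape whatever the certificate name contributes to the pattern so that a CN like the one in the first test certificate is never handed to the regex engine as a regex, and consult the public suffix list to decide how deep a wildcard may sit - can be shown together. The Python below is an added example, not code from this thread or from HttpClient; the PSL excerpt is constructed in the effective_tld_names.dat format and is not the real list, and the names parse_psl, public_suffix, wildcard_is_acceptable, naive_pattern, cn_to_pattern and matches are the example's own. re.escape plays the role that Pattern.quote plays in Java.

```python
import re

# Constructed excerpt in the effective_tld_names.dat format (not the real list):
# "//" comments, plain rules, a "*." wildcard rule and a "!" exception rule.
PSL_EXCERPT = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
jp
*.kawasaki.jp
!city.kawasaki.jp
"""


def parse_psl(text):
    """Rules of a public suffix list file, lower-cased, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append(line.split()[0].lower())
    return rules


def _rule_matches(rule, labels):
    """A rule matches when its labels equal the domain's rightmost labels,
    with '*' matching any single label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == l
               for r, l in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(domain, rules):
    """Public suffix per the list's algorithm: an exception rule wins (minus its
    leftmost label); otherwise the longest matching rule; otherwise the
    implicit '*' rule, i.e. the last label."""
    labels = domain.lower().rstrip(".").split(".")
    matching = [r for r in rules if _rule_matches(r, labels)]
    exceptions = [r for r in matching if r.startswith("!")]
    if exceptions:
        depth = len(exceptions[0].split(".")) - 1
    elif matching:
        depth = max(len(r.split(".")) for r in matching)
    else:
        depth = 1
    return ".".join(labels[-depth:])


def wildcard_is_acceptable(cn, rules):
    """A wildcard is allowed only as the entire leftmost label, and only when
    what follows it is a registrable domain rather than a public suffix:
    "*.co.uk" and "*.com" are rejected, "*.example.co.uk" is accepted."""
    if cn.count("*") != 1 or not cn.startswith("*.") or len(cn) < 3:
        return False
    suffix = cn[2:].lower()
    if suffix == public_suffix(suffix, rules):
        return False
    # Constructed probe label: rejects "*.kawasaki.jp", where any label under
    # the suffix is itself a public suffix because of the wildcard rule.
    probe = "probe." + suffix
    return public_suffix(probe, rules) != probe


def naive_pattern(cn):
    """The construction the thread worries about: the CN is dropped into the
    pattern with only '*' rewritten, so every other metacharacter it carries
    is interpreted by the regex engine ("a.b" then matches "axb")."""
    return re.compile(cn.replace("*", "[^.]*"))


def cn_to_pattern(cn, rules):
    """Every character of the CN becomes a literal via re.escape (Pattern.quote
    in Java); only an acceptable leading "*." becomes a single-label wildcard.
    The result has no nested quantifiers, so matching is linear in the input.
    Returns None for a rejected name."""
    if "*" in cn:
        if not wildcard_is_acceptable(cn, rules):
            return None
        body = r"[^.]+\." + re.escape(cn[2:])
    else:
        body = re.escape(cn)
    return re.compile(body, re.IGNORECASE)


def matches(cn, hostname, rules):
    """True when the hostname is covered by the certificate name."""
    pattern = cn_to_pattern(cn, rules)
    return pattern is not None and pattern.fullmatch(hostname.rstrip(".")) is not None


if __name__ == "__main__":
    rules = parse_psl(PSL_EXCERPT)
    evil_cn = "^(([a-z])+.)+[A-Z]([a-z])+$"  # the CN from the first test certificate above
    print(matches("*.example.co.uk", "www.example.co.uk", rules))  # True
    print(matches("*.co.uk", "example.co.uk", rules))              # False
    print(matches(evil_cn, "foo.example.com", rules))              # False
```

The escaping removes the ReDoS concern at its root: nothing under the certificate holder's control reaches the engine as syntax, and the only quantified piece, [^.]+, is fixed by the verifier. The suffix check is the part that replaces a hand-maintained BAD_COUNTRY_2LDS-style table; swapping the embedded excerpt for the full effective_tld_names.dat is the only change needed to cover every registry.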