summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch444
-rw-r--r--meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch439
-rw-r--r--meta/recipes-devtools/subversion/subversion_1.6.15.bb4
-rw-r--r--meta/recipes-devtools/subversion/subversion_1.8.9.bb1
4 files changed, 887 insertions, 1 deletions
diff --git a/meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch b/meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch
new file mode 100644
index 0000000000..f259e5490a
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion-1.8.9/subversion-CVE-2014-3522.patch
@@ -0,0 +1,444 @@
1Upstream-Status: Backport
2
3Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
4
5Index: subversion/include/private/svn_cert.h
6===================================================================
7--- subversion/include/private/svn_cert.h (nonexistent)
8+++ subversion/include/private/svn_cert.h (working copy)
9@@ -0,0 +1,68 @@
10+/**
11+ * @copyright
12+ * ====================================================================
13+ * Licensed to the Apache Software Foundation (ASF) under one
14+ * or more contributor license agreements. See the NOTICE file
15+ * distributed with this work for additional information
16+ * regarding copyright ownership. The ASF licenses this file
17+ * to you under the Apache License, Version 2.0 (the
18+ * "License"); you may not use this file except in compliance
19+ * with the License. You may obtain a copy of the License at
20+ *
21+ * http://www.apache.org/licenses/LICENSE-2.0
22+ *
23+ * Unless required by applicable law or agreed to in writing,
24+ * software distributed under the License is distributed on an
25+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
26+ * KIND, either express or implied. See the License for the
27+ * specific language governing permissions and limitations
28+ * under the License.
29+ * ====================================================================
30+ * @endcopyright
31+ *
32+ * @file svn_cert.h
33+ * @brief Implementation of certificate validation functions
34+ */
35+
36+#ifndef SVN_CERT_H
37+#define SVN_CERT_H
38+
39+#include <apr.h>
40+
41+#include "svn_types.h"
42+#include "svn_string.h"
43+
44+#ifdef __cplusplus
45+extern "C" {
46+#endif /* __cplusplus */
47+
48+
49+/* Return TRUE iff @a pattern matches @a hostname as defined
50+ * by the matching rules of RFC 6125. In the context of RFC
51+ * 6125 the pattern is the domain name portion of the presented
52+ * identifier (which comes from the Common Name or a DNSName
53+ * portion of the subjectAltName of an X.509 certificate) and
54+ * the hostname is the source domain (i.e. the host portion
55+ * of the URI the user entered).
56+ *
57+ * @note With respect to wildcards we only support matching
58+ * wildcards in the left-most label and as the only character
59+ * in the left-most label (i.e. we support RFC 6125 s. 6.4.3
60+ * Rule 1 and 2 but not the optional Rule 3). This may change
61+ * in the future.
62+ *
63+ * @note Subversion does not at current support internationalized
64+ * domain names. Both values are presumed to be in NR-LDH label
65+ * or A-label form (see RFC 5890 for the definition).
66+ *
67+ * @since New in 1.9.
68+ */
69+svn_boolean_t
70+svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname);
71+
72+
73+#ifdef __cplusplus
74+}
75+#endif /* __cplusplus */
76+
77+#endif /* SVN_CERT_H */
78Index: subversion/libsvn_ra_serf/util.c
79===================================================================
80--- subversion/libsvn_ra_serf/util.c (revision 1615128)
81+++ subversion/libsvn_ra_serf/util.c (working copy)
82@@ -28,7 +28,6 @@
83 #define APR_WANT_STRFUNC
84 #include <apr.h>
85 #include <apr_want.h>
86-#include <apr_fnmatch.h>
87
88 #include <serf.h>
89 #include <serf_bucket_types.h>
90@@ -49,6 +48,7 @@
91 #include "private/svn_fspath.h"
92 #include "private/svn_subr_private.h"
93 #include "private/svn_auth_private.h"
94+#include "private/svn_cert.h"
95
96 #include "ra_serf.h"
97
98@@ -274,7 +274,6 @@ ssl_server_cert(void *baton, int failures,
99 apr_hash_t *subject = NULL;
100 apr_hash_t *serf_cert = NULL;
101 void *creds;
102- int found_matching_hostname = 0;
103
104 svn_failures = (ssl_convert_serf_failures(failures)
105 | conn->server_cert_failures);
106@@ -286,26 +285,37 @@ ssl_server_cert(void *baton, int failures,
107 ### This should really be handled by serf, which should pass an error
108 for this case, but that has backwards compatibility issues. */
109 apr_array_header_t *san;
110+ svn_boolean_t found_san_entry = FALSE;
111+ svn_boolean_t found_matching_hostname = FALSE;
112+ svn_string_t *actual_hostname =
113+ svn_string_create(conn->session->session_url.hostname, scratch_pool);
114
115 serf_cert = serf_ssl_cert_certificate(cert, scratch_pool);
116
117 san = svn_hash_gets(serf_cert, "subjectAltName");
118 /* Try to find matching server name via subjectAltName first... */
119- if (san) {
120+ if (san)
121+ {
122 int i;
123- for (i = 0; i < san->nelts; i++) {
124+ found_san_entry = san->nelts > 0;
125+ for (i = 0; i < san->nelts; i++)
126+ {
127 const char *s = APR_ARRAY_IDX(san, i, const char*);
128- if (apr_fnmatch(s, conn->session->session_url.hostname,
129- APR_FNM_PERIOD | APR_FNM_CASE_BLIND) == APR_SUCCESS)
130- {
131- found_matching_hostname = 1;
132+ svn_string_t *cert_hostname = svn_string_create(s, scratch_pool);
133+
134+ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
135+ {
136+ found_matching_hostname = TRUE;
137 break;
138- }
139- }
140- }
141+ }
142+ }
143+ }
144
145- /* Match server certificate CN with the hostname of the server */
146- if (!found_matching_hostname)
147+ /* Match server certificate CN with the hostname of the server iff
148+ * we didn't find any subjectAltName fields and try to match them.
149+ * Per RFC 2818 they are authoritative if present and CommonName
150+ * should be ignored. */
151+ if (!found_matching_hostname && !found_san_entry)
152 {
153 const char *hostname = NULL;
154
155@@ -314,13 +324,20 @@ ssl_server_cert(void *baton, int failures,
156 if (subject)
157 hostname = svn_hash_gets(subject, "CN");
158
159- if (!hostname
160- || apr_fnmatch(hostname, conn->session->session_url.hostname,
161- APR_FNM_PERIOD | APR_FNM_CASE_BLIND) != APR_SUCCESS)
162- {
163- svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
164- }
165- }
166+ if (hostname)
167+ {
168+ svn_string_t *cert_hostname = svn_string_create(hostname,
169+ scratch_pool);
170+
171+ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
172+ {
173+ found_matching_hostname = TRUE;
174+ }
175+ }
176+ }
177+
178+ if (!found_matching_hostname)
179+ svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
180 }
181
182 if (!svn_failures)
183Index: subversion/libsvn_subr/dirent_uri.c
184===================================================================
185--- subversion/libsvn_subr/dirent_uri.c (revision 1615128)
186+++ subversion/libsvn_subr/dirent_uri.c (working copy)
187@@ -38,6 +38,7 @@
188
189 #include "dirent_uri.h"
190 #include "private/svn_fspath.h"
191+#include "private/svn_cert.h"
192
193 /* The canonical empty path. Can this be changed? Well, change the empty
194 test below and the path library will work, not so sure about the fs/wc
195@@ -2597,3 +2598,81 @@ svn_urlpath__canonicalize(const char *uri,
196 }
197 return uri;
198 }
199+
200+
201+/* -------------- The cert API (see private/svn_cert.h) ------------- */
202+
203+svn_boolean_t
204+svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname)
205+{
206+ apr_size_t pattern_pos = 0, hostname_pos = 0;
207+
208+ /* support leading wildcards that composed of the only character in the
209+ * left-most label. */
210+ if (pattern->len >= 2 &&
211+ pattern->data[pattern_pos] == '*' &&
212+ pattern->data[pattern_pos + 1] == '.')
213+ {
214+ while (hostname_pos < hostname->len &&
215+ hostname->data[hostname_pos] != '.')
216+ {
217+ hostname_pos++;
218+ }
219+ /* Assume that the wildcard must match something. Rule 2 says
220+ * that *.example.com should not match example.com. If the wildcard
221+ * ends up not matching anything then it matches .example.com which
222+ * seems to be essentially the same as just example.com */
223+ if (hostname_pos == 0)
224+ return FALSE;
225+
226+ pattern_pos++;
227+ }
228+
229+ while (pattern_pos < pattern->len && hostname_pos < hostname->len)
230+ {
231+ char pattern_c = pattern->data[pattern_pos];
232+ char hostname_c = hostname->data[hostname_pos];
233+
234+ /* fold case as described in RFC 4343.
235+ * Note: We actually convert to lowercase, since our URI
236+ * canonicalization code converts to lowercase and generally
237+ * most certs are issued with lowercase DNS names, meaning
238+ * this avoids the fold operation in most cases. The RFC
239+ * suggests the opposite transformation, but doesn't require
240+ * any specific implementation in any case. It is critical
241+ * that this folding be locale independent so you can't use
242+ * tolower(). */
243+ pattern_c = canonicalize_to_lower(pattern_c);
244+ hostname_c = canonicalize_to_lower(hostname_c);
245+
246+ if (pattern_c != hostname_c)
247+ {
248+ /* doesn't match */
249+ return FALSE;
250+ }
251+ else
252+ {
253+ /* characters match so skip both */
254+ pattern_pos++;
255+ hostname_pos++;
256+ }
257+ }
258+
259+ /* ignore a trailing period on the hostname since this has no effect on the
260+ * security of the matching. See the following for the long explanation as
261+ * to why:
262+ * https://bugzilla.mozilla.org/show_bug.cgi?id=134402#c28
263+ */
264+ if (pattern_pos == pattern->len &&
265+ hostname_pos == hostname->len - 1 &&
266+ hostname->data[hostname_pos] == '.')
267+ hostname_pos++;
268+
269+ if (pattern_pos != pattern->len || hostname_pos != hostname->len)
270+ {
271+ /* end didn't match */
272+ return FALSE;
273+ }
274+
275+ return TRUE;
276+}
277Index: subversion/tests/libsvn_subr/dirent_uri-test.c
278===================================================================
279--- subversion/tests/libsvn_subr/dirent_uri-test.c (revision 1615128)
280+++ subversion/tests/libsvn_subr/dirent_uri-test.c (working copy)
281@@ -37,6 +37,7 @@
282 #include "svn_pools.h"
283 #include "svn_dirent_uri.h"
284 #include "private/svn_fspath.h"
285+#include "private/svn_cert.h"
286
287 #include "../svn_test.h"
288
289@@ -2714,6 +2715,145 @@ test_fspath_get_longest_ancestor(apr_pool_t *pool)
290 return SVN_NO_ERROR;
291 }
292
293+struct cert_match_dns_test {
294+ const char *pattern;
295+ const char *hostname;
296+ svn_boolean_t expected;
297+};
298+
299+static svn_error_t *
300+run_cert_match_dns_tests(struct cert_match_dns_test *tests, apr_pool_t *pool)
301+{
302+ struct cert_match_dns_test *ct;
303+ apr_pool_t *iterpool = svn_pool_create(pool);
304+
305+ for (ct = tests; ct->pattern; ct++)
306+ {
307+ svn_boolean_t result;
308+ svn_string_t *pattern, *hostname;
309+
310+ svn_pool_clear(iterpool);
311+
312+ pattern = svn_string_create(ct->pattern, iterpool);
313+ hostname = svn_string_create(ct->hostname, iterpool);
314+
315+ result = svn_cert__match_dns_identity(pattern, hostname);
316+ if (result != ct->expected)
317+ return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
318+ "Expected %s but got %s for pattern '%s' on "
319+ "hostname '%s'",
320+ ct->expected ? "match" : "no match",
321+ result ? "match" : "no match",
322+ pattern->data, hostname->data);
323+
324+ }
325+
326+ svn_pool_destroy(iterpool);
327+
328+ return SVN_NO_ERROR;
329+}
330+
331+static struct cert_match_dns_test cert_match_dns_tests[] = {
332+ { "foo.example.com", "foo.example.com", TRUE }, /* exact match */
333+ { "foo.example.com", "FOO.EXAMPLE.COM", TRUE }, /* case differences */
334+ { "FOO.EXAMPLE.COM", "foo.example.com", TRUE },
335+ { "*.example.com", "FoO.ExAmPlE.CoM", TRUE },
336+ { "*.ExAmPlE.CoM", "foo.example.com", TRUE },
337+ { "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", TRUE },
338+ { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", TRUE },
339+ { "foo.example.com", "bar.example.com", FALSE }, /* difference at start */
340+ { "foo.example.com", "foo.example.net", FALSE }, /* difference at end */
341+ { "foo.example.com", "foo.example.commercial", FALSE }, /* hostname longer */
342+ { "foo.example.commercial", "foo.example.com", FALSE }, /* pattern longer */
343+ { "foo.example.comcom", "foo.example.com", FALSE }, /* repeated suffix */
344+ { "foo.example.com", "foo.example.comcom", FALSE },
345+ { "foo.example.com.com", "foo.example.com", FALSE },
346+ { "foo.example.com", "foo.example.com.com", FALSE },
347+ { "foofoo.example.com", "foo.example.com", FALSE }, /* repeated prefix */
348+ { "foo.example.com", "foofoo.example.com", FALSE },
349+ { "foo.foo.example.com", "foo.example.com", FALSE },
350+ { "foo.example.com", "foo.foo.example.com", FALSE },
351+ { "foo.*.example.com", "foo.bar.example.com", FALSE }, /* RFC 6125 s. 6.4.3
352+ Rule 1 */
353+ { "*.example.com", "foo.example.com", TRUE }, /* RFC 6125 s. 6.4.3 Rule 2 */
354+ { "*.example.com", "bar.foo.example.com", FALSE }, /* Rule 2 */
355+ { "*.example.com", "example.com", FALSE }, /* Rule 2 */
356+ { "*.example.com", ".example.com", FALSE }, /* RFC doesn't say what to do
357+ here and a leading period on
358+ a hostname doesn't make sense
359+ so we'll just reject this. */
360+ { "*", "foo.example.com", FALSE }, /* wildcard must be left-most label,
361+ implies that there must be more than
362+ one label. */
363+ { "*", "example.com", FALSE },
364+ { "*", "com", FALSE },
365+ { "*.example.com", "foo.example.net", FALSE }, /* difference in literal text
366+ with a wildcard. */
367+ { "*.com", "example.com", TRUE }, /* See Errata ID 3090 for RFC 6125,
368+ probably shouldn't allow this but
369+ we do for now. */
370+ { "*.", "example.com", FALSE }, /* test some dubious 2 character wildcard
371+ patterns */
372+ { "*.", "example.", TRUE }, /* This one feels questionable */
373+ { "*.", "example", FALSE },
374+ { "*.", ".", FALSE },
375+ { "a", "a", TRUE }, /* check that single letter exact matches work */
376+ { "a", "b", FALSE }, /* and single letter not matches shouldn't */
377+ { "*.*.com", "foo.example.com", FALSE }, /* unsupported wildcards */
378+ { "*.*.com", "example.com", FALSE },
379+ { "**.example.com", "foo.example.com", FALSE },
380+ { "**.example.com", "example.com", FALSE },
381+ { "f*.example.com", "foo.example.com", FALSE },
382+ { "f*.example.com", "bar.example.com", FALSE },
383+ { "*o.example.com", "foo.example.com", FALSE },
384+ { "*o.example.com", "bar.example.com", FALSE },
385+ { "f*o.example.com", "foo.example.com", FALSE },
386+ { "f*o.example.com", "bar.example.com", FALSE },
387+ { "foo.e*.com", "foo.example.com", FALSE },
388+ { "foo.*e.com", "foo.example.com", FALSE },
389+ { "foo.e*e.com", "foo.example.com", FALSE },
390+ { "foo.example.com", "foo.example.com.", TRUE }, /* trailing dot */
391+ { "*.example.com", "foo.example.com.", TRUE },
392+ { "foo", "foo.", TRUE },
393+ { "foo.example.com.", "foo.example.com", FALSE },
394+ { "*.example.com.", "foo.example.com", FALSE },
395+ { "foo.", "foo", FALSE },
396+ { "foo.example.com", "foo.example.com..", FALSE },
397+ { "*.example.com", "foo.example.com..", FALSE },
398+ { "foo", "foo..", FALSE },
399+ { "foo.example.com..", "foo.example.com", FALSE },
400+ { "*.example.com..", "foo.example.com", FALSE },
401+ { "foo..", "foo", FALSE },
402+ { NULL }
403+};
404+
405+static svn_error_t *
406+test_cert_match_dns_identity(apr_pool_t *pool)
407+{
408+ return run_cert_match_dns_tests(cert_match_dns_tests, pool);
409+}
410+
411+/* This test table implements results that should happen if we supported
412+ * RFC 6125 s. 6.4.3 Rule 3. We don't so it's expected to fail for now. */
413+static struct cert_match_dns_test rule3_tests[] = {
414+ { "baz*.example.net", "baz1.example.net", TRUE },
415+ { "*baz.example.net", "foobaz.example.net", TRUE },
416+ { "b*z.example.net", "buuz.example.net", TRUE },
417+ { "b*z.example.net", "bz.example.net", FALSE }, /* presume wildcard can't
418+ match nothing */
419+ { "baz*.example.net", "baz.example.net", FALSE },
420+ { "*baz.example.net", "baz.example.net", FALSE },
421+ { "b*z.example.net", "buuzuuz.example.net", TRUE }, /* presume wildcard
422+ should be greedy */
423+ { NULL }
424+};
425+
426+static svn_error_t *
427+test_rule3(apr_pool_t *pool)
428+{
429+ return run_cert_match_dns_tests(rule3_tests, pool);
430+}
431+
432
433 /* The test table. */
434
435@@ -2812,5 +2952,9 @@ struct svn_test_descriptor_t test_funcs[] =
436 "test svn_fspath__dirname/basename/split"),
437 SVN_TEST_PASS2(test_fspath_get_longest_ancestor,
438 "test svn_fspath__get_longest_ancestor"),
439+ SVN_TEST_PASS2(test_cert_match_dns_identity,
440+ "test svn_cert__match_dns_identity"),
441+ SVN_TEST_XFAIL2(test_rule3,
442+ "test match with RFC 6125 s. 6.4.3 Rule 3"),
443 SVN_TEST_NULL
444 };
diff --git a/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch
new file mode 100644
index 0000000000..03d5b9710f
--- /dev/null
+++ b/meta/recipes-devtools/subversion/subversion/subversion-CVE-2014-3522.patch
@@ -0,0 +1,439 @@
1Upstream-Status: Backport
2
3Signed-off-by: Yue Tao <yue.tao@windriver.com>
4
5diff --git a/subversion/libsvn_ra_serf/util.c.old b/subversion/libsvn_ra_serf/util.c
6index b6c0141..8b09770 100644
7--- a/subversion/libsvn_ra_serf/util.c.old
8+++ b/subversion/libsvn_ra_serf/util.c
9@@ -21,7 +21,6 @@
10 #define APR_WANT_STRFUNC
11 #include <apr.h>
12 #include <apr_want.h>
13-#include <apr_fnmatch.h>
14
15 #include <serf.h>
16 #include <serf_bucket_types.h>
17@@ -30,6 +29,7 @@
18 #include "svn_private_config.h"
19 #include "svn_xml.h"
20 #include "private/svn_dep_compat.h"
21+#include "private/svn_cert.h"
22
23 #include "ra_serf.h"
24
25@@ -113,7 +113,12 @@ ssl_server_cert(void *baton, int failures,
26 apr_uint32_t svn_failures;
27 svn_error_t *err;
28 apr_hash_t *issuer, *subject, *serf_cert;
29+ apr_array_header_t *san;
30 void *creds;
31+ svn_boolean_t found_matching_hostname = FALSE;
32+ svn_boolean_t found_san_entry = FALSE;
33+ svn_string_t *actual_hostname =
34+ svn_string_create(conn->hostname, scratch_pool);
35
36 /* Implicitly approve any non-server certs. */
37 if (serf_ssl_cert_depth(cert) > 0)
38@@ -129,6 +134,7 @@ ssl_server_cert(void *baton, int failures,
39 serf_cert = serf_ssl_cert_certificate(cert, subpool);
40
41 cert_info.hostname = apr_hash_get(subject, "CN", APR_HASH_KEY_STRING);
42+ san = apr_hash_get(serf_cert, "subjectAltName", APR_HASH_KEY_STRING);
43 cert_info.fingerprint = apr_hash_get(serf_cert, "sha1", APR_HASH_KEY_STRING);
44 if (! cert_info.fingerprint)
45 cert_info.fingerprint = apr_pstrdup(subpool, "<unknown>");
46@@ -145,16 +145,43 @@ ssl_server_cert(void *baton, int failures,
47
48 svn_failures = ssl_convert_serf_failures(failures);
49
50- /* Match server certificate CN with the hostname of the server */
51- if (cert_info.hostname)
52+ /* Try to find matching server name via subjectAltName first... */
53+ if (san)
54 {
55- if (apr_fnmatch(cert_info.hostname, conn->hostinfo,
56- APR_FNM_PERIOD) == APR_FNM_NOMATCH)
57+ int i;
58+ found_san_entry = san->nelts > 0;
59+ for (i = 0; i < san->nelts; i++)
60 {
61- svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
62+ char *s = APR_ARRAY_IDX(san, i, char*);
63+ svn_string_t *cert_hostname = svn_string_create(s, scratch_pool);
64+
65+ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
66+ {
67+ found_matching_hostname = TRUE;
68+ cert_info.hostname = s;
69+ break;
70+ }
71 }
72 }
73
74+ /* Match server certificate CN with the hostname of the server iff
75+ * we didn't find any subjectAltName fields and try to match them.
76+ * Per RFC 2818 they are authoritative if present and CommonName
77+ * should be ignored. */
78+ if (!found_matching_hostname && !found_san_entry && cert_info.hostname)
79+ {
80+ svn_string_t *cert_hostname = svn_string_create(cert_info.hostname,
81+ scratch_pool);
82+
83+ if (svn_cert__match_dns_identity(cert_hostname, actual_hostname))
84+ {
85+ found_matching_hostname = TRUE;
86+ }
87+ }
88+
89+ if (!found_matching_hostname)
90+ svn_failures |= SVN_AUTH_SSL_CNMISMATCH;
91+
92 svn_auth_set_parameter(conn->session->wc_callbacks->auth_baton,
93 SVN_AUTH_PARAM_SSL_SERVER_FAILURES,
94 &svn_failures);
95@@ -261,6 +293,10 @@ svn_ra_serf__conn_setup(apr_socket_t *sock,
96 if (!conn->ssl_context)
97 {
98 conn->ssl_context = serf_bucket_ssl_encrypt_context_get(rb);
99+
100+#if SERF_VERSION_AT_LEAST(1,0,0)
101+ serf_ssl_set_hostname(conn->ssl_context, conn->hostinfo);
102+#endif
103
104 serf_ssl_client_cert_provider_set(conn->ssl_context,
105 svn_ra_serf__handle_client_cert,
106diff --git a/subversion/libsvn_subr/dirent_uri.c.old b/subversion/libsvn_subr/dirent_uri.c
107index eef99ba..a5f9e7e 100644
108--- a/subversion/libsvn_subr/dirent_uri.c.old
109+++ b/subversion/libsvn_subr/dirent_uri.c
110@@ -30,6 +30,7 @@
111 #include "svn_path.h"
112
113 #include "private_uri.h"
114+#include "private/svn_cert.h"
115
116 /* The canonical empty path. Can this be changed? Well, change the empty
117 test below and the path library will work, not so sure about the fs/wc
118@@ -1194,3 +1195,81 @@ svn_uri_is_canonical(const char *uri, apr_pool_t *pool)
119
120 return TRUE;
121 }
122+
123+
124+/* -------------- The cert API (see private/svn_cert.h) ------------- */
125+
126+svn_boolean_t
127+svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname)
128+{
129+ apr_size_t pattern_pos = 0, hostname_pos = 0;
130+
131+ /* support leading wildcards that composed of the only character in the
132+ * left-most label. */
133+ if (pattern->len >= 2 &&
134+ pattern->data[pattern_pos] == '*' &&
135+ pattern->data[pattern_pos + 1] == '.')
136+ {
137+ while (hostname_pos < hostname->len &&
138+ hostname->data[hostname_pos] != '.')
139+ {
140+ hostname_pos++;
141+ }
142+ /* Assume that the wildcard must match something. Rule 2 says
143+ * that *.example.com should not match example.com. If the wildcard
144+ * ends up not matching anything then it matches .example.com which
145+ * seems to be essentially the same as just example.com */
146+ if (hostname_pos == 0)
147+ return FALSE;
148+
149+ pattern_pos++;
150+ }
151+
152+ while (pattern_pos < pattern->len && hostname_pos < hostname->len)
153+ {
154+ char pattern_c = pattern->data[pattern_pos];
155+ char hostname_c = hostname->data[hostname_pos];
156+
157+ /* fold case as described in RFC 4343.
158+ * Note: We actually convert to lowercase, since our URI
159+ * canonicalization code converts to lowercase and generally
160+ * most certs are issued with lowercase DNS names, meaning
161+ * this avoids the fold operation in most cases. The RFC
162+ * suggests the opposite transformation, but doesn't require
163+ * any specific implementation in any case. It is critical
164+ * that this folding be locale independent so you can't use
165+ * tolower(). */
166+ pattern_c = canonicalize_to_lower(pattern_c);
167+ hostname_c = canonicalize_to_lower(hostname_c);
168+
169+ if (pattern_c != hostname_c)
170+ {
171+ /* doesn't match */
172+ return FALSE;
173+ }
174+ else
175+ {
176+ /* characters match so skip both */
177+ pattern_pos++;
178+ hostname_pos++;
179+ }
180+ }
181+
182+ /* ignore a trailing period on the hostname since this has no effect on the
183+ * security of the matching. See the following for the long explanation as
184+ * to why:
185+ * https://bugzilla.mozilla.org/show_bug.cgi?id=134402#c28
186+ */
187+ if (pattern_pos == pattern->len &&
188+ hostname_pos == hostname->len - 1 &&
189+ hostname->data[hostname_pos] == '.')
190+ hostname_pos++;
191+
192+ if (pattern_pos != pattern->len || hostname_pos != hostname->len)
193+ {
194+ /* end didn't match */
195+ return FALSE;
196+ }
197+
198+ return TRUE;
199+}
200diff --git a/subversion/tests/libsvn_subr/dirent_uri-test.c.old b/subversion/tests/libsvn_subr/dirent_uri-test.c
201index d71d9c1..370b64a 100644
202--- a/subversion/tests/libsvn_subr/dirent_uri-test.c.old
203+++ b/subversion/tests/libsvn_subr/dirent_uri-test.c
204@@ -31,6 +31,7 @@
205
206 #include "svn_pools.h"
207 #include "svn_dirent_uri.h"
208+#include "private/svn_cert.h"
209
210 #include "../svn_test.h"
211 #include "../../libsvn_subr/private_uri.h"
212@@ -1671,6 +1672,145 @@ test_uri_internal_style(const char **msg,
213 return SVN_NO_ERROR;
214 }
215
216+struct cert_match_dns_test {
217+ const char *pattern;
218+ const char *hostname;
219+ svn_boolean_t expected;
220+};
221+
222+static svn_error_t *
223+run_cert_match_dns_tests(struct cert_match_dns_test *tests, apr_pool_t *pool)
224+{
225+ struct cert_match_dns_test *ct;
226+ apr_pool_t *iterpool = svn_pool_create(pool);
227+
228+ for (ct = tests; ct->pattern; ct++)
229+ {
230+ svn_boolean_t result;
231+ svn_string_t *pattern, *hostname;
232+
233+ svn_pool_clear(iterpool);
234+
235+ pattern = svn_string_create(ct->pattern, iterpool);
236+ hostname = svn_string_create(ct->hostname, iterpool);
237+
238+ result = svn_cert__match_dns_identity(pattern, hostname);
239+ if (result != ct->expected)
240+ return svn_error_createf(SVN_ERR_TEST_FAILED, NULL,
241+ "Expected %s but got %s for pattern '%s' on "
242+ "hostname '%s'",
243+ ct->expected ? "match" : "no match",
244+ result ? "match" : "no match",
245+ pattern->data, hostname->data);
246+
247+ }
248+
249+ svn_pool_destroy(iterpool);
250+
251+ return SVN_NO_ERROR;
252+}
253+
254+static struct cert_match_dns_test cert_match_dns_tests[] = {
255+ { "foo.example.com", "foo.example.com", TRUE }, /* exact match */
256+ { "foo.example.com", "FOO.EXAMPLE.COM", TRUE }, /* case differences */
257+ { "FOO.EXAMPLE.COM", "foo.example.com", TRUE },
258+ { "*.example.com", "FoO.ExAmPlE.CoM", TRUE },
259+ { "*.ExAmPlE.CoM", "foo.example.com", TRUE },
260+ { "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz", TRUE },
261+ { "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ", TRUE },
262+ { "foo.example.com", "bar.example.com", FALSE }, /* difference at start */
263+ { "foo.example.com", "foo.example.net", FALSE }, /* difference at end */
264+ { "foo.example.com", "foo.example.commercial", FALSE }, /* hostname longer */
265+ { "foo.example.commercial", "foo.example.com", FALSE }, /* pattern longer */
266+ { "foo.example.comcom", "foo.example.com", FALSE }, /* repeated suffix */
267+ { "foo.example.com", "foo.example.comcom", FALSE },
268+ { "foo.example.com.com", "foo.example.com", FALSE },
269+ { "foo.example.com", "foo.example.com.com", FALSE },
270+ { "foofoo.example.com", "foo.example.com", FALSE }, /* repeated prefix */
271+ { "foo.example.com", "foofoo.example.com", FALSE },
272+ { "foo.foo.example.com", "foo.example.com", FALSE },
273+ { "foo.example.com", "foo.foo.example.com", FALSE },
274+ { "foo.*.example.com", "foo.bar.example.com", FALSE }, /* RFC 6125 s. 6.4.3
275+ Rule 1 */
276+ { "*.example.com", "foo.example.com", TRUE }, /* RFC 6125 s. 6.4.3 Rule 2 */
277+ { "*.example.com", "bar.foo.example.com", FALSE }, /* Rule 2 */
278+ { "*.example.com", "example.com", FALSE }, /* Rule 2 */
279+ { "*.example.com", ".example.com", FALSE }, /* RFC doesn't say what to do
280+ here and a leading period on
281+ a hostname doesn't make sense
282+ so we'll just reject this. */
283+ { "*", "foo.example.com", FALSE }, /* wildcard must be left-most label,
284+ implies that there must be more than
285+ one label. */
286+ { "*", "example.com", FALSE },
287+ { "*", "com", FALSE },
288+ { "*.example.com", "foo.example.net", FALSE }, /* difference in literal text
289+ with a wildcard. */
290+ { "*.com", "example.com", TRUE }, /* See Errata ID 3090 for RFC 6125,
291+ probably shouldn't allow this but
292+ we do for now. */
293+ { "*.", "example.com", FALSE }, /* test some dubious 2 character wildcard
294+ patterns */
295+ { "*.", "example.", TRUE }, /* This one feels questionable */
296+ { "*.", "example", FALSE },
297+ { "*.", ".", FALSE },
298+ { "a", "a", TRUE }, /* check that single letter exact matches work */
299+ { "a", "b", FALSE }, /* and single letter not matches shouldn't */
300+ { "*.*.com", "foo.example.com", FALSE }, /* unsupported wildcards */
301+ { "*.*.com", "example.com", FALSE },
302+ { "**.example.com", "foo.example.com", FALSE },
303+ { "**.example.com", "example.com", FALSE },
304+ { "f*.example.com", "foo.example.com", FALSE },
305+ { "f*.example.com", "bar.example.com", FALSE },
306+ { "*o.example.com", "foo.example.com", FALSE },
307+ { "*o.example.com", "bar.example.com", FALSE },
308+ { "f*o.example.com", "foo.example.com", FALSE },
309+ { "f*o.example.com", "bar.example.com", FALSE },
310+ { "foo.e*.com", "foo.example.com", FALSE },
311+ { "foo.*e.com", "foo.example.com", FALSE },
312+ { "foo.e*e.com", "foo.example.com", FALSE },
313+ { "foo.example.com", "foo.example.com.", TRUE }, /* trailing dot */
314+ { "*.example.com", "foo.example.com.", TRUE },
315+ { "foo", "foo.", TRUE },
316+ { "foo.example.com.", "foo.example.com", FALSE },
317+ { "*.example.com.", "foo.example.com", FALSE },
318+ { "foo.", "foo", FALSE },
319+ { "foo.example.com", "foo.example.com..", FALSE },
320+ { "*.example.com", "foo.example.com..", FALSE },
321+ { "foo", "foo..", FALSE },
322+ { "foo.example.com..", "foo.example.com", FALSE },
323+ { "*.example.com..", "foo.example.com", FALSE },
324+ { "foo..", "foo", FALSE },
325+ { NULL }
326+};
327+
328+static svn_error_t *
329+test_cert_match_dns_identity(apr_pool_t *pool)
330+{
331+ return run_cert_match_dns_tests(cert_match_dns_tests, pool);
332+}
333+
334+/* This test table implements results that should happen if we supported
335+ * RFC 6125 s. 6.4.3 Rule 3. We don't so it's expected to fail for now. */
336+static struct cert_match_dns_test rule3_tests[] = {
337+ { "baz*.example.net", "baz1.example.net", TRUE },
338+ { "*baz.example.net", "foobaz.example.net", TRUE },
339+ { "b*z.example.net", "buuz.example.net", TRUE },
340+ { "b*z.example.net", "bz.example.net", FALSE }, /* presume wildcard can't
341+ match nothing */
342+ { "baz*.example.net", "baz.example.net", FALSE },
343+ { "*baz.example.net", "baz.example.net", FALSE },
344+ { "b*z.example.net", "buuzuuz.example.net", TRUE }, /* presume wildcard
345+ should be greedy */
346+ { NULL }
347+};
348+
349+static svn_error_t *
350+test_rule3(apr_pool_t *pool)
351+{
352+ return run_cert_match_dns_tests(rule3_tests, pool);
353+}
354+
355
356 /* The test table. */
357
358@@ -1699,5 +1839,7 @@ struct svn_test_descriptor_t test_funcs[] =
359 SVN_TEST_PASS(test_uri_local_style),
360 SVN_TEST_PASS(test_dirent_internal_style),
361 SVN_TEST_PASS(test_uri_internal_style),
362+ SVN_TEST_PASS(test_cert_match_dns_identity),
363+ SVN_TEST_XFAIL(test_rule3),
364 SVN_TEST_NULL
365 };
366diff --git a/subversion/include/private/svn_cert.h b/subversion/include/private/svn_cert.h
367new file mode 100644
368index 0000000..32e32a0
369--- /dev/null
370+++ b/subversion/include/private/svn_cert.h
371@@ -0,0 +1,68 @@
372+/**
373+ * @copyright
374+ * ====================================================================
375+ * Licensed to the Apache Software Foundation (ASF) under one
376+ * or more contributor license agreements. See the NOTICE file
377+ * distributed with this work for additional information
378+ * regarding copyright ownership. The ASF licenses this file
379+ * to you under the Apache License, Version 2.0 (the
380+ * "License"); you may not use this file except in compliance
381+ * with the License. You may obtain a copy of the License at
382+ *
383+ * http://www.apache.org/licenses/LICENSE-2.0
384+ *
385+ * Unless required by applicable law or agreed to in writing,
386+ * software distributed under the License is distributed on an
387+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
388+ * KIND, either express or implied. See the License for the
389+ * specific language governing permissions and limitations
390+ * under the License.
391+ * ====================================================================
392+ * @endcopyright
393+ *
394+ * @file svn_cert.h
395+ * @brief Implementation of certificate validation functions
396+ */
397+
398+#ifndef SVN_CERT_H
399+#define SVN_CERT_H
400+
401+#include <apr.h>
402+
403+#include "svn_types.h"
404+#include "svn_string.h"
405+
406+#ifdef __cplusplus
407+extern "C" {
408+#endif /* __cplusplus */
409+
410+
411+/* Return TRUE iff @a pattern matches @a hostname as defined
412+ * by the matching rules of RFC 6125. In the context of RFC
413+ * 6125 the pattern is the domain name portion of the presented
414+ * identifier (which comes from the Common Name or a DNSName
415+ * portion of the subjectAltName of an X.509 certificate) and
416+ * the hostname is the source domain (i.e. the host portion
417+ * of the URI the user entered).
418+ *
419+ * @note With respect to wildcards we only support matching
420+ * wildcards in the left-most label and as the only character
421+ * in the left-most label (i.e. we support RFC 6125 ยง 6.4.3
422+ * Rule 1 and 2 but not the optional Rule 3). This may change
423+ * in the future.
424+ *
425+ * @note Subversion does not at current support internationalized
426+ * domain names. Both values are presumed to be in NR-LDH label
427+ * or A-label form (see RFC 5890 for the definition).
428+ *
429+ * @since New in 1.9.
430+ */
431+svn_boolean_t
432+svn_cert__match_dns_identity(svn_string_t *pattern, svn_string_t *hostname);
433+
434+
435+#ifdef __cplusplus
436+}
437+#endif /* __cplusplus */
438+
439+#endif /* SVN_CERT_H */
diff --git a/meta/recipes-devtools/subversion/subversion_1.6.15.bb b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
index 1bc637473b..6680ab6d34 100644
--- a/meta/recipes-devtools/subversion/subversion_1.6.15.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.6.15.bb
@@ -17,7 +17,9 @@ SRC_URI = "http://subversion.tigris.org/downloads/${BPN}-${PV}.tar.bz2 \
17 file://subversion-CVE-2013-4505.patch \ 17 file://subversion-CVE-2013-4505.patch \
18 file://subversion-CVE-2013-1845.patch \ 18 file://subversion-CVE-2013-1845.patch \
19 file://subversion-CVE-2013-1847-CVE-2013-1846.patch \ 19 file://subversion-CVE-2013-1847-CVE-2013-1846.patch \
20 file://subversion-CVE-2013-4277.patch" 20 file://subversion-CVE-2013-4277.patch \
21 file://subversion-CVE-2014-3522.patch \
22"
21 23
22SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69" 24SRC_URI[md5sum] = "113fca1d9e4aa389d7dc2b210010fa69"
23SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45" 25SRC_URI[sha256sum] = "b2919d603a5f3c19f42e3265c4b930e2376c43b3969b90ef9c42b2f72d5aaa45"
diff --git a/meta/recipes-devtools/subversion/subversion_1.8.9.bb b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
index d134a5352c..e1ab945896 100644
--- a/meta/recipes-devtools/subversion/subversion_1.8.9.bb
+++ b/meta/recipes-devtools/subversion/subversion_1.8.9.bb
@@ -12,6 +12,7 @@ inherit gettext
12SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \ 12SRC_URI = "${APACHE_MIRROR}/${BPN}/${BPN}-${PV}.tar.bz2 \
13 file://libtool2.patch \ 13 file://libtool2.patch \
14 file://disable_macos.patch \ 14 file://disable_macos.patch \
15 file://subversion-CVE-2014-3522.patch;striplevel=0 \
15" 16"
16SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db" 17SRC_URI[md5sum] = "bd495517a760ddd764ce449a891971db"
17SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33" 18SRC_URI[sha256sum] = "45d708a5c3ffbef4b2a1044c4716a053e680763743d1f7ba99d0369f6da49e33"
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2025-10-26 22:52:20 +0000