Skip to content

Commit df3141f

Browse files
mhdawsonkumarak
authored andcommitted
src: add cve reverts and associated tests
Signed-off-by: Michael Dawson <mdawson@devrus.com> Co-authored-by: Akshay K <iit.akshay@gmail.com> Backport-PR-URL: nodejs-private/node-private#303 PR-URL: nodejs-private/node-private#300 Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
1 parent 1f7fdff commit df3141f

File tree

6 files changed

+515
-3
lines changed

6 files changed

+515
-3
lines changed

lib/tls.js

Lines changed: 19 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,7 @@ const net = require('net');
6060
const { getOptionValue } = require('internal/options');
6161
const { getRootCertificates, getSSLCiphers } = internalBinding('crypto');
6262
const { Buffer } = require('buffer');
63+
const { URL } = require('internal/url'); // Only used for Security Revert
6364
const { canonicalizeIP } = internalBinding('cares_wrap');
6465
const _tls_common = require('_tls_common');
6566
const _tls_wrap = require('_tls_wrap');
@@ -274,6 +275,7 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
274275
const subject = cert.subject;
275276
const altNames = cert.subjectaltname;
276277
const dnsNames = [];
278+
const uriNames = [];
277279
const ips = [];
278280

279281
hostname = '' + hostname;
@@ -285,6 +287,12 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
285287
ArrayPrototypeForEach(splitAltNames, (name) => {
286288
if (StringPrototypeStartsWith(name, 'DNS:')) {
287289
ArrayPrototypePush(dnsNames, StringPrototypeSlice(name, 4));
290+
} else if (process.REVERT_CVE_2021_44531 &&
291+
StringPrototypeStartsWith(name, 'URI:')) {
292+
const uri = new URL(StringPrototypeSlice(name, 4));
293+
294+
// TODO(bnoordhuis) Also use scheme.
295+
ArrayPrototypePush(uriNames, uri.hostname);
288296
} else if (StringPrototypeStartsWith(name, 'IP Address:')) {
289297
ArrayPrototypePush(ips, canonicalizeIP(StringPrototypeSlice(name, 11)));
290298
}
@@ -294,19 +302,27 @@ exports.checkServerIdentity = function checkServerIdentity(hostname, cert) {
294302
let valid = false;
295303
let reason = 'Unknown reason';
296304

305+
const hasAltNames =
306+
dnsNames.length > 0 || ips.length > 0 || uriNames.length > 0;
307+
297308
hostname = unfqdn(hostname); // Remove trailing dot for error messages.
298309

299310
if (net.isIP(hostname)) {
300311
valid = ArrayPrototypeIncludes(ips, canonicalizeIP(hostname));
301312
if (!valid)
302313
reason = `IP: ${hostname} is not in the cert's list: ` +
303314
ArrayPrototypeJoin(ips, ', ');
304-
} else if (dnsNames.length > 0 || subject?.CN) {
315+
// TODO(bnoordhuis) Also check URI SANs that are IP addresses.
316+
} else if ((process.REVERT_CVE_2021_44531 && (hasAltNames || subject)) ||
317+
(dnsNames.length > 0 || subject?.CN)) {
305318
const hostParts = splitHost(hostname);
306319
const wildcard = (pattern) => check(hostParts, pattern, true);
307320

308-
if (dnsNames.length > 0) {
309-
valid = ArrayPrototypeSome(dnsNames, wildcard);
321+
if ((process.REVERT_CVE_2021_44531 && hasAltNames) ||
322+
(dnsNames.length > 0)) {
323+
const noWildcard = (pattern) => check(hostParts, pattern, false);
324+
valid = ArrayPrototypeSome(dnsNames, wildcard) ||
325+
ArrayPrototypeSome(uriNames, noWildcard);
310326
if (!valid)
311327
reason =
312328
`Host: ${hostname}. is not in the cert's altnames: ${altNames}`;

src/crypto/crypto_common.cc

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@
66
#include "crypto/crypto_common.h"
77
#include "node.h"
88
#include "node_internals.h"
9+
#include "node_revert.h"
910
#include "node_url.h"
1011
#include "string_bytes.h"
1112
#include "memory_tracker-inl.h"
@@ -620,6 +621,44 @@ MaybeLocal<Value> GetValidFrom(
620621
return ToV8Value(env, bio);
621622
}
622623

624+
// deprecated, only used for security revert
625+
bool SafeX509ExtPrint(const BIOPointer& out, X509_EXTENSION* ext) {
626+
const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
627+
628+
if (method != X509V3_EXT_get_nid(NID_subject_alt_name))
629+
return false;
630+
631+
GENERAL_NAMES* names = static_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(ext));
632+
if (names == nullptr)
633+
return false;
634+
635+
for (int i = 0; i < sk_GENERAL_NAME_num(names); i++) {
636+
GENERAL_NAME* gen = sk_GENERAL_NAME_value(names, i);
637+
638+
if (i != 0)
639+
BIO_write(out.get(), ", ", 2);
640+
641+
if (gen->type == GEN_DNS) {
642+
ASN1_IA5STRING* name = gen->d.dNSName;
643+
644+
BIO_write(out.get(), "DNS:", 4);
645+
BIO_write(out.get(), name->data, name->length);
646+
} else {
647+
STACK_OF(CONF_VALUE)* nval = i2v_GENERAL_NAME(
648+
const_cast<X509V3_EXT_METHOD*>(method), gen, nullptr);
649+
if (nval == nullptr) {
650+
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
651+
return false;
652+
}
653+
X509V3_EXT_val_prn(out.get(), nval, 0, 0);
654+
sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
655+
}
656+
}
657+
sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
658+
659+
return true;
660+
}
661+
623662
static inline bool IsSafeAltName(const char* name, size_t length, bool utf8) {
624663
for (size_t i = 0; i < length; i++) {
625664
char c = name[i];
@@ -844,6 +883,10 @@ bool SafeX509SubjectAltNamePrint(const BIOPointer& out, X509_EXTENSION* ext) {
844883
const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
845884
CHECK(method == X509V3_EXT_get_nid(NID_subject_alt_name));
846885

886+
if (IsReverted(SECURITY_REVERT_CVE_2021_44532)) {
887+
return SafeX509ExtPrint(out, ext);
888+
}
889+
847890
GENERAL_NAMES* names = static_cast<GENERAL_NAMES*>(X509V3_EXT_d2i(ext));
848891
if (names == nullptr)
849892
return false;
@@ -869,6 +912,10 @@ bool SafeX509InfoAccessPrint(const BIOPointer& out, X509_EXTENSION* ext) {
869912
const X509V3_EXT_METHOD* method = X509V3_EXT_get(ext);
870913
CHECK(method == X509V3_EXT_get_nid(NID_info_access));
871914

915+
if (IsReverted(SECURITY_REVERT_CVE_2021_44532)) {
916+
return (X509V3_EXT_print(out.get(), ext, 0, 0) == 1);
917+
}
918+
872919
AUTHORITY_INFO_ACCESS* descs =
873920
static_cast<AUTHORITY_INFO_ACCESS*>(X509V3_EXT_d2i(ext));
874921
if (descs == nullptr)

src/node_revert.h

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,8 @@
1616
namespace node {
1717

1818
#define SECURITY_REVERSIONS(XX) \
19+
XX(CVE_2021_44531, "CVE-2021-44531", "Cert Verif Bypass via URI SAN") \
20+
XX(CVE_2021_44532, "CVE-2021-44532", "Cert Verif Bypass via Str Inject") \
1921
// XX(CVE_2016_PEND, "CVE-2016-PEND", "Vulnerability Title")
2022

2123
enum reversion {
Lines changed: 50 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,50 @@
1+
// Flags: --security-revert=CVE-2021-44531
2+
'use strict';
3+
const common = require('../common');
4+
5+
if (!common.hasCrypto)
6+
common.skip('missing crypto');
7+
8+
const assert = require('assert');
9+
const util = require('util');
10+
11+
const tls = require('tls');
12+
13+
const tests = [
14+
// Likewise for "URI:" Subject Alternative Names.
15+
// See also https://github.com/nodejs/node/issues/8108.
16+
{
17+
host: '8.8.8.8',
18+
cert: { subject: { CN: '8.8.8.8' }, subjectaltname: 'URI:http://8.8.8.8/' },
19+
error: 'IP: 8.8.8.8 is not in the cert\'s list: '
20+
},
21+
// Empty Subject w/URI name
22+
{
23+
host: 'a.b.a.com', cert: {
24+
subjectaltname: 'URI:http://a.b.a.com/',
25+
}
26+
},
27+
// URI names
28+
{
29+
host: 'a.b.a.com', cert: {
30+
subjectaltname: 'URI:http://a.b.a.com/',
31+
subject: {}
32+
}
33+
},
34+
{
35+
host: 'a.b.a.com', cert: {
36+
subjectaltname: 'URI:http://*.b.a.com/',
37+
subject: {}
38+
},
39+
error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' +
40+
'URI:http://*.b.a.com/'
41+
},
42+
];
43+
44+
tests.forEach(function(test, i) {
45+
const err = tls.checkServerIdentity(test.host, test.cert);
46+
assert.strictEqual(err && err.reason,
47+
test.error,
48+
`Test# ${i} failed: ${util.inspect(test)} \n` +
49+
`${test.error} != ${(err && err.reason)}`);
50+
});
Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
// Copyright Joyent, Inc. and other Node contributors.
2+
//
3+
// Permission is hereby granted, free of charge, to any person obtaining a
4+
// copy of this software and associated documentation files (the
5+
// "Software"), to deal in the Software without restriction, including
6+
// without limitation the rights to use, copy, modify, merge, publish,
7+
// distribute, sublicense, and/or sell copies of the Software, and to permit
8+
// persons to whom the Software is furnished to do so, subject to the
9+
// following conditions:
10+
//
11+
// The above copyright notice and this permission notice shall be included
12+
// in all copies or substantial portions of the Software.
13+
//
14+
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
15+
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
16+
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
17+
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
18+
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
19+
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
20+
// USE OR OTHER DEALINGS IN THE SOFTWARE.
21+
// Flags: --security-revert=CVE-2021-44532
22+
'use strict';
23+
const common = require('../common');
24+
if (!common.hasCrypto)
25+
common.skip('missing crypto');
26+
27+
// Check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408.
28+
29+
const assert = require('assert');
30+
const tls = require('tls');
31+
const fixtures = require('../common/fixtures');
32+
33+
const server = tls.createServer({
34+
key: fixtures.readSync(['0-dns', '0-dns-key.pem']),
35+
cert: fixtures.readSync(['0-dns', '0-dns-cert.pem'])
36+
}, common.mustCall((c) => {
37+
c.once('data', common.mustCall(() => {
38+
c.destroy();
39+
server.close();
40+
}));
41+
})).listen(0, common.mustCall(() => {
42+
const c = tls.connect(server.address().port, {
43+
rejectUnauthorized: false
44+
}, common.mustCall(() => {
45+
const cert = c.getPeerCertificate();
46+
assert.strictEqual(cert.subjectaltname,
47+
'DNS:good.example.org\0.evil.example.com, ' +
48+
'DNS:just-another.example.com, ' +
49+
'IP Address:8.8.8.8, ' +
50+
'IP Address:8.8.4.4, ' +
51+
'DNS:last.example.com');
52+
c.write('ok');
53+
}));
54+
}));

0 commit comments

Comments
 (0)