packages/eclipse-ecf
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2014-0363

Browse Source
This commit is contained in:
caodongxia 2020-12-14 09:44:46 +08:00
parent 37806d2c9c
commit b5051220c6
2 changed files with 593 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

587
CVE-2014-0363.patch Normal file
View File

@ -0,0 +1,587 @@
From 689ed4135ea36bed8d420eb11ca389499fa4a440 Mon Sep 17 00:00:00 2001
From: caodongxia <315816521@qq.com>
Date: Sat, 12 Dec 2020 14:25:15 +0800
Subject: [PATCH] CVE-2014-0363.patch
Reference: https://src.fedoraproject.org/rpms/smack/blob/48915f05037f5c246878f9b6a6fab78bfcd6c86f/f/smack-3.2.2-CVE-2014-0363.patch
diff --git a/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/ConnectionConfiguration.java b/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/ConnectionConfiguration.java
index 9eb7bb9..5c52561 100644
--- a/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/ConnectionConfiguration.java
+++ b/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/ConnectionConfiguration.java
@@ -27,7 +27,6 @@ import org.jivesoftware.smack.util.dns.HostAddress;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.security.auth.callback.CallbackHandler;
-import java.io.File;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
@@ -54,17 +53,9 @@ public class ConnectionConfiguration implements Cloneable {
private int port;
protected List<HostAddress> hostAddresses;
- private String truststorePath;
- private String truststoreType;
- private String truststorePassword;
private String keystorePath;
private String keystoreType;
private String pkcs11Library;
- private boolean verifyChainEnabled = false;
- private boolean verifyRootCAEnabled = false;
- private boolean selfSignedCertificateEnabled = false;
- private boolean expiredCertificatesCheckEnabled = false;
- private boolean notMatchingDomainCheckEnabled = false;
private SSLContext customSSLContext;
private boolean compressionEnabled = false;
@@ -190,18 +181,6 @@ public class ConnectionConfiguration implements Cloneable {
this.serviceName = serviceName;
this.proxy = proxy;
- // Build the default path to the cacert truststore file. By default we are
- // going to use the file located in $JREHOME/lib/security/cacerts.
- String javaHome = System.getProperty("java.home");
- StringBuilder buffer = new StringBuilder();
- buffer.append(javaHome).append(File.separator).append("lib");
- buffer.append(File.separator).append("security");
- buffer.append(File.separator).append("cacerts");
- truststorePath = buffer.toString();
- // Set the default store type
- truststoreType = "jks";
- // Set the default password of the cacert file that is "changeit"
- truststorePassword = "changeit";
keystorePath = System.getProperty("javax.net.ssl.keyStore");
keystoreType = "jks";
pkcs11Library = "pkcs11.config";
@@ -274,66 +253,6 @@ public class ConnectionConfiguration implements Cloneable {
this.securityMode = securityMode;
}
- /**
- * Retuns the path to the trust store file. The trust store file contains the root
- * certificates of several well known CAs. By default, will attempt to use the
- * the file located in $JREHOME/lib/security/cacerts.
- *
- * @return the path to the truststore file.
- */
- public String getTruststorePath() {
- return truststorePath;
- }
-
- /**
- * Sets the path to the trust store file. The truststore file contains the root
- * certificates of several well?known CAs. By default Smack is going to use
- * the file located in $JREHOME/lib/security/cacerts.
- *
- * @param truststorePath the path to the truststore file.
- */
- public void setTruststorePath(String truststorePath) {
- this.truststorePath = truststorePath;
- }
-
- /**
- * Returns the trust store type, or <tt>null</tt> if it's not set.
- *
- * @return the trust store type.
- */
- public String getTruststoreType() {
- return truststoreType;
- }
-
- /**
- * Sets the trust store type.
- *
- * @param truststoreType the trust store type.
- */
- public void setTruststoreType(String truststoreType) {
- this.truststoreType = truststoreType;
- }
-
- /**
- * Returns the password to use to access the trust store file. It is assumed that all
- * certificates share the same password in the trust store.
- *
- * @return the password to use to access the truststore file.
- */
- public String getTruststorePassword() {
- return truststorePassword;
- }
-
- /**
- * Sets the password to use to access the trust store file. It is assumed that all
- * certificates share the same password in the trust store.
- *
- * @param truststorePassword the password to use to access the truststore file.
- */
- public void setTruststorePassword(String truststorePassword) {
- this.truststorePassword = truststorePassword;
- }
-
/**
* Retuns the path to the keystore file. The key store file contains the
* certificates that may be used to authenticate the client to the server,
@@ -395,110 +314,6 @@ public class ConnectionConfiguration implements Cloneable {
this.pkcs11Library = pkcs11Library;
}
- /**
- * Returns true if the whole chain of certificates presented by the server are going to
- * be checked. By default the certificate chain is not verified.
- *
- * @return true if the whole chaing of certificates presented by the server are going to
- * be checked.
- */
- public boolean isVerifyChainEnabled() {
- return verifyChainEnabled;
- }
-
- /**
- * Sets if the whole chain of certificates presented by the server are going to
- * be checked. By default the certificate chain is not verified.
- *
- * @param verifyChainEnabled if the whole chaing of certificates presented by the server
- * are going to be checked.
- */
- public void setVerifyChainEnabled(boolean verifyChainEnabled) {
- this.verifyChainEnabled = verifyChainEnabled;
- }
-
- /**
- * Returns true if root CA checking is going to be done. By default checking is disabled.
- *
- * @return true if root CA checking is going to be done.
- */
- public boolean isVerifyRootCAEnabled() {
- return verifyRootCAEnabled;
- }
-
- /**
- * Sets if root CA checking is going to be done. By default checking is disabled.
- *
- * @param verifyRootCAEnabled if root CA checking is going to be done.
- */
- public void setVerifyRootCAEnabled(boolean verifyRootCAEnabled) {
- this.verifyRootCAEnabled = verifyRootCAEnabled;
- }
-
- /**
- * Returns true if self-signed certificates are going to be accepted. By default
- * this option is disabled.
- *
- * @return true if self-signed certificates are going to be accepted.
- */
- public boolean isSelfSignedCertificateEnabled() {
- return selfSignedCertificateEnabled;
- }
-
- /**
- * Sets if self-signed certificates are going to be accepted. By default
- * this option is disabled.
- *
- * @param selfSignedCertificateEnabled if self-signed certificates are going to be accepted.
- */
- public void setSelfSignedCertificateEnabled(boolean selfSignedCertificateEnabled) {
- this.selfSignedCertificateEnabled = selfSignedCertificateEnabled;
- }
-
- /**
- * Returns true if certificates presented by the server are going to be checked for their
- * validity. By default certificates are not verified.
- *
- * @return true if certificates presented by the server are going to be checked for their
- * validity.
- */
- public boolean isExpiredCertificatesCheckEnabled() {
- return expiredCertificatesCheckEnabled;
- }
-
- /**
- * Sets if certificates presented by the server are going to be checked for their
- * validity. By default certificates are not verified.
- *
- * @param expiredCertificatesCheckEnabled if certificates presented by the server are going
- * to be checked for their validity.
- */
- public void setExpiredCertificatesCheckEnabled(boolean expiredCertificatesCheckEnabled) {
- this.expiredCertificatesCheckEnabled = expiredCertificatesCheckEnabled;
- }
-
- /**
- * Returns true if certificates presented by the server are going to be checked for their
- * domain. By default certificates are not verified.
- *
- * @return true if certificates presented by the server are going to be checked for their
- * domain.
- */
- public boolean isNotMatchingDomainCheckEnabled() {
- return notMatchingDomainCheckEnabled;
- }
-
- /**
- * Sets if certificates presented by the server are going to be checked for their
- * domain. By default certificates are not verified.
- *
- * @param notMatchingDomainCheckEnabled if certificates presented by the server are going
- * to be checked for their domain.
- */
- public void setNotMatchingDomainCheckEnabled(boolean notMatchingDomainCheckEnabled) {
- this.notMatchingDomainCheckEnabled = notMatchingDomainCheckEnabled;
- }
-
/**
* Gets the custom SSLContext for SSL sockets. This is null by default.
*
diff --git a/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/ServerTrustManager.java b/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/ServerTrustManager.java
deleted file mode 100644
index afc4e23..0000000
--- a/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/ServerTrustManager.java
+++ /dev/null
@@ -1,330 +0,0 @@
-/**
- * $RCSfile$
- * $Revision$
- * $Date$
- *
- * Copyright 2003-2005 Jive Software.
- *
- * All rights reserved. Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.jivesoftware.smack;
-
-import javax.net.ssl.X509TrustManager;
-import java.io.FileInputStream;
-import java.io.InputStream;
-import java.io.IOException;
-import java.security.*;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.X509Certificate;
-import java.util.*;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-/**
- * Trust manager that checks all certificates presented by the server. This class
- * is used during TLS negotiation. It is possible to disable/enable some or all checkings
- * by configuring the {@link ConnectionConfiguration}. The truststore file that contains
- * knows and trusted CA root certificates can also be configure in {@link ConnectionConfiguration}.
- *
- * @author Gaston Dombiak
- */
-class ServerTrustManager implements X509TrustManager {
-
- private static Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");
-
- private ConnectionConfiguration configuration;
-
- /**
- * Holds the domain of the remote server we are trying to connect
- */
- private String server;
- private KeyStore trustStore;
-
- private static Map<KeyStoreOptions, KeyStore> stores = new HashMap<KeyStoreOptions, KeyStore>();
-
- public ServerTrustManager(String server, ConnectionConfiguration configuration) {
- this.configuration = configuration;
- this.server = server;
-
- InputStream in = null;
- synchronized (stores) {
- KeyStoreOptions options = new KeyStoreOptions(configuration.getTruststoreType(),
- configuration.getTruststorePath(), configuration.getTruststorePassword());
- if (stores.containsKey(options)) {
- trustStore = stores.get(options);
- } else {
- try {
- trustStore = KeyStore.getInstance(options.getType());
- in = new FileInputStream(options.getPath());
- trustStore.load(in, options.getPassword().toCharArray());
- } catch (Exception e) {
- trustStore = null;
- e.printStackTrace();
- } finally {
- if (in != null) {
- try {
- in.close();
- } catch (IOException ioe) {
- // Ignore.
- }
- }
- }
- stores.put(options, trustStore);
- }
- if (trustStore == null)
- // Disable root CA checking
- configuration.setVerifyRootCAEnabled(false);
- }
- }
-
- public X509Certificate[] getAcceptedIssuers() {
- return new X509Certificate[0];
- }
-
- public void checkClientTrusted(X509Certificate[] arg0, String arg1)
- throws CertificateException {
- }
-
- public void checkServerTrusted(X509Certificate[] x509Certificates, String arg1)
- throws CertificateException {
-
- int nSize = x509Certificates.length;
-
- List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);
-
- if (configuration.isVerifyChainEnabled()) {
- // Working down the chain, for every certificate in the chain,
- // verify that the subject of the certificate is the issuer of the
- // next certificate in the chain.
- Principal principalLast = null;
- for (int i = nSize -1; i >= 0 ; i--) {
- X509Certificate x509certificate = x509Certificates[i];
- Principal principalIssuer = x509certificate.getIssuerDN();
- Principal principalSubject = x509certificate.getSubjectDN();
- if (principalLast != null) {
- if (principalIssuer.equals(principalLast)) {
- try {
- PublicKey publickey =
- x509Certificates[i + 1].getPublicKey();
- x509Certificates[i].verify(publickey);
- }
- catch (GeneralSecurityException generalsecurityexception) {
- throw new CertificateException(
- "signature verification failed of " + peerIdentities);
- }
- }
- else {
- throw new CertificateException(
- "subject/issuer verification failed of " + peerIdentities);
- }
- }
- principalLast = principalSubject;
- }
- }
-
- if (configuration.isVerifyRootCAEnabled()) {
- // Verify that the the last certificate in the chain was issued
- // by a third-party that the client trusts.
- boolean trusted = false;
- try {
- trusted = trustStore.getCertificateAlias(x509Certificates[nSize - 1]) != null;
- if (!trusted && nSize == 1 && configuration.isSelfSignedCertificateEnabled())
- {
- System.out.println("Accepting self-signed certificate of remote server: " +
- peerIdentities);
- trusted = true;
- }
- }
- catch (KeyStoreException e) {
- e.printStackTrace();
- }
- if (!trusted) {
- throw new CertificateException("root certificate not trusted of " + peerIdentities);
- }
- }
-
- if (configuration.isNotMatchingDomainCheckEnabled()) {
- // Verify that the first certificate in the chain corresponds to
- // the server we desire to authenticate.
- // Check if the certificate uses a wildcard indicating that subdomains are valid
- if (peerIdentities.size() == 1 && peerIdentities.get(0).startsWith("*.")) {
- // Remove the wildcard
- String peerIdentity = peerIdentities.get(0).replace("*.", "");
- // Check if the requested subdomain matches the certified domain
- if (!server.endsWith(peerIdentity)) {
- throw new CertificateException("target verification failed of " + peerIdentities);
- }
- }
- else if (!peerIdentities.contains(server)) {
- throw new CertificateException("target verification failed of " + peerIdentities);
- }
- }
-
- if (configuration.isExpiredCertificatesCheckEnabled()) {
- // For every certificate in the chain, verify that the certificate
- // is valid at the current time.
- Date date = new Date();
- for (int i = 0; i < nSize; i++) {
- try {
- x509Certificates[i].checkValidity(date);
- }
- catch (GeneralSecurityException generalsecurityexception) {
- throw new CertificateException("invalid date of " + server);
- }
- }
- }
-
- }
-
- /**
- * Returns the identity of the remote server as defined in the specified certificate. The
- * identity is defined in the subjectDN of the certificate and it can also be defined in
- * the subjectAltName extension of type "xmpp". When the extension is being used then the
- * identity defined in the extension in going to be returned. Otherwise, the value stored in
- * the subjectDN is returned.
- *
- * @param x509Certificate the certificate the holds the identity of the remote server.
- * @return the identity of the remote server as defined in the specified certificate.
- */
- public static List<String> getPeerIdentity(X509Certificate x509Certificate) {
- // Look the identity in the subjectAltName extension if available
- List<String> names = getSubjectAlternativeNames(x509Certificate);
- if (names.isEmpty()) {
- String name = x509Certificate.getSubjectDN().getName();
- Matcher matcher = cnPattern.matcher(name);
- if (matcher.find()) {
- name = matcher.group(2);
- }
- // Create an array with the unique identity
- names = new ArrayList<String>();
- names.add(name);
- }
- return names;
- }
-
- /**
- * Returns the JID representation of an XMPP entity contained as a SubjectAltName extension
- * in the certificate. If none was found then return <tt>null</tt>.
- *
- * @param certificate the certificate presented by the remote entity.
- * @return the JID representation of an XMPP entity contained as a SubjectAltName extension
- * in the certificate. If none was found then return <tt>null</tt>.
- */
- private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {
- List<String> identities = new ArrayList<String>();
- try {
- Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();
- // Check that the certificate includes the SubjectAltName extension
- if (altNames == null) {
- return Collections.emptyList();
- }
- // Use the type OtherName to search for the certified server name
- /*for (List item : altNames) {
- Integer type = (Integer) item.get(0);
- if (type == 0) {
- // Type OtherName found so return the associated value
- try {
- // Value is encoded using ASN.1 so decode it to get the server's identity
- ASN1InputStream decoder = new ASN1InputStream((byte[]) item.toArray()[1]);
- DEREncodable encoded = decoder.readObject();
- encoded = ((DERSequence) encoded).getObjectAt(1);
- encoded = ((DERTaggedObject) encoded).getObject();
- encoded = ((DERTaggedObject) encoded).getObject();
- String identity = ((DERUTF8String) encoded).getString();
- // Add the decoded server name to the list of identities
- identities.add(identity);
- }
- catch (UnsupportedEncodingException e) {
- // Ignore
- }
- catch (IOException e) {
- // Ignore
- }
- catch (Exception e) {
- e.printStackTrace();
- }
- }
- // Other types are not good for XMPP so ignore them
- System.out.println("SubjectAltName of invalid type found: " + certificate);
- }*/
- }
- catch (CertificateParsingException e) {
- e.printStackTrace();
- }
- return identities;
- }
-
- private static class KeyStoreOptions {
- private final String type;
- private final String path;
- private final String password;
-
- public KeyStoreOptions(String type, String path, String password) {
- super();
- this.type = type;
- this.path = path;
- this.password = password;
- }
-
- public String getType() {
- return type;
- }
-
- public String getPath() {
- return path;
- }
-
- public String getPassword() {
- return password;
- }
-
- @Override
- public int hashCode() {
- final int prime = 31;
- int result = 1;
- result = prime * result + ((password == null) ? 0 : password.hashCode());
- result = prime * result + ((path == null) ? 0 : path.hashCode());
- result = prime * result + ((type == null) ? 0 : type.hashCode());
- return result;
- }
-
- @Override
- public boolean equals(Object obj) {
- if (this == obj)
- return true;
- if (obj == null)
- return false;
- if (getClass() != obj.getClass())
- return false;
- KeyStoreOptions other = (KeyStoreOptions) obj;
- if (password == null) {
- if (other.password != null)
- return false;
- } else if (!password.equals(other.password))
- return false;
- if (path == null) {
- if (other.path != null)
- return false;
- } else if (!path.equals(other.path))
- return false;
- if (type == null) {
- if (other.type != null)
- return false;
- } else if (!type.equals(other.type))
- return false;
- return true;
- }
- }
-}
diff --git a/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/XMPPConnection.java b/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/XMPPConnection.java
index 49d6c72..3ddd324 100644
--- a/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/XMPPConnection.java
+++ b/protocols/bundles/org.jivesoftware.smack/src/org/jivesoftware/smack/XMPPConnection.java
@@ -860,8 +860,7 @@ public class XMPPConnection extends Connection {
// Verify certificate presented by the server
if (context == null) {
context = SSLContext.getInstance("TLS");
- context.init(kms, new javax.net.ssl.TrustManager[] { new ServerTrustManager(getServiceName(), config) },
- new java.security.SecureRandom());
+ context.init(kms, null, new java.security.SecureRandom());
}
Socket plain = socket;
// Secure the plain connection
--
2.27.0

7
eclipse-ecf.spec
View File

@ -5,12 +5,13 @@
%bcond_with bootstrap
Name: eclipse-ecf
Version: 3.14.4
Release: 1
Release: 2
Summary: Eclipse Communication Framework (ECF) Eclipse plug-in
License: EPL-1.0 and ASL 2.0
URL: http://www.eclipse.org/ecf/
Source0: http://git.eclipse.org/c/ecf/org.eclipse.ecf.git/snapshot/org.eclipse.ecf-%{git_tag}.tar.xz
Patch0: eclipse-ecf-feature-deps.patch
Patch1: CVE-2014-0363.patch
BuildRequires: tycho tycho-extras maven-plugin-build-helper eclipse-license osgi-annotation
BuildRequires: xpp3-minimal httpcomponents-client httpcomponents-core apache-commons-codec
BuildRequires: apache-commons-logging
@ -52,6 +53,7 @@ Documentation and developer resources for the Eclipse Communication Framework
find . -type f -name "*.jar" -exec rm {} \;
find . -type f -name "*.class" -exec rm {} \;
%patch0
%patch1 -p1
%pom_xpath_remove "feature/plugin[@id='org.eclipse.ecf.presence']" releng/features/org.eclipse.ecf.core/feature.xml
sed -i -e '/org.objectweb.asm/s/7/8/' protocols/bundles/ch.ethz.iks.r_osgi.remote/META-INF/MANIFEST.MF
sed -i -e '/<module>examples/d' -e '/<module>tests/d' pom.xml
@ -188,5 +190,8 @@ popd
%endif
%changelog
* Sat Dec 12 2020 caodongxia <caodongxia@huawei.com> - 3.14.4-2
- Fix CVE-2014-0363.patch
* Thu Aug 27 2020 yanan li <liyanan032@huawei.com> - 3.14.4-1
- Package init