Author: bebuild Date: Wed Apr 8 11:57:23 2015 New Revision: 434389 URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=434389 Log: Merge changes for AST-2015-003
Modified: tags/13.3.2/ (props changed) tags/13.3.2/ChangeLog tags/13.3.2/main/tcptls.c Propchange: tags/13.3.2/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Wed Apr 8 11:57:23 2015 @@ -1,1 +1,1 @@ -/branches/13:433944 +/branches/13:433944,434384 Modified: tags/13.3.2/ChangeLog URL: http://svnview.digium.com/svn/asterisk/tags/13.3.2/ChangeLog?view=diff&rev=434389&r1=434388&r2=434389 ============================================================================== --- tags/13.3.2/ChangeLog (original) +++ tags/13.3.2/ChangeLog Wed Apr 8 11:57:23 2015 @@ -1,3 +1,28 @@ +2015-04-08 Asterisk Development Team <asteriskt...@digium.com> + + * Asterisk 13.3.2 Released. + + * Mitigate MitM attack potential from certificate with NULL byte in CN. + + When registering to a SIP server with TLS, Asterisk will accept CA + signed certificates with a common name that was signed for a domain + other than the one requested if it contains a null character in the + common name portion of the cert. This patch fixes that by checking + that the common name length matches the the length of the content we + actually read from the common name segment. Some certificate + authorities automatically sign CA requests when the requesting CN + isn't already taken, so an attacker could potentially register a CN + with something like www.google.com\x00www.secretlyevil.net and have + their certificate signed and Asterisk would accept that certificate + as though it had been for www.google.com. + + ASTERISK-24847 #close + Reported by: Maciej Szmigiero + patches: + asterisk-null-in-cn.patch uploaded by mhej (license 6085) + + AST-2015-003 + 2015-04-06 Asterisk Development Team <asteriskt...@digium.com> * Asterisk 13.3.1 Released. Modified: tags/13.3.2/main/tcptls.c URL: http://svnview.digium.com/svn/asterisk/tags/13.3.2/main/tcptls.c?view=diff&rev=434389&r1=434388&r2=434389 ============================================================================== --- tags/13.3.2/main/tcptls.c (original) +++ tags/13.3.2/main/tcptls.c Wed Apr 8 11:57:23 2015 @@ -640,9 +640,15 @@ break; } str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos)); - ASN1_STRING_to_UTF8(&str2, str); + ret = ASN1_STRING_to_UTF8(&str2, str); + if (ret < 0) { + continue; + } + if (str2) { - if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) { + if (strlen((char *) str2) != ret) { + ast_log(LOG_WARNING, "Invalid certificate common name length (contains NULL bytes?)\n"); + } else if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) { found = 1; } ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2); -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- svn-commits mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/svn-commits