Author: jrose
Date: Wed Apr  8 12:15:07 2015
New Revision: 434393

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=434393
Log:
Security/tcptls: MitM Attack potential from certificate with NULL byte in CN.

When registering to a SIP server with TLS, Asterisk will accept CA signed
certificates with a common name that was signed for a domain other than the
one requested if it contains a null character in the common name portion of
the cert. This patch fixes that by checking that the common name length
matches the length of the content we actually read from the common name
segment. Some certificate authorities automatically sign CA requests when
the requesting CN isn't already taken, so an attacker could potentially
register a CN with something like www.google.com\x00www.secretlyevil.net
and have their certificate signed and Asterisk would accept that certificate
as though it had been for www.google.com - this is a security fix and is
noted in AST-2015-003.

ASTERISK-24847 #close
Reported by: Maciej Szmigiero
Patches:
 asterisk-null-in-cn.patch submitted by mhej (license 6085)
........

Merged revisions 434337 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 434338 from http://svn.asterisk.org/svn/asterisk/branches/11

Modified:
    certified/branches/11.6/   (props changed)
    certified/branches/11.6/main/tcptls.c

Propchange: certified/branches/11.6/
            ('branch-1.8-blocked' removed)

Propchange: certified/branches/11.6/
            ('branch-1.8-merged' removed)

Propchange: certified/branches/11.6/
------------------------------------------------------------------------------
Binary property 'branch-11-merged' - no diff available.

Modified: certified/branches/11.6/main/tcptls.c
URL: 
http://svnview.digium.com/svn/asterisk/certified/branches/11.6/main/tcptls.c?view=diff&rev=434393&r1=434392&r2=434393
==============================================================================
--- certified/branches/11.6/main/tcptls.c (original)
+++ certified/branches/11.6/main/tcptls.c Wed Apr  8 12:15:07 2015
@@ -634,9 +634,15 @@
                                                        break;
                                                }
                                                str = 
X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
-                                               ASN1_STRING_to_UTF8(&str2, str);
+                                               ret = 
ASN1_STRING_to_UTF8(&str2, str);
+                                               if (ret < 0) {
+                                                       continue;
+                                               }
+
                                                if (str2) {
-                                                       if 
(!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
+                                                       if (strlen((char *) 
str2) != ret) {
+                                                               
ast_log(LOG_WARNING, "Invalid certificate common name length (contains NULL 
bytes?)\n");
+                                                       } else if 
(!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
                                                                found = 1;
                                                        }
                                                        ast_debug(3, "SSL 
Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
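
Review bot: The new check `if (strlen((char *) str2) != ret)` compares a size_t against the int `ret`. The preceding `ret < 0` branch makes the comparison safe, but an explicit `(size_t) ret` cast would make that intent visible and avoid a signed/unsigned comparison warning. The warning message also carries no context: consider logging tcptls_session->parent->hostname together with both lengths, because the ast_debug line that follows formats str2 with %s and therefore prints only the part before the embedded byte, which for a rejected certificate can read as if s1 and s2 matched. As a wording point, the byte is NUL rather than NULL, so "contains NUL bytes?" would be more precise.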

