From: Jonathan Rose Date: Wed, 8 Apr 2015 16:11:53 +0000 (+0000) Subject: Security/tcptls: MitM Attack potential from certificate with NULL byte in CN. X-Git-Tag: 11.18.0-rc1~66 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f69e1b4a17f52a15c3e90229c8e34655d2c8d154;p=thirdparty%2Fasterisk.git Security/tcptls: MitM Attack potential from certificate with NULL byte in CN. When registering to a SIP server with TLS, Asterisk will accept CA signed certificates with a common name that was signed for a domain other than the one requested if it contains a null character in the common name portion of the cert. This patch fixes that by checking that the common name length matches the the length of the content we actually read from the common name segment. Some certificate authorities automatically sign CA requests when the requesting CN isn't already taken, so an attacker could potentially register a CN with something like www.google.com\x00www.secretlyevil.net and have their certificate signed and Asterisk would accept that certificate as though it had been for www.google.com - this is a security fix and is noted in AST-2015-003. ASTERISK-24847 #close Reported by: Maciej Szmigiero Patches: asterisk-null-in-cn.patch submitted by mhej (license 6085) ........ Merged revisions 434337 from http://svn.asterisk.org/svn/asterisk/branches/1.8 git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@434338 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/main/tcptls.c b/main/tcptls.c index a1d1ef72cf..9d9aefc0ba 100644 --- a/main/tcptls.c +++ b/main/tcptls.c @@ -639,9 +639,15 @@ static void *handle_tcptls_connection(void *data) break; } str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos)); - ASN1_STRING_to_UTF8(&str2, str); + ret = ASN1_STRING_to_UTF8(&str2, str); + if (ret < 0) { + continue; + } + if (str2) { - if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) { + if (strlen((char *) str2) != ret) { + ast_log(LOG_WARNING, "Invalid certificate common name length (contains NULL bytes?)\n"); + } else if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) { found = 1; } ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);