Author: bebuild
Date: Wed Apr  8 11:53:07 2015
New Revision: 434386

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=434386
Log:
Merge changes for AST-2015-003

Modified:
    tags/1.8.32.3/   (props changed)
    tags/1.8.32.3/ChangeLog
    tags/1.8.32.3/main/tcptls.c

Propchange: tags/1.8.32.3/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Apr  8 11:53:07 2015
@@ -1,2 +1,2 @@
-/branches/1.8:427380,428331,428402,431324
+/branches/1.8:427380,428331,428402,431324,434337
 /trunk:394552,394567

Modified: tags/1.8.32.3/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.32.3/ChangeLog?view=diff&rev=434386&r1=434385&r2=434386
==============================================================================
--- tags/1.8.32.3/ChangeLog (original)
+++ tags/1.8.32.3/ChangeLog Wed Apr  8 11:53:07 2015
@@ -1,3 +1,28 @@
+2015-04-08  Asterisk Development Team <asteriskt...@digium.com>
+
+       * Asterisk 1.8.32.3 Released.
+
+       * Mitigate MitM attack potential from certificate with NULL byte in CN.
+
+         When registering to a SIP server with TLS, Asterisk will accept CA
+         signed certificates with a common name that was signed for a domain
+         other than the one requested if it contains a null character in the
+         common name portion of the cert. This patch fixes that by checking
+         that the common name length matches the the length of the content we
+         actually read from the common name segment. Some certificate
+         authorities automatically sign CA requests when the requesting CN
+         isn't already taken, so an attacker could potentially register a CN
+         with something like www.google.com\x00www.secretlyevil.net and have
+         their certificate signed and Asterisk would accept that certificate
+         as though it had been for www.google.com.
+
+         ASTERISK-24847 #close
+         Reported by: Maciej Szmigiero
+         patches:
+           asterisk-null-in-cn.patch uploaded by mhej (license 6085)
+
+         AST-2015-003
+
 2015-01-28  Asterisk Development Team <asteriskt...@digium.com>
 
        * Asterisk 1.8.32.2 Released.
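Review bot: "matches the the length of the content" doubles "the" in the new ChangeLog paragraph, and "sign CA requests" presumably means certificate signing requests (CSRs); both are worth correcting in the entry before the tag is published. The description otherwise matches the code change in this commit: it covers only the client-side path, where Asterisk registers to a TLS SIP server and compares the peer certificate's common name against the configured hostname.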

Modified: tags/1.8.32.3/main/tcptls.c
URL: http://svnview.digium.com/svn/asterisk/tags/1.8.32.3/main/tcptls.c?view=diff&rev=434386&r1=434385&r2=434386
==============================================================================
--- tags/1.8.32.3/main/tcptls.c (original)
+++ tags/1.8.32.3/main/tcptls.c Wed Apr  8 11:53:07 2015
@@ -638,10 +638,17 @@
                                                if (pos < 0)
                                                        break;
                                                str = 
X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
-                                               ASN1_STRING_to_UTF8(&str2, str);
+                                               ret = 
ASN1_STRING_to_UTF8(&str2, str);
+                                               if (ret < 0) {
+                                                       continue;
+                                               }
+
                                                if (str2) {
-                                                       if 
(!strcasecmp(tcptls_session->parent->hostname, (char *) str2))
+                                                       if (strlen((char *) 
str2) != ret) {
+                                                               
ast_log(LOG_WARNING, "Invalid certificate common name length (contains NULL 
bytes?)\n");
+                                                       } else if 
(!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
                                                                found = 1;
+                                                       }
                                                        ast_debug(3, "SSL 
Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
                                                        OPENSSL_free(str2);
                                                }
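Review bot: `strlen((char *) str2) != ret` compares a size_t with an int, which trips -Wsign-compare on most builds; `ret` is known to be non-negative at that point, so cast it (`(size_t) ret`) or keep the converted length in a size_t. Two smaller points on the same hunk: the new `ast_log(LOG_WARNING, ...)` message would help an operator far more if it named the hostname being verified (`tcptls_session->parent->hostname`), since the only identifying data currently reaches the `ast_debug(3, ...)` line that follows; and after the `continue` on a negative `ret`, `str2` is not reset, so the `if (str2)` guard below relies on `str2` having been NULL-initialised before the loop, which is outside the visible context and should be confirmed. The length comparison itself is sound: ASN1_STRING_to_UTF8() returns the byte length of the converted string, which is exactly what strlen() counts up to the first NUL, so any embedded NUL makes the two disagree. As a caveat for later branches, only the CN is compared here; on OpenSSL 1.0.2 and newer, X509_check_host() performs a length-aware comparison that also covers subjectAltName dNSName entries.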


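As an added example (not Asterisk code and not part of this commit), the following C program models the comparison this fix changes. A small DER decoder recovers a common-name value and its ASN.1 content length, then the pre-fix strcasecmp() comparison and the post-fix length check are run against a constructed CN carrying the NUL-separated second name from the ChangeLog entry. The function names, the DER decoder and the sample encodings are this example's own assumptions; the real code obtains the string via X509_NAME_ENTRY_get_data() and ASN1_STRING_to_UTF8() rather than decoding DER itself.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp(), as used in tcptls.c */

/*
 * Minimal DER TLV decoder for a directory-string CN value (UTF8String 0x0C,
 * PrintableString 0x13, IA5String 0x16), short-form length only (content
 * shorter than 128 bytes, which covers any realistic common name).
 * Hypothetical helper standing in for X509_NAME_ENTRY_get_data() +
 * ASN1_STRING_to_UTF8(): returns the ASN.1 content length, or -1 if the
 * encoding is malformed, and points *content at the first content byte.
 */
static int der_string_content(const unsigned char *der, size_t der_len,
                              const unsigned char **content)
{
    if (der_len < 2) {
        return -1;
    }
    if (der[0] != 0x0C && der[0] != 0x13 && der[0] != 0x16) {
        return -1;              /* not a string tag we expect in a CN */
    }
    if (der[1] & 0x80) {
        return -1;              /* long-form length: not needed here */
    }
    if ((size_t)der[1] + 2 > der_len) {
        return -1;              /* declared length runs past the buffer */
    }
    *content = der + 2;
    return der[1];
}

/* Copy the content into a NUL-terminated buffer, the shape the caller gets
 * back from ASN1_STRING_to_UTF8(). buf must hold at least 128 bytes.
 * Returns the ASN.1 content length, or -1 on a malformed encoding. */
static int cn_to_cstring(const unsigned char *der, size_t der_len, char *buf)
{
    const unsigned char *cn;
    int len = der_string_content(der, der_len, &cn);
    if (len < 0) {
        return -1;
    }
    memcpy(buf, cn, (size_t)len);
    buf[len] = '\0';
    return len;
}

/* Pre-fix comparison: strcasecmp() stops at the first NUL, so any bytes the
 * CA signed after it are never compared. Returns 1 on match, 0 otherwise. */
int cn_matches_vulnerable(const unsigned char *der, size_t der_len, const char *host)
{
    char buf[128];
    if (cn_to_cstring(der, der_len, buf) < 0) {
        return 0;
    }
    return strcasecmp(host, buf) == 0;
}

/* Post-fix comparison: the C-string length must equal the ASN.1 content
 * length before the hostname is compared. Returns 1 on match, 0 on mismatch,
 * -1 when the CN is rejected because it contains an embedded NUL. */
int cn_matches_fixed(const unsigned char *der, size_t der_len, const char *host)
{
    char buf[128];
    int len = cn_to_cstring(der, der_len, buf);
    if (len < 0) {
        return 0;
    }
    if (strlen(buf) != (size_t)len) {
        return -1;              /* "Invalid certificate common name length" */
    }
    return strcasecmp(host, buf) == 0;
}

/* Constructed sample encodings (not taken from any real certificate):
 * a UTF8String CN "www.google.com", and one with the NUL-separated second
 * name from the ChangeLog entry: 14 + 1 + 20 = 35 (0x23) content bytes. */
static const unsigned char HONEST_CN[] = "\x0C\x0E" "www.google.com";
static const unsigned char NUL_CN[]    = "\x0C\x23" "www.google.com" "\0" "www.secretlyevil.net";

int main(void)
{
    const char *host = "www.google.com";

    printf("honest CN, old check: %d\n",
           cn_matches_vulnerable(HONEST_CN, sizeof(HONEST_CN) - 1, host));
    printf("NUL CN,    old check: %d  (1 = accepted, the bug)\n",
           cn_matches_vulnerable(NUL_CN, sizeof(NUL_CN) - 1, host));
    printf("NUL CN,    new check: %d  (-1 = rejected)\n",
           cn_matches_fixed(NUL_CN, sizeof(NUL_CN) - 1, host));
    return 0;
}
```

The point the example makes concrete is that the certificate carries an explicit length for the CN while the comparison operates on a C string; the fix works by refusing any CN for which those two views of the data disagree, without needing to know what follows the NUL.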
svn-commits mailing list