[asterisk-commits] bebuild: tag certified-1.8.28-cert5 r434394 - in /certified/tags/1.8.28-cert5...
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Wed Apr 8 12:16:07 CDT 2015
Author: bebuild
Date: Wed Apr 8 12:16:05 2015
New Revision: 434394
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=434394
Log:
Merge changes for AST-2015-003
Modified:
certified/tags/1.8.28-cert5/ (props changed)
certified/tags/1.8.28-cert5/ChangeLog
certified/tags/1.8.28-cert5/main/tcptls.c
Propchange: certified/tags/1.8.28-cert5/
('branch-1.6.2-blocked' removed)
Propchange: certified/tags/1.8.28-cert5/
('branch-1.6.2-merged' removed)
Propchange: certified/tags/1.8.28-cert5/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Apr 8 12:16:05 2015
@@ -1,3 +1,3 @@
/certified/branches/1.8.15:370667,418367
-/certified/branches/1.8.28:426052,428393,428430,431325
+/certified/branches/1.8.28:426052,428393,428430,431325,434391
/trunk:394552,394567
Modified: certified/tags/1.8.28-cert5/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/certified/tags/1.8.28-cert5/ChangeLog?view=diff&rev=434394&r1=434393&r2=434394
==============================================================================
--- certified/tags/1.8.28-cert5/ChangeLog (original)
+++ certified/tags/1.8.28-cert5/ChangeLog Wed Apr 8 12:16:05 2015
@@ -1,3 +1,28 @@
+2015-04-08 Asterisk Development Team <asteriskteam at digium.com>
+
+ * Certified Asterisk 1.8.28-cert5 Released.
+
+ * Mitigate MitM attack potential from certificate with NULL byte in CN.
+
+ When registering to a SIP server with TLS, Asterisk will accept CA
+ signed certificates with a common name that was signed for a domain
+ other than the one requested if it contains a null character in the
+ common name portion of the cert. This patch fixes that by checking
+ that the common name length matches the the length of the content we
+ actually read from the common name segment. Some certificate
+ authorities automatically sign CA requests when the requesting CN
+ isn't already taken, so an attacker could potentially register a CN
+ with something like www.google.com\x00www.secretlyevil.net and have
+ their certificate signed and Asterisk would accept that certificate
+ as though it had been for www.google.com.
+
+ ASTERISK-24847 #close
+ Reported by: Maciej Szmigiero
+ patches:
+ asterisk-null-in-cn.patch uploaded by mhej (license 6085)
+
+ AST-2015-003
+
2015-01-28 Asterisk Development Team <asteriskteam at digium.com>
* Certified Asterisk 1.8.28-cert4 Released.
Modified: certified/tags/1.8.28-cert5/main/tcptls.c
URL: http://svnview.digium.com/svn/asterisk/certified/tags/1.8.28-cert5/main/tcptls.c?view=diff&rev=434394&r1=434393&r2=434394
==============================================================================
--- certified/tags/1.8.28-cert5/main/tcptls.c (original)
+++ certified/tags/1.8.28-cert5/main/tcptls.c Wed Apr 8 12:16:05 2015
@@ -633,10 +633,17 @@
if (pos < 0)
break;
str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
- ASN1_STRING_to_UTF8(&str2, str);
+ ret = ASN1_STRING_to_UTF8(&str2, str);
+ if (ret < 0) {
+ continue;
+ }
+
if (str2) {
- if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2))
+ if (strlen((char *) str2) != ret) {
+ ast_log(LOG_WARNING, "Invalid certificate common name length (contains NULL bytes?)\n");
+ } else if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
found = 1;
+ }
ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
OPENSSL_free(str2);
}
More information about the asterisk-commits
mailing list