[svn-commits] bebuild: tag certified-13.1-cert2 r434420 - in /certified/tags/13.1-cert2: ./...
SVN commits to the Digium repositories
svn-commits at lists.digium.com
Wed Apr 8 12:30:13 CDT 2015
Author: bebuild
Date: Wed Apr 8 12:30:11 2015
New Revision: 434420
URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=434420
Log:
Merge changes for AST-2015-003
Modified:
certified/tags/13.1-cert2/ (props changed)
certified/tags/13.1-cert2/ChangeLog
certified/tags/13.1-cert2/main/tcptls.c
Propchange: certified/tags/13.1-cert2/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Apr 8 12:30:11 2015
@@ -1,1 +1,2 @@
/branches/13:429273,431153
+/certified/branches/13.1:434418
Modified: certified/tags/13.1-cert2/ChangeLog
URL: http://svnview.digium.com/svn/asterisk/certified/tags/13.1-cert2/ChangeLog?view=diff&rev=434420&r1=434419&r2=434420
==============================================================================
--- certified/tags/13.1-cert2/ChangeLog (original)
+++ certified/tags/13.1-cert2/ChangeLog Wed Apr 8 12:30:11 2015
@@ -1,3 +1,28 @@
+2015-04-08 Asterisk Development Team <asteriskteam at digium.com>
+
+ * Certified Asterisk 13.1-cert2 Released.
+
+ * Mitigate MitM attack potential from certificate with NULL byte in CN.
+
+ When registering to a SIP server with TLS, Asterisk will accept CA
+ signed certificates with a common name that was signed for a domain
+ other than the one requested if it contains a null character in the
+ common name portion of the cert. This patch fixes that by checking
+ that the common name length matches the the length of the content we
+ actually read from the common name segment. Some certificate
+ authorities automatically sign CA requests when the requesting CN
+ isn't already taken, so an attacker could potentially register a CN
+ with something like www.google.com\x00www.secretlyevil.net and have
+ their certificate signed and Asterisk would accept that certificate
+ as though it had been for www.google.com.
+
+ ASTERISK-24847 #close
+ Reported by: Maciej Szmigiero
+ patches:
+ asterisk-null-in-cn.patch uploaded by mhej (license 6085)
+
+ AST-2015-003
+
2015-01-30 Asterisk Development Team <asteriskteam at digium.com>
* Certified Asterisk 13.1-cert1 Released.
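Review bot: typo in the new ChangeLog entry, "matches the the length" should read "matches the length"; worth fixing before the release notes are generated from this file.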
Modified: certified/tags/13.1-cert2/main/tcptls.c
URL: http://svnview.digium.com/svn/asterisk/certified/tags/13.1-cert2/main/tcptls.c?view=diff&rev=434420&r1=434419&r2=434420
==============================================================================
--- certified/tags/13.1-cert2/main/tcptls.c (original)
+++ certified/tags/13.1-cert2/main/tcptls.c Wed Apr 8 12:30:11 2015
@@ -640,9 +640,15 @@
break;
}
str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
- ASN1_STRING_to_UTF8(&str2, str);
+ ret = ASN1_STRING_to_UTF8(&str2, str);
+ if (ret < 0) {
+ continue;
+ }
+
if (str2) {
- if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
+ if (strlen((char *) str2) != ret) {
+ ast_log(LOG_WARNING, "Invalid certificate common name length (contains NULL bytes?)\n");
+ } else if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
found = 1;
}
ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
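Review bot: `strlen((char *) str2) != ret` compares a `size_t` against an `int`; it is safe only because the preceding `ret < 0` check guarantees `ret` is non-negative, but it will trip -Wsign-compare, so cast with `(size_t) ret` or make the intent explicit in a comment. Two smaller points on the same hunk: the `continue` taken when `ASN1_STRING_to_UTF8()` fails skips the entry silently, while the NUL-byte case is logged at LOG_WARNING; logging both (and including `tcptls_session->parent->hostname` in the warning) would tell an operator which peer presented the malformed certificate. Note also that this loop only inspects commonName entries of the subject name, so the new length check does not cover names carried in a subjectAltName extension.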