moparisthebest/wget
1
0
Fork 0
mirror of https://github.com/moparisthebest/wget synced 2024-07-03 16:38:41 -04:00
Code Issues Releases Wiki Activity

Only warn of attack if the hostname would have matched.

Browse Source
This commit is contained in:
Micah Cowan 2009-08-19 01:15:27 -07:00
parent 61a4b1f77a
commit 57c9e17e6c
2 changed files with 43 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/ChangeLog
View File

@ -1,3 +1,9 @@
2009-08-19 Micah Cowan <micah@cowan.name>
* openssl.c (ssl_check_certificate): Only warn about an attack if
the hostname would otherwise have matched. Also some formatting
cleanup.
2009-08-19 Joao Ferreira <joao@joaoff.com> 2009-08-19 Joao Ferreira <joao@joaoff.com>
* openssl.c (ssl_check_certificate): Detect embedded NUL * openssl.c (ssl_check_certificate): Detect embedded NUL

63
src/openssl.c
View File

@ -571,32 +571,8 @@ ssl_check_certificate (int fd, const char *host)
X509_NAME *xname = X509_get_subject_name(cert); X509_NAME *xname = X509_get_subject_name(cert);
common_name[0] = '\0'; common_name[0] = '\0';
X509_NAME_get_text_by_NID (xname, X509_NAME_get_text_by_NID (xname, NID_commonName, common_name,
NID_commonName, common_name, sizeof (common_name)); sizeof (common_name));
/* We now determine the length of the ASN1 string. If it differs from
* common_name's length, then there is a \0 before the string terminates.
* This can be an instance of a null-prefix attack [0].
*
* [0] https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
* */
int i=-1,j;
if(xname) {
for(;(j=X509_NAME_get_index_by_NID (xname, NID_commonName, i))!=-1;i=j);
}
X509_NAME_ENTRY *xentry = X509_NAME_get_entry(xname,i);
ASN1_STRING *sdata = X509_NAME_ENTRY_get_data(xentry);
if (strlen(common_name) != ASN1_STRING_length(sdata))
{
logprintf (LOG_NOTQUIET, _("\
%s: certificate common name is invalid. It is possible that someone is \
eavesdropping on you (man-in-the-middle attack)!\n"),
severity);
success = false;
}
if (!pattern_match (common_name, host)) if (!pattern_match (common_name, host))
{ {
@ -605,6 +581,41 @@ eavesdropping on you (man-in-the-middle attack)!\n"),
severity, quote (common_name), quote (host)); severity, quote (common_name), quote (host));
success = false; success = false;
} }
else
{
/* We now determine the length of the ASN1 string. If it differs from
* common_name's length, then there is a \0 before the string terminates.
* This can be an instance of a null-prefix attack.
*
* https://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html#Marlinspike
* */
int i = -1, j;
X509_NAME_ENTRY *xentry;
ASN1_STRING *sdata;
if (xname) {
for (;;)
{
j = X509_NAME_get_index_by_NID (xname, NID_commonName, i);
if (j == -1) break;
i = j;
}
}
xentry = X509_NAME_get_entry(xname,i);
sdata = X509_NAME_ENTRY_get_data(xentry);
if (strlen (common_name) != ASN1_STRING_length (sdata))
{
logprintf (LOG_NOTQUIET, _("\
%s: certificate common name is invalid (contains a NUL character).\n\
This may be an indication that the host is not who it claims to be\n\
(that is, it is not the real %s).\n"),
severity, quote (host));
success = false;
}
}
if (success) if (success)
DEBUGP (("X509 certificate successfully verified and matches host %s\n", DEBUGP (("X509 certificate successfully verified and matches host %s\n",