Use OpenSSL X509_check_host() and X509_check_ip() correctly.
These functions return 1 for a successful match, 0 for a failed match,
-1 for an internal error, or -2 if the certificate is malformed.

OpenConnect has been treating any value other than zero as a success,
meaning that an attacker who could get a trusted CA to issue an invalid
certificate (on which the ASN.1 decoder fails, for example), could use
that to assume *any* identity.

This is CVE-2020-12105.

https://gitlab.com/openconnect/openconnect/-/merge_requests/96

Signed-off-by: Jordy Zomer <jordy@simplyhacker.com>
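The commit message describes the return convention that caused the bug: X509_check_host() and X509_check_ip() are tri-state-plus-error functions, and only an explicit 1 means "the name matched". The following is an added example, not OpenConnect or OpenSSL code, that puts the vulnerable truthiness test beside the fixed `== 1` test and wraps the call so that the -1 and -2 paths fail closed with a distinct diagnostic. The real OpenSSL functions are not linked; `name_check_fn` stubs with the same argument shape stand in for them, and the `peer_name_matches()` / `classify()` helpers and the `vpn.example.com` hostname are assumptions made for the demo.

```c
/* Added example (not OpenConnect code): fail-closed handling of the
 * X509_check_host()/X509_check_ip() return convention.
 *
 * OpenSSL returns 1 = match, 0 = no match, -1 = internal error,
 * -2 = malformed certificate.  The real functions are not linked here;
 * stubs of the same shape stand in for them so the logic runs offline. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors X509_check_host(cert, name, namelen, flags, &peername) with the
 * X509 * replaced by an opaque pointer.  Assumption made for the demo. */
typedef int (*name_check_fn)(const void *cert, const char *name,
                             size_t namelen, unsigned int flags,
                             char **peername);

enum name_result {
    NAME_MATCH,
    NAME_MISMATCH,
    NAME_INTERNAL_ERROR,
    NAME_MALFORMED_CERT
};

/* Pre-fix predicate, kept for contrast: any non-zero return is accepted,
 * so -1 and -2 are treated as a successful match. */
static int accepts_vulnerable(int rc) { return rc != 0; }

/* Fixed predicate: only an explicit 1 is a match. */
static int accepts_fixed(int rc) { return rc == 1; }

/* Map the raw return value to a named result so the error paths can be
 * logged distinctly.  Anything undocumented fails closed as an error. */
static enum name_result classify(int rc)
{
    switch (rc) {
    case 1:  return NAME_MATCH;
    case 0:  return NAME_MISMATCH;
    case -1: return NAME_INTERNAL_ERROR;
    case -2: return NAME_MALFORMED_CERT;
    default: return NAME_INTERNAL_ERROR;
    }
}

/* Run the check; return 1 only on a positive match and say why otherwise.
 * With real OpenSSL, *matched is OPENSSL_malloc()'d on a match and the
 * caller must OPENSSL_free() it; the stubs below point at static storage. */
static int peer_name_matches(name_check_fn check, const void *cert,
                             const char *host, char **matched)
{
    int rc = check(cert, host, 0, 0, matched);

    switch (classify(rc)) {
    case NAME_MATCH:
        return 1;
    case NAME_MISMATCH:
        fprintf(stderr, "no certificate name matches '%s'\n", host);
        return 0;
    case NAME_MALFORMED_CERT:
        fprintf(stderr, "certificate is malformed; refusing to trust it\n");
        return 0;
    default:
        fprintf(stderr, "internal error (%d) while checking '%s'\n", rc, host);
        return 0;
    }
}

/* Constructed stand-ins for X509_check_host(): each returns one fixed
 * OpenSSL-style result regardless of input. */
static char stub_matched_name[] = "vpn.example.com";

static int stub_match(const void *c, const char *n, size_t l,
                      unsigned int f, char **p)
{
    (void)c; (void)n; (void)l; (void)f;
    if (p)
        *p = stub_matched_name;
    return 1;
}

#define STUB(fn, value)                                                   \
    static int fn(const void *c, const char *n, size_t l,                 \
                  unsigned int f, char **p)                               \
    { (void)c; (void)n; (void)l; (void)f; (void)p; return (value); }
STUB(stub_mismatch, 0)
STUB(stub_internal, -1)
STUB(stub_malformed, -2)

int main(void)
{
    const int rcs[] = { 1, 0, -1, -2 };
    char *matched = NULL;
    size_t i;

    for (i = 0; i < sizeof rcs / sizeof rcs[0]; i++)
        printf("rc=%2d  vulnerable accepts=%d  fixed accepts=%d\n",
               rcs[i], accepts_vulnerable(rcs[i]), accepts_fixed(rcs[i]));

    /* A malformed certificate must never authenticate the peer. */
    return peer_name_matches(stub_malformed, NULL, "vpn.example.com",
                             &matched) ? 1 : 0;
}
```

The table printed by `main()` is the whole bug in four rows: for rc = -1 and rc = -2 the vulnerable predicate says "accepted" and the fixed one says "rejected". Classifying the return value rather than comparing it inline also gives the caller somewhere to report a malformed certificate as an error instead of a silent non-match.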
JordyZomer authored and dwmw2 committed Apr 28, 2020
1 parent e49e49e commit f07242d
Showing 2 changed files with 3 additions and 2 deletions.
4 changes: 2 additions & 2 deletions openssl.c
Expand Up @@ -1383,7 +1383,7 @@ static int match_cert_hostname(struct openconnect_info *vpninfo, X509 *peer_cert
{
char *matched = NULL;

if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0)) {
if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0) == 1) {
if (vpninfo->verbose >= PRG_DEBUG) {
char host[80];
int family;
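Review bot: with the `== 1` comparison at line 33, a -1 (internal error) or -2 (malformed certificate) return from X509_check_ip() now silently falls through to the hostname check below, indistinguishable from an ordinary non-match. Consider capturing the return value in a local and emitting a vpn_progress() message when it is negative before continuing, so that a malformed certificate from a trusted CA is visible in the logs rather than reported only as a name mismatch.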
Expand All @@ -1402,7 +1402,7 @@ static int match_cert_hostname(struct openconnect_info *vpninfo, X509 *peer_cert
}
return 0;
}
if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched)) {
if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched) == 1) {
vpn_progress(vpninfo, PRG_DEBUG,
_("Matched peer certificate subject name '%s'\n"),
matched);
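Review bot: the same `== 1` comparison is repeated at line 42, and nothing in the file records why 1 is the only acceptable value. A short comment above the first call stating the 1/0/-1/-2 return convention of X509_check_host() and X509_check_ip(), or a small static helper used by both call sites, would stop a future cleanup from "simplifying" this back to a truthiness test, which is exactly the regression the commit message describes.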
1 change: 1 addition & 0 deletions www/changelog.xml
Expand Up @@ -18,6 +18,7 @@
<li>Add bash completion support.</li>
<li>Give more helpful error in case of Pulse servers asking for TNCC.</li>
<li>Sanitize non-canonical Legacy IP network addresses (<a href="https://gitlab.com/openconnect/openconnect/merge_requests/97">!97</a>)</li>
<li>Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105).</li>
</ul><br/>
</li>
<li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.08.tar.gz">OpenConnect v8.08</a></b>
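Review bot: the new changelog entry at line 52 should link to the merge request cited in the commit message (https://gitlab.com/openconnect/openconnect/-/merge_requests/96), matching the `(<a href="...">!97</a>)` style of the preceding entry, so readers of the release notes can find the discussion the same way they can for !97.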
