curl-tracker Archives

[curl:bugs] #1289 ASN1_STRING string validation in ssluse.c

From: Jeffrey Walton <noloader_at_users.sf.net>
Date: Sun, 13 Oct 2013 20:43:05 +0000

> The verification fails due to the embedded zero, what else do you say we should do?

If I am reading it correctly, that particular entry is skipped and the attempt to match continues.

A certificate is untrusted input since it can be under the attacker's control. 'Untrusted' is a bit of a misnomer - it's actually high risk since it came from somewhere on the Internet.

In this case, I tend to take a very defensive posture and fail processing immediately because there's no reason to encounter an embedded NULL in the field except when under attack.

I guess all this comes down to philosophy. I rejected Jon Postel's law a long time ago because it aggravates problems with sloppy code (I'm not implying Curl suffers that). Postel's law was OK in a benign environment, but it's dangerous in a toxic or hostile environment like the Internet.

---
**[bugs:#1289] ASN1_STRING string validation in ssluse.c**
**Status:** open
**Created:** Sun Oct 13, 2013 09:00 AM UTC by Jeffrey Walton
**Last Updated:** Sun Oct 13, 2013 09:12 AM UTC
**Owner:** Daniel Stenberg
        // From ssluse.c, around line 1095
        const char *altptr = (char *)ASN1_STRING_data(check->d.ia5);
        size_t altlen = (size_t) ASN1_STRING_length(check->d.ia5);
        switch(target) {
        case GEN_DNS: /* name/pattern comparison */
          /* The OpenSSL man page explicitly says: "In general it cannot be
             assumed that the data returned by ASN1_STRING_data() is null
             terminated or does not contain embedded nulls." But also that
             "The actual format of the data will depend on the actual string
             type itself: for example for and IA5String the data will be ASCII"
             Gisle researched the OpenSSL sources:
             "I checked the 0.9.6 and 0.9.8 sources before my patch and
             it always 0-terminates an IA5String."
          */
          if((altlen == strlen(altptr)) &&
             /* if this isn't true, there was an embedded zero in the name
                string and we cannot match it. */
             Curl_cert_hostcheck(altptr, conn->host.name))
            matched = 1;
          else
            ...
The check above on the ASN1_STRING length is weak at best. If a certificate is encountered in the field such that `altlen != strlen(altptr)`, then you are probably dealing with malicious input, and the attacker's input should simply be rejected. Don't process it anymore.
See "Breaking SSL with null characters" and "More Tricks For Defeating SSL".
Received on 2013-10-13
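The two postures discussed in this thread, as an added example that is neither curl's nor OpenSSL's code: a length-delimited subjectAltName dNSName entry is scanned for an embedded NUL with `memchr()` (bounded by the ASN.1 length, never by a terminator), and a strict verifier aborts the whole check on the first such entry, while the lenient variant reproduces the reported `altlen == strlen(altptr)` behaviour and merely skips the entry. The `san_entry` struct, the function names and the sample SAN list are assumptions constructed for the example; the lenient variant assumes, as the bug report notes OpenSSL does for IA5String, that the buffer is 0-terminated. Wildcard matching is deliberately omitted.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdict for one dNSName entry or for a whole certificate (hypothetical API). */
enum san_result {
    SAN_NO_MATCH = 0,     /* well-formed entry, does not name this host */
    SAN_MATCH = 1,        /* well-formed entry, names this host */
    SAN_REJECT_NUL = -1   /* embedded NUL: fail closed, treat the certificate as hostile */
};

/* One length-delimited SAN entry, as ASN1_STRING_data()/ASN1_STRING_length()
 * would hand it over: the length is authoritative, the data is not text. */
struct san_entry {
    const char *data;
    size_t len;
};

/* Nonzero if the entry contains a NUL anywhere inside its declared length,
 * i.e. strlen(data) would stop short of len. The scan is bounded by len. */
int san_has_embedded_nul(const char *data, size_t len)
{
    return memchr(data, '\0', len) != NULL;
}

/* Case-insensitive byte comparison over exactly n bytes (no terminator needed). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Fail-closed check: an embedded NUL is reported as SAN_REJECT_NUL so the
 * caller can abort verification instead of moving on to the next entry. */
enum san_result san_check_strict(const char *data, size_t len, const char *host)
{
    if (san_has_embedded_nul(data, len))
        return SAN_REJECT_NUL;
    if (len == strlen(host) && eq_nocase(data, host, len))
        return SAN_MATCH;
    return SAN_NO_MATCH;
}

/* The lenient behaviour described in the bug report: when the declared
 * length disagrees with strlen(), the entry is skipped (no match) and the
 * caller keeps looking. Assumes data is 0-terminated, as OpenSSL's IA5String is. */
enum san_result san_check_lenient(const char *data, size_t len, const char *host)
{
    if (len != strlen(data))
        return SAN_NO_MATCH;
    return san_check_strict(data, len, host);
}

/* Walk every dNSName entry. Strict mode stops at the first embedded NUL;
 * lenient mode skips such entries and may still match a later clean one. */
enum san_result verify_host(const struct san_entry *entries, size_t n,
                            const char *host, int strict)
{
    for (size_t i = 0; i < n; i++) {
        enum san_result r = strict
            ? san_check_strict(entries[i].data, entries[i].len, host)
            : san_check_lenient(entries[i].data, entries[i].len, host);
        if (r == SAN_REJECT_NUL || r == SAN_MATCH)
            return r;
    }
    return SAN_NO_MATCH;
}

/* Constructed sample SAN list: the first entry is 30 bytes under its ASN.1
 * length but strlen() reports 15 because of the embedded NUL; the second
 * entry is clean. Neither comes from a real certificate. */
static const char nul_entry[] = "www.example.com\0.attacker.test";
static const struct san_entry sample_sans[] = {
    { nul_entry, sizeof(nul_entry) - 1 },   /* 30 bytes including the NUL */
    { "www.example.com", 15 },
};
#define SAMPLE_SAN_COUNT (sizeof(sample_sans) / sizeof(sample_sans[0]))

int main(void)
{
    const char *host = "www.example.com";
    printf("strict  : %d\n", verify_host(sample_sans, SAMPLE_SAN_COUNT, host, 1));
    printf("lenient : %d\n", verify_host(sample_sans, SAMPLE_SAN_COUNT, host, 0));
    return 0;
}
```

Run against the sample list, the strict walk returns SAN_REJECT_NUL as soon as it sees the first entry, whereas the lenient walk skips it and reports SAN_MATCH on the second entry; the difference is exactly the "fail processing immediately" versus "skip and continue" choice the message argues about.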

