Use OpenSSL X509_check_host() and X509_check_ip() correctly.

These functions return 1 for a successful match, 0 for a failed match,
-1 for an internal error, or -2 if the certificate is malformed.

OpenConnect has been treating any value other than zero as a success,
meaning that an attacker who could get a trusted CA to issue an invalid
certificate (on which the ASN.1 decoder fails, for example), could use
that to assume *any* identity.

This is CVE-2020-12105.

https://gitlab.com/openconnect/openconnect/-/merge_requests/96

Signed-off-by: Jordy Zomer <jordy@simplyhacker.com>

diff --git a/openssl.c b/openssl.c
index 392dd86b448f363d4bd9bac37086ab0bdd4b5ff1..b15f2f6f25c794964b36d8b1d3b238d03ce43a7a 100644 (file)
--- a/openssl.c
+++ b/openssl.c
@@ -1383,7 +1383,7 @@ static int match_cert_hostname(struct openconnect_info *vpninfo, X509 *peer_cert
 {
        char *matched = NULL;
 
-       if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0)) {
+       if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0) == 1) {
                if (vpninfo->verbose >= PRG_DEBUG) {
                        char host[80];
                        int family;
@@ -1402,7 +1402,7 @@ static int match_cert_hostname(struct openconnect_info *vpninfo, X509 *peer_cert
                }
                return 0;
        }
-       if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched)) {
+       if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched) == 1) {
                vpn_progress(vpninfo, PRG_DEBUG,
                             _("Matched peer certificate subject name '%s'\n"),
                             matched);

diff --git a/www/changelog.xml b/www/changelog.xml
index 3475ac64a46d06f6297f9184560941296e16d7c6..1b2b6c58c5d4279dcd74ec69556ce68116d646b0 100644 (file)
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -18,6 +18,7 @@
        <li>Add bash completion support.</li>
        <li>Give more helpful error in case of Pulse servers asking for TNCC.</li>
        <li>Sanitize non-canonical Legacy IP network addresses (<a href="https://gitlab.com/openconnect/openconnect/merge_requests/97">!97</a>)</li>
+       <li>Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105).</li>
      </ul><br/>
   </li>
   <li><b><a href="ftp://ftp.infradead.org/pub/openconnect/openconnect-8.08.tar.gz">OpenConnect v8.08</a></b>