From f07242df8ad6a0fb1a5b5a584ca086f1a429ee0b Mon Sep 17 00:00:00 2001
From: Jordy Zomer
Date: Thu, 23 Apr 2020 13:28:12 +0200
Subject: [PATCH] Use OpenSSL X509_check_host() and X509_check_ip() correctly.

These functions return 1 for a successful match, 0 for a failed match, -1 for an internal error, or -2 if the certificate is malformed. OpenConnect has been treating any value other than zero as a success, meaning that an attacker who could get a trusted CA to issue an invalid certificate (on which the ASN.1 decoder fails, for example), could use that to assume *any* identity. This is CVE-2020-12105.

https://gitlab.com/openconnect/openconnect/-/merge_requests/96

Signed-off-by: Jordy Zomer
---
 openssl.c         | 4 ++--
 www/changelog.xml | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/openssl.c b/openssl.c
index 392dd86b..b15f2f6f 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1383,7 +1383,7 @@ static int match_cert_hostname(struct openconnect_info *vpninfo, X509 *peer_cert
 {
 	char *matched = NULL;
 
-	if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0)) {
+	if (ipaddrlen && X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0) == 1) {
 		if (vpninfo->verbose >= PRG_DEBUG) {
 			char host[80];
 			int family;
@@ -1402,7 +1402,7 @@ static int match_cert_hostname(struct openconnect_info *vpninfo, X509 *peer_cert
 		}
 		return 0;
 	}
-	if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched)) {
+	if (X509_check_host(peer_cert, vpninfo->hostname, 0, 0, &matched) == 1) {
 		vpn_progress(vpninfo, PRG_DEBUG,
 			     _("Matched peer certificate subject name '%s'\n"),
 			     matched);
diff --git a/www/changelog.xml b/www/changelog.xml
index 3475ac64..1b2b6c58 100644
--- a/www/changelog.xml
+++ b/www/changelog.xml
@@ -18,6 +18,7 @@
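Review bot: The `== 1` comparison on the `X509_check_ip()` line now treats the error returns the commit message describes (-1 internal error, -2 malformed certificate) exactly like a plain non-match, so a peer certificate that OpenSSL cannot parse silently falls through to the hostname check and, presumably, to the generic "no match" failure later in match_cert_hostname(); the `X509_check_host()` condition in the second hunk has the same shape. Keeping the result in a local and logging the negative cases at PRG_ERR before the match test would let an operator tell "names did not match" from "certificate could not be checked", which is the distinction this CVE turns on, without changing which certificates are accepted. The same pattern would apply to the `X509_check_host()` call in the second hunk. The body of match_cert_hostname() continues outside both hunks, so the final failure path is not visible here.
```c
	char *matched = NULL;
	int rc = ipaddrlen ? X509_check_ip(peer_cert, ipaddr, ipaddrlen, 0) : 0;

	/* -1 / -2 mean "could not check", not "did not match"; make that visible. */
	if (rc < 0)
		vpn_progress(vpninfo, PRG_ERR,
			     _("X509_check_ip() failed on peer certificate (%d)\n"), rc);
	if (rc == 1) {
		/* … unchanged: debug print of the matched address … */
```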
  • Add bash completion support.
  • Give more helpful error in case of Pulse servers asking for TNCC.
  • Sanitize non-canonical Legacy IP network addresses (!97)
  • +
  • Fix OpenSSL validation for trusted but invalid certificates (CVE-2020-12105).

  • OpenConnect v8.08 -- 2.50.1