Reject certificates with embedded NULLs in the commonName field. This stops

author Magnus Hagander <magnus@hagander.net>

Wed, 9 Dec 2009 06:37:09 +0000 (06:37 +0000)

committer Magnus Hagander <magnus@hagander.net>

Wed, 9 Dec 2009 06:37:09 +0000 (06:37 +0000)
author Magnus Hagander <magnus@hagander.net>
Wed, 9 Dec 2009 06:37:09 +0000 (06:37 +0000)
committer Magnus Hagander <magnus@hagander.net>
Wed, 9 Dec 2009 06:37:09 +0000 (06:37 +0000)
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c

index b854d4337c7d191b0f7f1b6296eac064898f16dc..589424c6dd4e515c1a44602f10b5eacdba59848d 100644 (file)
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
   *
   *
   * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.43.2.5 2009/01/28 15:06:48 mha Exp $
+ *       $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.43.2.6 2009/12/09 06:37:09 mha Exp $
   *
   *       Since the server static private key ($DataDir/server.key)
   *       will normally be stored unencrypted so that the database
@@ -801,12 +801,34 @@ open_server_SSL(Port *port)
         }
         else
         {
+               int r;
+
                 X509_NAME_oneline(X509_get_subject_name(port->peer),
                                                   port->peer_dn, sizeof(port->peer_dn));
                 port->peer_dn[sizeof(port->peer_dn) - 1] = '\0';
-               X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),
+               r = X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),
                                    NID_commonName, port->peer_cn, sizeof(port->peer_cn));
                 port->peer_cn[sizeof(port->peer_cn) - 1] = '\0';
+               if (r == -1)
+               {
+                       /* Unable to get the CN, set it to blank so it can't be used */
+                       port->peer_cn[0] = '\0';
+               }
+               else
+               {
+                       /*
+                        * Reject embedded NULLs in certificate common name to prevent attacks like
+                        * CVE-2009-4034.
+                        */
+                       if (r != strlen(port->peer_cn))
+                       {
+                               ereport(COMMERROR,
+                                               (errcode(ERRCODE_PROTOCOL_VIOLATION),
+                                                errmsg("SSL certificate's common name contains embedded null")));
+                               close_SSL(port);
+                               return -1;
+                       }
+               }
         }
         ereport(DEBUG2,
                         (errmsg("SSL connection from \"%s\"", port->peer_cn)));
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c

index 3a445b780d030aa1ba80e501800bc2987d65ca50..ed85c452d450408d2863daeb15d845990eb97c54 100644 (file)
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
   *
   *
   * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.32.2.2 2009/01/28 15:06:48 mha Exp $
+ *       $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.32.2.3 2009/12/09 06:37:09 mha Exp $
   *
   * NOTES
   *       The client *requires* a valid server certificate.  Since
@@ -967,9 +967,28 @@ open_client_SSL(PGconn *conn)
                                           conn->peer_dn, sizeof(conn->peer_dn));
         conn->peer_dn[sizeof(conn->peer_dn) - 1] = '\0';
  
-       X509_NAME_get_text_by_NID(X509_get_subject_name(conn->peer),
+       r = X509_NAME_get_text_by_NID(X509_get_subject_name(conn->peer),
                                                           NID_commonName, conn->peer_cn, SM_USER);
-       conn->peer_cn[SM_USER] = '\0';
+       conn->peer_cn[SM_USER] = '\0'; /* buffer is SM_USER+1 chars! */
+       if (r == -1)
+       {
+               /* Unable to get the CN, set it to blank so it can't be used */
+               conn->peer_cn[0] = '\0';
+       }
+       else
+       {
+               /*
+                * Reject embedded NULLs in certificate common name to prevent attacks like
+                * CVE-2009-4034.
+                */
+               if (r != strlen(conn->peer_cn))
+               {
+                       printfPQExpBuffer(&conn->errorMessage,
+                                                         libpq_gettext("SSL certificate's common name contains embedded null\n"));
+                       close_SSL(conn);
+                       return PGRES_POLLING_FAILED;
+               }
+       }
  
         /* verify that the common name resolves to peer */
author	Magnus Hagander <magnus@hagander.net>
	Wed, 9 Dec 2009 06:37:09 +0000 (06:37 +0000)
committer	Magnus Hagander <magnus@hagander.net>
	Wed, 9 Dec 2009 06:37:09 +0000 (06:37 +0000)
src/backend/libpq/be-secure.c		patch \| blob \| history
src/interfaces/libpq/fe-secure.c		patch \| blob \| history