Reject certificates with embedded NULLs in the commonName field. This stops

author Magnus Hagander <magnus@hagander.net>

Wed, 9 Dec 2009 06:37:25 +0000 (06:37 +0000)

committer Magnus Hagander <magnus@hagander.net>

Wed, 9 Dec 2009 06:37:25 +0000 (06:37 +0000)
author Magnus Hagander <magnus@hagander.net>
Wed, 9 Dec 2009 06:37:25 +0000 (06:37 +0000)
committer Magnus Hagander <magnus@hagander.net>
Wed, 9 Dec 2009 06:37:25 +0000 (06:37 +0000)
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c

index b3d00746eb9c195b2815968bf3181ca5148aec76..e3a7abc205ec254fdfb3ee7020bae562876a6c51 100644 (file)
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
   *
   *
   * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.83.2.1 2009/01/28 15:06:57 mha Exp $
+ *       $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.83.2.2 2009/12/09 06:37:25 mha Exp $
   *
   *       Since the server static private key ($DataDir/server.key)
   *       will normally be stored unencrypted so that the database
@@ -938,9 +938,29 @@ aloop:
                 X509_NAME_oneline(X509_get_subject_name(port->peer),
                                                   port->peer_dn, sizeof(port->peer_dn));
                 port->peer_dn[sizeof(port->peer_dn) - 1] = '\0';
-               X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),
+               r = X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),
                                            NID_commonName, port->peer_cn, sizeof(port->peer_cn));
                 port->peer_cn[sizeof(port->peer_cn) - 1] = '\0';
+               if (r == -1)
+               {
+                       /* Unable to get the CN, set it to blank so it can't be used */
+                       port->peer_cn[0] = '\0';
+               }
+               else
+               {
+                       /*
+                        * Reject embedded NULLs in certificate common name to prevent attacks like
+                        * CVE-2009-4034.
+                        */
+                       if (r != strlen(port->peer_cn))
+                       {
+                               ereport(COMMERROR,
+                                               (errcode(ERRCODE_PROTOCOL_VIOLATION),
+                                                errmsg("SSL certificate's common name contains embedded null")));
+                               close_SSL(port);
+                               return -1;
+                       }
+               }
         }
         ereport(DEBUG2,
                         (errmsg("SSL connection from \"%s\"", port->peer_cn)));
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c

index af919a8333e806cc2c62c2c08ebd1a9efb7fb9ae..a1aa046340720a791c7aef603fcd7dcecb9c8c09 100644 (file)
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
   *
   *
   * IDENTIFICATION
- *       $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.102.2.1 2009/01/28 15:06:57 mha Exp $
+ *       $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.102.2.2 2009/12/09 06:37:25 mha Exp $
   *
   * NOTES
   *       [ Most of these notes are wrong/obsolete, but perhaps not all ]
@@ -1087,9 +1087,28 @@ open_client_SSL(PGconn *conn)
                                           conn->peer_dn, sizeof(conn->peer_dn));
         conn->peer_dn[sizeof(conn->peer_dn) - 1] = '\0';
  
-       X509_NAME_get_text_by_NID(X509_get_subject_name(conn->peer),
+       r = X509_NAME_get_text_by_NID(X509_get_subject_name(conn->peer),
                                                           NID_commonName, conn->peer_cn, SM_USER);
-       conn->peer_cn[SM_USER] = '\0';
+       conn->peer_cn[SM_USER] = '\0'; /* buffer is SM_USER+1 chars! */
+       if (r == -1)
+       {
+               /* Unable to get the CN, set it to blank so it can't be used */
+               conn->peer_cn[0] = '\0';
+       }
+       else
+       {
+               /*
+                * Reject embedded NULLs in certificate common name to prevent attacks like
+                * CVE-2009-4034.
+                */
+               if (r != strlen(conn->peer_cn))
+               {
+                       printfPQExpBuffer(&conn->errorMessage,
+                                                         libpq_gettext("SSL certificate's common name contains embedded null\n"));
+                       close_SSL(conn);
+                       return PGRES_POLLING_FAILED;
+               }
+       }
  
         /* verify that the common name resolves to peer */
author	Magnus Hagander <magnus@hagander.net>
	Wed, 9 Dec 2009 06:37:25 +0000 (06:37 +0000)
committer	Magnus Hagander <magnus@hagander.net>
	Wed, 9 Dec 2009 06:37:25 +0000 (06:37 +0000)
src/backend/libpq/be-secure.c		patch \| blob \| history
src/interfaces/libpq/fe-secure.c		patch \| blob \| history