author | joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845> | 2009-08-18 13:12:29 +0000 |
---|---|---|
committer | joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845> | 2009-08-18 13:12:29 +0000 |
commit | fed1940e9136c0a799420e56e3ceefe0f3ab7f58 (patch) | |
tree | 71f2db258b17fc5048787ccbffd03bcf8028e460 /src/ne_gnutls.c | |
parent | 6f23b8be5b86ae97cf037585b828ddf5ec2470e0 (diff) | |
download | neon-fed1940e9136c0a799420e56e3ceefe0f3ab7f58.tar.gz |
Security fix for CVE-2009-2474, handling of "NUL" bytes in certificate names:
* src/ne_private.h (ne__ssl_match_hostname): Take cn len, make cn const.
* src/ne_session.c (ne__ssl_match_hostname): Drop handling of unqualified hostnames; check CN length matches.
* src/ne_gnutls.c (check_identity): Adjust accordingly.
* src/ne_openssl.c (append_dirstring): Use a quoted append for ASCII data. Check for embedded NUL bytes in UTF-8 data.
  (dup_ia5string): Use quoted append.
* test/ssl.c (struct ssl_server_args): Add key field.
  (ssl_server): Use key field from args.
  (fail_ssl_request_with_error2): Rename from fail_ssl_request_with_error, add host, fakehost parameters.
  (fail_ssl_request_with_error): Reimplement using fail_ssl_request_with_error2.
  (fail_nul_cn, fail_nul_san, nulcn_identity): New tests.
* test/nulca.pem, test/nulcn.pem, test/nulsan.pem, test/nulsrv.key: Add test cases, thanks to Tomas Hoger <thoger redhat.com>.
git-svn-id: http://svn.webdav.org/repos/projects/neon/trunk@1681 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
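The defect this commit message describes, and the shape of the fix, as an added illustration in C. This is not neon's code and not the `ne__ssl_match_hostname` implementation from this commit; the name bytes, hostnames and the two matcher functions are constructed here to show why a NUL-terminated comparison can be fooled and why passing the name's real length closes the hole.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample: the bytes a certificate name field would carry for
 * "www.example.com\0.evil.test". Its encoded length is 26, but strlen()
 * sees 15. Neither this name nor the hostnames below come from the neon
 * test suite; they are assumptions made for this example. */
static const char NUL_CN[] = "www.example.com\0.evil.test";
#define NUL_CN_LEN (sizeof(NUL_CN) - 1)   /* 26 bytes, embedded NUL included */

/* ASCII case-insensitive comparison of two explicitly sized byte ranges. */
static int eq_nocase(const char *a, size_t alen, const char *b, size_t blen)
{
    size_t i;
    if (alen != blen)
        return 0;
    for (i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Vulnerable pattern (the "before" side of a fix like this one): the name
 * is treated as a NUL-terminated C string, so the comparison stops at the
 * embedded NUL and "www.example.com\0.evil.test" matches www.example.com. */
static int match_hostname_cstring(const char *cn, const char *hostname)
{
    return eq_nocase(cn, strlen(cn), hostname, strlen(hostname));
}

/* Hardened pattern, in the spirit of the length-aware matcher the commit
 * message describes (a hypothetical reimplementation, not neon's code):
 * the caller passes the name's real length, an embedded NUL is rejected
 * outright, and lengths must agree before any bytes are compared. A
 * leading "*." wildcard is allowed to match exactly one label. */
static int match_hostname_len(const char *cn, size_t cnlen, const char *hostname)
{
    size_t hlen = strlen(hostname);

    if (memchr(cn, '\0', cnlen) != NULL)
        return 0;                       /* NUL inside a DNS name: malformed */

    if (cnlen > 2 && cn[0] == '*' && cn[1] == '.') {
        const char *dot = strchr(hostname, '.');
        if (dot == NULL)
            return 0;                   /* "*.example.com" must not match "example.com" */
        return eq_nocase(cn + 1, cnlen - 1, dot, hlen - (size_t)(dot - hostname));
    }
    return eq_nocase(cn, cnlen, hostname, hlen);
}

int main(void)
{
    const char *host = "www.example.com";
    printf("cstring match of NUL name:  %d\n", match_hostname_cstring(NUL_CN, host));
    printf("length-aware match of same: %d\n", match_hostname_len(NUL_CN, NUL_CN_LEN, host));
    printf("wildcard *.example.com:     %d\n", match_hostname_len("*.example.com", 13, host));
    return 0;
}
```

The length check does the real work: once the name's encoded length travels with it, a name with an embedded NUL can never equal a hostname of the visible prefix's length, and the explicit `memchr` rejection makes the intent obvious to the next reader. The commit message's "check CN length matches" is the same idea applied to the CN path; the SAN hunk below applies it to `GNUTLS_SAN_DNSNAME`.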
Diffstat (limited to 'src/ne_gnutls.c')
-rw-r--r-- | src/ne_gnutls.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/ne_gnutls.c b/src/ne_gnutls.c index aa3f42b..e202b98 100644 --- a/src/ne_gnutls.c +++ b/src/ne_gnutls.c @@ -373,7 +373,7 @@ static int check_identity(const ne_uri *server, gnutls_x509_crt cert, case GNUTLS_SAN_DNSNAME: name[len] = '\0'; if (identity && !found) *identity = ne_strdup(name); - match = ne__ssl_match_hostname(name, hostname); + match = ne__ssl_match_hostname(name, len, hostname); found = 1; break; case GNUTLS_SAN_IPADDRESS: { @@ -442,7 +442,7 @@ static int check_identity(const ne_uri *server, gnutls_x509_crt cert, seq, 0, name, &len); if (ret == 0) { if (identity) *identity = ne_strdup(name); - match = ne__ssl_match_hostname(name, hostname); + match = ne__ssl_match_hostname(name, len, hostname); } } else { return -1; |
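Review bot: in the first hunk (the `GNUTLS_SAN_DNSNAME` case), `*identity = ne_strdup(name)` still copies the name as a NUL-terminated C string, so for a SAN carrying an embedded NUL the identity handed back to the caller, and shown in any verification-failure message, is only the benign-looking prefix before the NUL, even though `ne__ssl_match_hostname(name, len, hostname)` now rejects the match; consider reporting the full `len` bytes (or flagging the embedded NUL) so the user can see why the certificate was refused. The hunk also relies on `len` already being bounded by the size of `name` before `name[len] = '\0'`; that initialization is not visible here, so it is worth confirming the call that fills `name` and `len` starts from `len = sizeof name`.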
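Review bot: in the second hunk (the CN path), correctness now hinges on the `len` written by the DN lookup whose tail `seq, 0, name, &len)` is visible being the byte length of the CN value without the terminating NUL, since the commit message says the new matcher checks that the CN length matches; if the library's out-parameter counts the terminator, `ne__ssl_match_hostname(name, len, hostname)` is off by one and every CN would fail to match. Suggest a test against an ordinary single-CN certificate alongside the new nulcn.pem case, and a one-line comment at the call site recording which length convention is assumed. Note also that, unlike the SAN hunk, there is no `name[len] = '\0'` here, so `ne_strdup(name)` depends on the lookup having terminated the buffer.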