[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6239) ldap_pvt_tls_check_hostname() may be vulnerable

hyc@OpenLDAP.org wrote:
> Full_Name: Howard Chu
> Version: any
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> Submitted by: hyc
> Our chkhost implementation for OpenSSL does a simple strcasecmp on the name
> obtained from the certificate CN; if the CN has an embedded NUL it is possible
> for this check to be spoofed. This is now fixed in HEAD.
> Our chkhost implementation for GnuTLS is not vulnerable.
> We didn't write a chkhost implementation for MozNSS, we just use the default one
> they provide. Inspecting their code shows that their default checker is also
> vulnerable. I will be writing a replacement for libldap shortly.

All fixed in HEAD/RE24. Surprisingly, the GnuTLS API got this one right. So 
did OpenSSL (we just botched our use of their APIs). But the MozNSS APIs all 
discard the length info of the data instead of returning it, so we had to 
reimplement some of their basic name-handling code in libldap. Probably should 
have just done all of this using DER and liblber too, like the other cert 
parsing code.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/