OpenSSL server could be crashed by client cert with IPv6 address in SubjectAltname

This commit is contained in:
Gerhard Rieger 2021-10-26 19:26:18 +02:00
parent e9c055b750
commit 1477334905
3 changed files with 72 additions and 9 deletions

View file

@ -13,6 +13,13 @@ Corrections:
A VSOCK warning message was generated with all listening addresses
instead of only with VSOCK-LISTEN
When an OPENSSL-CONNECT client presented a certificate with IPv6
subject alternate name and the OPENSSL-LISTEN server had no commonname
option, the server crashed with SIGSEGV in xioip6_pton().
Test: OPENSSL_CLIENT_IP6_CN
Red Hat bug 1981308
Thanks to Vlad Slepukhin for reporting this issue and providing a patch
Testing:
Prevent the TIMESTAMP tests from sporadically failing due do seconds
overflow

54
test.sh
View file

@ -15040,6 +15040,60 @@ PORT=$((PORT+1))
N=$((N+1))
# Bug fix, OpenSSL server could be crashed by client cert with IPv6 address in SubjectAltname
NAME=OPENSSL_CLIENT_IP6_CN
case "$TESTS" in
*%$N%*|*%functions%*|*%bugs%*|*%openssl%*|*%ip6%*|*%socket%*|*%$NAME%*)
TEST="$NAME: Test if OpenSSL server may be crashed by client cert with IPv6 address"
# Socat 1.7.4.1 had a bug that caused OpenSSL server to crash with SIGSEGV when
# it checked a client certificate containing IPv6 address in SubjectAltName and
# no openssl-commonname option was given
if ! eval $NUMCOND; then :;
elif ! testfeats openssl >/dev/null; then
$PRINTF "test $F_n $TEST... ${YELLOW}OPENSSL not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
elif ! testfeats tcp ip4 >/dev/null || ! runsip4 >/dev/null; then
$PRINTF "test $F_n $TEST... ${YELLOW}TCP/IPv4 not available${NORMAL}\n" $N
numCANT=$((numCANT+1))
listCANT="$listCANT $N"
else
gentestcert testsrv
gentestaltcert testalt
tf="$td/test$N.stdout"
te="$td/test$N.stderr"
tdiff="$td/test$N.diff"
da="test$N $(date) $RANDOM"
CMD0="$TRACE $SOCAT $opts -u OPENSSL-LISTEN:$PORT,reuseaddr,cert=./testsrv.pem,cafile=./testalt.crt -"
CMD1="$TRACE $SOCAT $opts -u - OPENSSL-CONNECT:localhost:$PORT,cafile=testsrv.crt,cert=testalt.pem,verify=0"
printf "test $F_n $TEST... " $N
$CMD0 >/dev/null >"${tf}0" 2>"${te}0" &
pid0=$!
waittcp4port $PORT 1
echo "$da" |$CMD1 2>"${te}1"
rc1=$?
kill $pid0 2>/dev/null; wait
if [ $rc1 -eq 0 ] && echo "$da" |diff - "${tf}0" >$tdiff; then
$PRINTF "$OK\n"
numOK=$((numOK+1))
else
$PRINTF "$FAILED\n"
echo "$CMD0 &" >&2
cat "${te}0" >&2
echo "$CMD1" >&2
cat "${te}1" >&2
numFAIL=$((numFAIL+1))
listFAIL="$listFAIL $N"
fi
fi # NUMCOND
;;
esac
PORT=$((PORT+1))
N=$((N+1))
# end of common tests
##################################################################################
#=================================================================================
# here come tests that might affect your systems integrity. Put normal tests

View file

@ -1775,6 +1775,7 @@ static int openssl_handle_peer_certificate(struct single *xfd,
#if WITH_IP6
case 16: /* IPv6 */
inet_ntop(AF_INET6, data, aBuffer, sizeof(aBuffer));
if (peername != NULL) {
xioip6_pton(peername, &ip6bin);
if (memcmp(data, &ip6bin, sizeof(ip6bin)) == 0) {
Debug2("subjectAltName \"%s\" matches peername \"%s\"",
@ -1784,6 +1785,7 @@ static int openssl_handle_peer_certificate(struct single *xfd,
Info2("subjectAltName \"%s\" does not match peername \"%s\"",
aBuffer, peername);
}
}
break;
#endif
}