Re: (ITS#6239) ldap_pvt_tls_check_hostname() may be vulnerable - openldap-bugs

30 Jul 2009


      hyc@OpenLDAP.org wrote:
...
Full_Name: Howard Chu
Version: any
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.91.220.157)
Submitted by: hyc
Our chkhost implementation for OpenSSL does a simple strcasecmp on the name
obtained from the certificate CN; if the CN has an embedded NUL it is possible
for this check to be spoofed. This is now fixed in HEAD.
Our chkhost implementation for GnuTLS is not vulnerable.
We didn't write a chkhost implementation for MozNSS, we just use the default one
they provide. Inspecting their code shows that their default checker is also
vulnerable. I will be writing a replacement for libldap shortly.
All fixed in HEAD/RE24. Surprisingly, the GnuTLS API got this one right. So 
did OpenSSL (we just botched our use of their APIs). But the MozNSS APIs all 
discard the length info of the data instead of returning it, so we had to 
reimplement some of their basic name-handling code in libldap. Probably should 
have just done all of this using DER and liblber too, like the other cert 
parsing code.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/