From 480b13c7e6d83543a82b2974a3af0c8864d7b6a7 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Fri, 27 Aug 2010 21:08:14 +0200
Subject: Disallow X.509 wildcard matches in domain literals.
---
 NEWS | 13 ++++++++++---
 socket.c | 18 +++++++++++++++++-
 2 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index 9f429a22..a63a3d9c 100644
--- a/NEWS
+++ b/NEWS
@@ -54,6 +54,16 @@ removed from a 6.4.0 or newer release.)
 fetchmail-6.3.18 (not yet released):
+# SECURITY IMPROVEMENTS TO DEFANG X.509 CERTIFICATE ABUSE
+* Fetchmail now only accepts wildcard certificate common names and subject
+ alternative names if they start with "*.". Previous versions would accept
+ wildcards even if no period followed immediately.
+* Fetchmail now disallows wildcards in certificates to match domain literals
+ (such as 10.9.8.7), or wildcards in domain literals ("*.168.23.23").
+ The test is overly picky and triggers if the pattern (after skipping the
+ initial wildcard "*") or domain consist solely of digits and dots and matches
+ more than needed.
+
 # BUG FIXES
 * Fetchmail would warn about insecure SSL/TLS connections even if a matching --sslfingerprint was specified. This is an omission from an SSL usability
@@ -78,9 +88,6 @@ fetchmail-6.3.18 (not yet released):
 credentials. This avoids getting servers such as Exchange 2007 wedged if GSSAPI authentication fails. Reported by Patrick Rynhart, Debian Bug #568455, and Alan Murrell, to the fetchmail-users list.
-* Fetchmail now only accepts wildcard certificate common names and subject
- alternative names if they start with "*.". Previous versions would accept
- wildcards even if no period followed immediately.
 # CHANGES
 * When encountering incorrect headers, fetchmail will refer to the bad-header
diff --git a/socket.c b/socket.c
index 59b0112e..d3cf90d7 100644
--- a/socket.c
+++ b/socket.c
@@ -600,7 +600,23 @@ SSL *SSLGetContext( int sock )
 * The only place where a wildcard is allowed is in the leftmost
 * position of p1.
 */
 static int name_match(const char *p1, const char *p2) {
- if (p1[0] == '*' && p1[1] == '.') {
+ const char *const dom = "0123456789.";
+ int wildcard_ok = 1;
+
+ /* blank patterns never match */
+ if (p1[0] == '\0')
+ return 0;
+
+ /* disallow wildcards in certificates for domain literals
+ * (10.9.8.7-like) */
+ if (strspn(p1+(*p1 == '*' ? 1 : 0), dom) == strlen(p1))
+ wildcard_ok = 0;
+
+ /* disallow wildcards for domain literals */
+ if (strspn(p2, dom) == strlen(p2))
+ wildcard_ok = 0;
+
+ if (wildcard_ok && p1[0] == '*' && p1[1] == '.') {
 size_t l1, l2;
 ++p1;
-- cgit v1.2.3
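Review bot: The domain-literal test on the pattern is ineffective for the very case it targets: `strspn(p1+(*p1 == '*' ? 1 : 0), dom)` skips the leading `*`, but the result is compared against `strlen(p1)`, which still counts it, so for any pattern starting with `*` the two can never be equal, `wildcard_ok` stays 1, and a pattern like `*.168.23.23` is only rejected when the peer name `p2` happens to be all digits and dots — the NEWS entry's claim about wildcards in domain literals does not hold as written. Measure both sides over the same string: `const char *lit = p1 + (*p1 == '*' ? 1 : 0);` followed by `if (strspn(lit, dom) == strlen(lit))`. The digits-and-dots classifier also does not recognise IPv6 literals (including the `::ffff:a.b.c.d` form), so a name containing `:` is still treated as a hostname for wildcard purposes; if that is intentional it deserves a comment next to `dom`, otherwise a colon check belongs in the same test. name_match's body continues past the end of the hunk.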