NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitabf23ee

committed

Reject certificates with embedded NULLs in the commonName field. This stops

attacks where an attacker would put <attack>\0<propername> in the field andtrick the validation code that the certificate was for <attack>.This is a very low risk attack since it reuqires the attacker to trick theCA into issuing a certificate with an incorrect field, and the commonPostgreSQL deployments are with private CAs, and not external ones. Also,default mode in 8.4 does not do any name validation, and is thus also notvulnerable - but the higher security modes are.Backpatch all the way. Even though versions 8.3.x and before didn't havecertificate name validation support, they still exposed this field forthe user to perform the validation in the application code, and thereis no way to detect this problem through that API.Security:CVE-2009-4034

1 parent65ed203 commitabf23eeCopy full SHA for abf23ee

File tree

2 files changed

+44

-5

lines changed

src
- backend/libpq
  - be-secure.c
- interfaces/libpq
  - fe-secure.c

2 files changed

+44

-5

lines changed

`‎src/backend/libpq/be-secure.c`

Lines changed: 22 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.92 2009/06/11 14:48:58 momjian Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.93 2009/12/09 06:37:06 mha Exp $`
`15`	`15`	`*`
`16`	`16`	`* Since the server static private key ($DataDir/server.key)`
`17`	`17`	`* will normally be stored unencrypted so that the database`
`@@ -953,9 +953,29 @@ open_server_SSL(Port *port)`
`953`	`953`	`X509_NAME_oneline(X509_get_subject_name(port->peer),`
`954`	`954`	`port->peer_dn,sizeof(port->peer_dn));`
`955`	`955`	`port->peer_dn[sizeof(port->peer_dn)-1]='\0';`
`956`		`-X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),`
	`956`	`+r=X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),`
`957`	`957`	`NID_commonName,port->peer_cn,sizeof(port->peer_cn));`
`958`	`958`	`port->peer_cn[sizeof(port->peer_cn)-1]='\0';`
	`959`	`+if (r==-1)`
	`960`	`+{`
	`961`	`+/* Unable to get the CN, set it to blank so it can't be used */`
	`962`	`+port->peer_cn[0]='\0';`
	`963`	`+}`
	`964`	`+else`
	`965`	`+{`
	`966`	`+/*`
	`967`	`+ * Reject embedded NULLs in certificate common name to prevent attacks like`
	`968`	`+ * CVE-2009-4034.`
	`969`	`+ */`
	`970`	`+if (r!=strlen(port->peer_cn))`
	`971`	`+{`
	`972`	`+ereport(COMMERROR,`
	`973`	`+(errcode(ERRCODE_PROTOCOL_VIOLATION),`
	`974`	`+errmsg("SSL certificate's common name contains embedded null")));`
	`975`	`+close_SSL(port);`
	`976`	`+return-1;`
	`977`	`+}`
	`978`	`+}`
`959`	`979`	`}`
`960`	`980`	`ereport(DEBUG2,`
`961`	`981`	`(errmsg("SSL connection from \"%s\"",port->peer_cn)));`

`‎src/interfaces/libpq/fe-secure.c`

Lines changed: 22 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.128 2009/07/24 17:58:31 tgl Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.129 2009/12/09 06:37:06 mha Exp $`
`15`	`15`	`*`
`16`	`16`	`* NOTES`
`17`	`17`	`*`
`@@ -1265,9 +1265,28 @@ open_client_SSL(PGconn *conn)`
`1265`	`1265`	`conn->peer_dn,sizeof(conn->peer_dn));`
`1266`	`1266`	`conn->peer_dn[sizeof(conn->peer_dn)-1]='\0';`
`1267`	`1267`
`1268`		`-X509_NAME_get_text_by_NID(X509_get_subject_name(conn->peer),`
	`1268`	`+r=X509_NAME_get_text_by_NID(X509_get_subject_name(conn->peer),`
`1269`	`1269`	`NID_commonName,conn->peer_cn,SM_USER);`
`1270`		`-conn->peer_cn[SM_USER]='\0';`
	`1270`	`+conn->peer_cn[SM_USER]='\0';/* buffer is SM_USER+1 chars! */`
	`1271`	`+if (r==-1)`
	`1272`	`+{`
	`1273`	`+/* Unable to get the CN, set it to blank so it can't be used */`
	`1274`	`+conn->peer_cn[0]='\0';`
	`1275`	`+}`
	`1276`	`+else`
	`1277`	`+{`
	`1278`	`+/*`
	`1279`	`+ * Reject embedded NULLs in certificate common name to prevent attacks like`
	`1280`	`+ * CVE-2009-4034.`
	`1281`	`+ */`
	`1282`	`+if (r!=strlen(conn->peer_cn))`
	`1283`	`+{`
	`1284`	`+printfPQExpBuffer(&conn->errorMessage,`
	`1285`	`+libpq_gettext("SSL certificate's common name contains embedded null\n"));`
	`1286`	`+close_SSL(conn);`
	`1287`	`+returnPGRES_POLLING_FAILED;`
	`1288`	`+}`
	`1289`	`+}`
`1271`	`1290`
`1272`	`1291`	`if (!verify_peer_name_matches_certificate(conn))`
`1273`	`1292`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitabf23ee

File tree

2 files changed

2 files changed

`‎src/backend/libpq/be-secure.c`

`‎src/interfaces/libpq/fe-secure.c`

0 commit comments