supply proper input buffer to X509_check_host
CVE-2020-7042, use of uninitialized memory in X509_check_host, is fixed with
this commit.

The uninitialized buffer common_name was passed as argument to X509_check_host,
which prevented proper host name validation when openssl >= 1.0.2 was in use.
This came in with #282, which went into openfortivpn 1.7.1.
Unfortunately, this problem stayed unnoticed because the return value
was not properly checked either (which is a separate issue, CVE-2020-7041,
and which has been fixed by the previous commit).
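The two defects the commit message describes (validating against a buffer that never held the gateway name, and not testing the result precisely) are easiest to see with a check that runs offline. The following is an added example, not openfortivpn or OpenSSL code: it uses Go's standard crypto/x509 package, whose VerifyHostname covers both DNS names and IP literals (the OpenSSL equivalents are X509_check_host and X509_check_ip_asc), builds a self-signed certificate in memory, and then validates it against the configured gateway host exactly the way the fixed tunnel.c does. The names vpn.example.test, *.gw.example.test and 192.0.2.10 are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeGatewayCert builds a self-signed leaf certificate in memory. The names
// ("vpn.example.test", "*.gw.example.test", 192.0.2.10) are constructed for
// this example and stand in for whatever a real gateway would present.
func makeGatewayCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vpn.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"vpn.example.test", "*.gw.example.test"},
		IPAddresses:  []net.IP{net.ParseIP("192.0.2.10")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkGatewayName is the hardened shape of the check: the name compared
// against the certificate is the configured gateway host itself, and the
// caller gets an explicit error rather than an integer it might forget to
// test. VerifyHostname matches dNSName SANs (including a leftmost-label
// wildcard) and iPAddress SANs, so an IP-literal gateway is handled too.
func checkGatewayName(cert *x509.Certificate, gatewayHost string) error {
	if gatewayHost == "" {
		// The openfortivpn bug validated against a buffer that never held
		// the gateway name. An empty name is the closest safe analogue here
		// and must be rejected outright, never treated as a match.
		return fmt.Errorf("gateway host is empty; refusing to validate")
	}
	return cert.VerifyHostname(gatewayHost)
}

// gatewayNameMatches is the boolean form of the check, mirroring the
// cert_valid flag in tunnel.c.
func gatewayNameMatches(cert *x509.Certificate, gatewayHost string) bool {
	return checkGatewayName(cert, gatewayHost) == nil
}

func main() {
	cert, err := makeGatewayCert()
	if err != nil {
		panic(err)
	}
	hosts := []string{"vpn.example.test", "a.gw.example.test", "192.0.2.10",
		"evil.example.test", "x.y.gw.example.test", ""}
	for _, h := range hosts {
		fmt.Printf("%-22q match=%v\n", h, gatewayNameMatches(cert, h))
	}
}
```

The point carried over from the patch is that the value handed to the validator must be the name the user configured, and the result must be tested for an unambiguous success, not merely for "non-zero".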
mrbaseman authored and adrienverge committed Feb 26, 2020
1 parent 60660e0 commit 9eee997
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions src/tunnel.c
@@ -652,7 +652,6 @@ static int ssl_verify_cert(struct tunnel *tunnel)
char *line;
int i;
X509_NAME *subj;
char common_name[FIELD_SIZE + 1];

SSL_set_verify(tunnel->ssl_handle, SSL_VERIFY_PEER, NULL);

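Review bot: dropping `char common_name[FIELD_SIZE + 1];` from function scope is correct only if nothing in the lines this hunk does not show (roughly 655 to 665, between the two hunks) still references common_name in the HAVE_X509_CHECK_HOST build; please confirm, since a leftover use there would now fail to compile. With that confirmed, the narrower scope is an improvement: the buffer exists only where the fallback Common Name path actually fills it, and an unused-variable warning in native-validation builds goes away.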
@@ -666,10 +665,13 @@ static int ssl_verify_cert(struct tunnel *tunnel)

#ifdef HAVE_X509_CHECK_HOST
// Use OpenSSL native host validation if v >= 1.0.2.
// correctly check return value of X509_check_host
if (X509_check_host(cert, common_name, FIELD_SIZE, 0, NULL) == 1)
// compare against gateway_host and correctly check return value
// to fix piror Incorrect use of X509_check_host
if (X509_check_host(cert, tunnel->config->gateway_host,
0, 0, NULL) == 1)
cert_valid = 1;
#else
char common_name[FIELD_SIZE + 1];
// Use explicit Common Name check if native validation not available.
// Note: this will ignore Subject Alternative Name fields.
if (subj
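Review bot: X509_check_host only matches DNS-type names (dNSName SANs, or the CN as textual fallback), so if tunnel->config->gateway_host can be an IP address literal the new call `if (X509_check_host(cert, tunnel->config->gateway_host,` will only return 1 when that address appears verbatim as a dNSName or CN, not when it is carried in an iPAddress SAN; consider branching to X509_check_ip_asc for IP literals. The rest of the call is right: namelen 0 makes OpenSSL take gateway_host as a NUL-terminated string, and testing `== 1` rather than `!= 0` keeps the negative error returns (malformed input) from being mistaken for a match. Minor: the new comment reads `piror Incorrect`; it should say `prior incorrect`.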