netcat cert hash validation broken

netcat cert hash validation broken

Alexander Bluhm
Hi,

When the netcat server should check the certificate hash of the
client, it always succeeds.  So nc -c -H -l is always successful,
no matter what certificate the client provides.

The bug is that the TLS context of the listen socket is used instead
of the accepted connection.

Also I would like to fail if the user wants to validate a hash, but
there is none.  The fail-open logic prevented the bug from being
detected for a long time.

ok?

bluhm

Index: usr.bin/nc/netcat.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/nc/netcat.c,v
retrieving revision 1.214
diff -u -p -r1.214 netcat.c
--- usr.bin/nc/netcat.c 6 Jan 2020 19:39:58 -0000 1.214
+++ usr.bin/nc/netcat.c 7 Jan 2020 14:10:51 -0000
@@ -835,8 +835,8 @@ tls_setup_client(struct tls *tls_ctx, in
  }
  if (vflag)
  report_tls(tls_ctx, host);
- if (tls_expecthash && tls_peer_cert_hash(tls_ctx) &&
-    strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)
+ if (tls_expecthash && (tls_peer_cert_hash(tls_ctx) == NULL ||
+    strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0))
  errx(1, "peer certificate is not %s", tls_expecthash);
  if (Zflag) {
  save_peer_cert(tls_ctx, Zflag);
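
Review bot: on the `+` lines a NULL return from tls_peer_cert_hash(tls_ctx) now triggers `errx(1, "peer certificate is not %s", tls_expecthash)`, which is the fail-closed behaviour the mail asks for, but the message is misleading when no hash was available at all; consider a separate message for the NULL branch, e.g. `errx(1, "no peer certificate hash to compare against %s", tls_expecthash)`. Minor: tls_peer_cert_hash(tls_ctx) is called twice in the new condition; keeping the result in a local would avoid the repeat.
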
@@ -864,8 +864,9 @@ tls_setup_server(struct tls *tls_ctx, in
  report_tls(tls_cctx, host);
  if ((TLSopt & TLS_CCERT) && !gotcert)
  warnx("No client certificate provided");
- else if (gotcert && tls_peer_cert_hash(tls_ctx) && tls_expecthash &&
-    strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)
+ else if (gotcert && tls_expecthash &&
+    (tls_peer_cert_hash(tls_cctx) == NULL ||
+    strcmp(tls_expecthash, tls_peer_cert_hash(tls_cctx)) != 0))
  warnx("peer certificate is not %s", tls_expecthash);
  else if (gotcert && tls_expectname &&
     (!tls_peer_cert_contains_name(tls_cctx, tls_expectname)))
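
Review bot: the switch from tls_ctx to tls_cctx on the `+` lines is the actual fix, and it matches the rest of this function, which already queries the accepted connection (report_tls(tls_cctx, host), tls_peer_cert_contains_name(tls_cctx, ...)); the old `-` lines asked the listening context for a peer hash, got NULL, and the `&&` chain short-circuited to false, so the mismatch was never reported. Two points: this server branch still reports the mismatch with warnx while the client path uses errx(1, ...), so confirm that the code following this else-if chain (not in the hunk) closes the connection on this warning rather than carrying on; and, as in the client hunk, the NULL-hash case now prints `peer certificate is not %s`, which could be made more specific.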

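As an added example (not netcat's or libtls's own code): a small Python helper that derives the value `nc -H` expects from a PEM certificate (for instance one saved with `nc -Z`), using the `SHA256:<hex>` form that libtls's tls_peer_cert_hash(3) reports, and compares it fail-closed the way the patched check does. The certificate bytes below are constructed, not a real X.509 certificate.

```python
import base64
import hashlib
import re
import sys
from typing import Optional

# Constructed stand-in for a certificate: arbitrary bytes, not real X.509,
# so the example runs offline; a certificate saved with `nc -Z` would go here.
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Return the raw DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def libtls_cert_hash(der: bytes) -> str:
    """Hash string in the form tls_peer_cert_hash(3) reports: 'SHA256:'
    followed by the lowercase hex SHA-256 of the raw DER certificate."""
    return "SHA256:" + hashlib.sha256(der).hexdigest()


def peer_hash_ok(expected: Optional[str], peer_hash: Optional[str]) -> bool:
    """Fail-closed comparison, mirroring the patched netcat check.

    expected  -- the value given with -H, or None when no check was requested
    peer_hash -- what the accepted connection's context reports, or None when
                 no peer certificate (and hence no hash) is available
    """
    if expected is None:
        return True            # nothing was asked for; nothing to enforce
    if peer_hash is None:
        return False           # asked to verify but no hash: reject, not pass
    return peer_hash == expected


if __name__ == "__main__":
    # Print the -H value for the PEM file named on the command line.
    with open(sys.argv[1], encoding="ascii") as f:
        print(libtls_cert_hash(pem_to_der(f.read())))
```

Note that the check must be fed the hash of the accepted connection's context; querying the listening context yields no hash, which the fail-closed comparison turns into a rejection instead of a silent pass.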
Re: netcat cert hash validation broken

Theo Buehler
On Tue, Jan 07, 2020 at 03:32:02PM +0100, Alexander Bluhm wrote:

> Hi,
>
> When the netcat server should check the certificate hash of the
> client, it always succeeds.  So nc -c -H -l is always successful,
> no matter what certificate the client provides.
>
> The bug is that the TLS context of the listen socket is used instead
> of the accepted connection.
>
> Also I would like to fail if the user wants to validate a hash, but
> there is none.  The fail open logic prevented that the bug was
> detected for a long time.
>
> ok?

ok tb