Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

X509 verify non-DNS SANs #3554

Merged
merged 4 commits into from
Aug 14, 2020
Merged

X509 verify non-DNS SANs #3554

merged 4 commits into from
Aug 14, 2020

Conversation

mpg
Copy link
Contributor

@mpg mpg commented Aug 11, 2020
edited
Loading

Description

Fixes #3498 - only the bug part.

The other part of #3498 was a feature request, already addressed in #2906 - which will need to be rebased on this PR, or on development after this PR is merged.

Status

READY

Requires Backporting

Partial: the bug was introduced in 2.18.0, so it's not present in the LTS branches, but let's backport the new test just to be extra sure.

mpg added 4 commits August 11, 2020 10:23
@mpg
Add test: DNS names should not match IP addresses
7d2a4d8 
Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg
Fix comparison between different name types
f3e4bd8 
Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg
Improve documentation of cn in x509_crt_verify()
f58e5cc 
Mention explicitly that only DNS names are supported so far, and while at it
explain where the name is searched.

Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg
Add ChangeLog entry for X.509 CN-type vulnerability
204e054 
Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg mpg added bug mbed TLS team needs-review Every commit must be reviewed by at least two team members, needs-backports Backports are missing or are pending review and approval. component-x509 needs-ci Needs to pass CI tests labels Aug 11, 2020
@mpg mpg self-assigned this Aug 11, 2020
@mpg mpg changed the title X509 verify non dns san dev X509 verify non-DNS SANs Aug 11, 2020
This was referenced Aug 11, 2020
Merged
Merged
@gilles-peskine-arm gilles-peskine-arm removed the needs-ci Needs to pass CI tests label Aug 12, 2020
@mpg mpg mentioned this pull request Aug 13, 2020
Closed
3 tasks
@hanno-becker hanno-becker removed the needs-review Every commit must be reviewed by at least two team members, label Aug 14, 2020
@mpg
Copy link
Contributor Author

mpg commented Aug 14, 2020

@gilles-peskine-arm @hanno-arm Do you think I should mention in the ChangeLog entry that the bug was introduced in 2.18.0? We don't usually include that kind of information, but in that case it could be useful to explain why there is no corresponding ChangeLog entry in the LTS branches. Wdyt?

@mpg
Copy link
Contributor Author

mpg commented Aug 14, 2020

Exceptionally merging before the backports are approved, in order to unblock external contribution in #2906.

@mpg mpg merged commit 8ca03a7 into Mbed-TLS:development Aug 14, 2020
@gilles-peskine-arm
Copy link
Contributor

I don't think it's particularly useful. It wouldn't be the first time we fix a bug that was introduced after the last LTS. There are precedents where we say this, but I'm sure there are precedents where we don't. If someone is concerned about this, they can look at the comments on the pull request. Since this is merged, let's let it be.

@mpg mpg deleted the x509-verify-non-dns-san-dev branch August 17, 2020 07:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gilles-peskine-arm gilles-peskine-arm gilles-peskine-arm approved these changes

@hanno-becker hanno-becker hanno-becker approved these changes

Assignees

@mpg mpg

Labels
bug component-x509 needs-backports Backports are missing or are pending review and approval.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Erroneous handling of IP address SANs
3 participants
@mpg @gilles-peskine-arm @hanno-becker