[Openswan dev] potential authentication bug in strongSwan/Openswan

[Thomas Walpuski]

It looks like there is an authentication bug in strongSwan/Openswan.
(I've not verified the issue on a running system, yet.)

If an attacker sends a his (fake) CA certificate with issuer A and
subject B and user certificate with issuer B and subject B signed by his
CA wrapped in PKCS#7 as certificate payload the following happens:

  0 ...
  1 decode_cert() lets parse_pkcs7_cert() parse the certificate payload
    and passes the result to store_x509certs().
  2.1 store_x509certs() walks through the CA certificate(s), ensures
      that it is no root CA (subject /= issuer) and enters it to the CA
      certificate storage. => The attacker's CA certificate makes it way
      into the CA certificate storage.
  2.2 store_x509certs() walks through all certificates and adds their
      public key and identity to the key storage _if_ they can be
      verified:

        verify_x509cert() checks whether the user certificate is in its
	validity period, gets the issuer's certificate and checks the
	user certificate's signature. => The attacker gets his user
	certificate verified, because he already got his CA certificate
	in.
	If the user certificates issuer and subject are the same,
	verify_x509cert() returns TRUE indicating successful certificate
	verification, otherwise the issuer certificate is checked. =>
	In the attacker's user certificate subject = issuer, ...

With a carefully crafted certificate payload anyone can "authenticate"
against strongSwan/Openswan.

What do you think? Have I missed something substantial?

BTW: Sorry for posting you mailing lists. I didn't found any security
contact information.

Thomas Walpuski