[Openswan dev] potential authentication bug in strongSwan/Openswan

Thomas Walpuski thomas at unproved.org
Wed Jun 16 15:36:44 CEST 2004

It looks like there is an authentication bug in strongSwan/Openswan.
(I've not verified the issue on a running system, yet.)

If an attacker sends his (fake) CA certificate with issuer A and
subject B and a user certificate with issuer B and subject B signed by his
CA, wrapped in PKCS#7 as a certificate payload, the following happens:

  0 ...
  1 decode_cert() lets parse_pkcs7_cert() parse the certificate payload
    and passes the result to store_x509certs().
  2.1 store_x509certs() walks through the CA certificate(s), ensures
      that it is not a root CA (subject /= issuer) and enters it into the CA
      certificate storage. => The attacker's CA certificate makes its way
      into the CA certificate storage.
  2.2 store_x509certs() walks through all certificates and adds their
      public key and identity to the key storage _if_ they can be

        verify_x509cert() checks whether the user certificate is in its
        validity period, gets the issuer's certificate and checks the
        user certificate's signature. => The attacker gets his user
        certificate verified, because he already got his CA certificate
        If the user certificate's issuer and subject are the same,
        verify_x509cert() returns TRUE indicating successful certificate
        verification, otherwise the issuer certificate is checked. =>
        In the attacker's user certificate subject = issuer, ...

With a carefully crafted certificate payload anyone can "authenticate"
against strongSwan/Openswan.

What do you think? Have I missed something substantial?

BTW: Sorry for posting to your mailing lists. I didn't find any security
contact information.

Thomas Walpuski
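As an added illustration (not code from the post, from Openswan or from strongSwan), the following Python model replays the scenario described above: a payload carrying a CA certificate with issuer A / subject B plus a user certificate with issuer B / subject B signed by that CA, fed first into a store/verify routine that behaves as the post describes (received non-root CA certificates enter the CA store, and a certificate whose subject equals its issuer ends the chain), then into a hardened variant in which received certificates are never promoted to trust anchors and every chain must terminate at a configured anchor. The names `vulnerable_store_x509certs`, `hardened_verify`, the `Key`/`Cert` classes and the sample identities are all assumptions made for the example; signatures are modelled with an HMAC stand-in so the script runs without an asymmetric-crypto library, and the hardened variant is one reasonable fix, not the project's actual patch.

```python
"""Model of the CA-store trust confusion described above.

Added example: this is not code from the post, Openswan or strongSwan.
Signatures are modelled with an HMAC over the to-be-signed fields (a
stand-in so the script runs without an asymmetric-crypto library); the
trust logic, not the signature scheme, is what the example exercises.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Key:
    """Stand-in for a key pair: 'secret' signs, its hash serves as key id."""
    secret: bytes = field(default_factory=lambda: os.urandom(32))

    @property
    def kid(self) -> str:
        return hashlib.sha256(self.secret).hexdigest()[:16]


@dataclass
class Cert:
    subject: str
    issuer: str
    key: Key                 # certified key (stand-in for SubjectPublicKeyInfo)
    is_ca: bool = False      # stand-in for the basicConstraints cA flag
    signature: bytes = b""

    def tbs(self) -> bytes:
        return f"{self.subject}|{self.issuer}|{self.key.kid}|{self.is_ca}".encode()


def sign(cert: Cert, issuer_key: Key) -> Cert:
    cert.signature = hmac.new(issuer_key.secret, cert.tbs(), hashlib.sha256).digest()
    return cert


def signature_ok(cert: Cert, issuer_cert: Cert) -> bool:
    # Model only: a real verifier uses the issuer's public key, never a secret.
    expected = hmac.new(issuer_cert.key.secret, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


def find_issuer(store, name):
    return next((c for c in store if c.subject == name), None)


# --- Vulnerable logic as the post describes it (steps 2.1 / 2.2) -------------

def vulnerable_verify(cert: Cert, ca_store) -> bool:
    issuer = find_issuer(ca_store, cert.issuer)
    if issuer is None or not signature_ok(cert, issuer):
        return False
    if cert.subject == cert.issuer:
        return True                       # self-issued => treated as end of chain
    return vulnerable_verify(issuer, ca_store)


def vulnerable_store_x509certs(payload, ca_store, key_store):
    # 2.1: every received CA cert that is not a root goes straight into the CA store
    for c in payload:
        if c.is_ca and c.subject != c.issuer:
            ca_store.append(c)
    # 2.2: any cert that now "verifies" has its key and identity registered
    for c in payload:
        if vulnerable_verify(c, ca_store):
            key_store[c.subject] = c.key.kid


# --- Hardened variant (one reasonable fix, not the project's own patch) -------

def hardened_verify(cert: Cert, anchors, untrusted, depth: int = 4) -> bool:
    """Chain must end at a configured anchor; received certs only act as intermediates."""
    if depth == 0:                        # bounds cycles built from attacker certs
        return False
    for anchor in anchors:
        if anchor.subject == cert.issuer and signature_ok(cert, anchor):
            return True
    for inter in untrusted:
        if (inter is not cert and inter.is_ca and inter.subject == cert.issuer
                and signature_ok(cert, inter)):
            if hardened_verify(inter, anchors, untrusted, depth - 1):
                return True
    return False


def hardened_store_x509certs(payload, anchors, key_store):
    untrusted = [c for c in payload if c.is_ca]     # never promoted to anchors
    for c in payload:
        if not c.is_ca and hardened_verify(c, anchors, untrusted):
            key_store[c.subject] = c.key.kid


def run_demo() -> dict:
    root_key = Key()
    root = sign(Cert("Real Root CA", "Real Root CA", root_key, is_ca=True), root_key)
    alice = sign(Cert("alice", "Real Root CA", Key()), root_key)

    # Attacker payload from the post: CA cert issuer A / subject B, user cert
    # issuer B / subject B, signed by the attacker's own CA key (constructed data).
    mallory_ca_key = Key()
    fake_ca = sign(Cert("B", "A", mallory_ca_key, is_ca=True), Key())
    fake_user = sign(Cert("B", "B", Key()), mallory_ca_key)

    results = {}
    for label, payload in (("alice", [alice]), ("attacker", [fake_ca, fake_user])):
        vuln_keys, hard_keys = {}, {}
        vulnerable_store_x509certs(payload, [root], vuln_keys)
        hardened_store_x509certs(payload, [root], hard_keys)
        results[f"vulnerable_accepts_{label}"] = bool(vuln_keys)
        results[f"hardened_accepts_{label}"] = bool(hard_keys)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Running the script registers the attacker's key under identity B in the vulnerable path and rejects the same payload in the hardened path, while a certificate genuinely issued by the configured root is accepted by both. The two properties the hardened path relies on are that nothing received over the wire ever becomes a trust anchor and that a self-issued certificate only terminates a chain when it is itself a configured anchor; the depth bound is there so an attacker cannot stall the verifier with a cycle of mutually-issued certificates.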
