Bug#961756: glib-networking: CVE-2020-13645: GTlsClientConnection silently ignores unset server identity

Tue Jul 7 10:25:03 BST 2020

On Thu, 28 May 2020 at 22:41:19 +0200, Salvatore Bonaccorso wrote:
> CVE-2020-13645[0]:
> | In GNOME glib-networking through 2.64.2, the implementation of
> | GTlsClientConnection skips hostname verification of the server's TLS
> | certificate if the application fails to specify the expected server
> | identity. This is in contrast to its intended documented behavior, to
> | fail the certificate verification. Applications that fail to provide
> | the server identity, including Balsa before 2.5.11 and 2.6.x before
> | 2.6.1, accept a TLS certificate if the certificate is valid for any
> | host.

A reproducer is available from
https://gitlab.gnome.org/GNOME/balsa/-/issues/34 (look for
test-tls.tar.xz).

Preconditions:
* Compile the test program from test-tls.tar.xz (attached)
* Have a test server with two names, and no valid cert for one of them.
  people.debian.org works: it has a valid cert for people.debian.org,
  but not for paradis.debian.org. (Check this with a browser first,
  in case SNI gets added later.)

Bad result: connecting without specifying a server identity succeeds.

$ sudo apt-get install glib-networking=2.58.0-2
$ ./test_server_valid people.debian.org:443 0
** Message: 09:16:43.133: set remote server_identity: no
** Message: 09:16:43.534: g_tls_connection_handshake(): OK (no error)
$ ./test_server_valid people.debian.org:443 1
** Message: 09:16:02.406: set remote server_identity: yes
** Message: 09:16:02.779: g_tls_connection_handshake(): OK (no error)
$ ./test_server_valid paradis.debian.org:443 0
** Message: 09:18:36.097: set remote server_identity: no
** Message: 09:18:36.495: g_tls_connection_handshake(): OK (no error)
$ ./test_server_valid paradis.debian.org:443 1
** Message: 09:18:37.722: set remote server_identity: yes
** Message: 09:18:38.132: cert_accept_cb: conn=0x561d080d8150, cert=0x7fdbcc005eb0 for 'people.debian.org', error=0x2
** Message: 09:18:38.132: g_tls_connection_handshake(): ERROR (Unacceptable TLS certificate)

Good result: the only way to avoid G_TLS_CERTIFICATE_BAD_IDENTITY is to
specify the server's name in the form that appears in its certificate.

$ sudo dpkg -i glib-networking_2.58.0-2+deb10u1_amd64.deb
$ ./test_server_valid people.debian.org:443 0
** Message: 09:20:01.640: set remote server_identity: no
** Message: 09:20:02.045: cert_accept_cb: conn=0x55afead25150, cert=0x7f1f3c005eb0 for 'people.debian.org', error=0x2
** Message: 09:20:02.045: g_tls_connection_handshake(): ERROR (Unacceptable TLS certificate)
$ ./test_server_valid people.debian.org:443 1
** Message: 09:20:03.338: set remote server_identity: yes
** Message: 09:20:03.737: g_tls_connection_handshake(): OK (no error)
$ ./test_server_valid paradis.debian.org:443 0 
** Message: 09:20:08.924: set remote server_identity: no
** Message: 09:20:09.332: cert_accept_cb: conn=0x5620d607a150, cert=0x7f38500066b0 for 'people.debian.org', error=0x2
** Message: 09:20:09.332: g_tls_connection_handshake(): ERROR (Unacceptable TLS certificate)
$ ./test_server_valid paradis.debian.org:443 1
** Message: 09:20:10.552: set remote server_identity: yes
** Message: 09:20:10.954: cert_accept_cb: conn=0x560a74e26150, cert=0x7f88e8005eb0 for 'people.debian.org', error=0x2
** Message: 09:20:10.955: g_tls_connection_handshake(): ERROR (Unacceptable TLS certificate)

(0x2 is G_TLS_CERTIFICATE_BAD_IDENTITY.)

    smcv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_server_valid.c
Type: text/x-csrc
Size: 2441 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20200707/b2515a8b/attachment.c>