diff options
| author | doug <> | 2015-04-29 00:24:31 +0000 |
|---|---|---|
| committer | doug <> | 2015-04-29 00:24:31 +0000 |
| commit | 0f00fd11c521724cc0763feed192676c04edcbed (patch) | |
| tree | 0fca393d669e322e74118681366789dc496a1a5b | |
| parent | 843c114d1987e49ba9785f455dad7c1709177bb2 (diff) | |
| download | openbsd-0f00fd11c521724cc0763feed192676c04edcbed.tar.gz openbsd-0f00fd11c521724cc0763feed192676c04edcbed.tar.bz2 openbsd-0f00fd11c521724cc0763feed192676c04edcbed.zip | |
Reject dNSName of " " for subjectAltName extension.
RFC 5280 says " " must not be used as a dNSName.
ok jsing@ jca@
| -rw-r--r-- | src/lib/libtls/tls_verify.c | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c index c1a5387829..6a569e1761 100644 --- a/src/lib/libtls/tls_verify.c +++ b/src/lib/libtls/tls_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_verify.c,v 1.7 2015/02/11 06:46:33 jsing Exp $ */ | 1 | /* $OpenBSD: tls_verify.c,v 1.8 2015/04/29 00:24:31 doug Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * | 4 | * |
| @@ -79,6 +79,7 @@ tls_match_name(const char *cert_name, const char *name) | |||
| 79 | return -1; | 79 | return -1; |
| 80 | } | 80 | } |
| 81 | 81 | ||
| 82 | /* See RFC 5280 section 4.2.1.6 for SubjectAltName details. */ | ||
| 82 | int | 83 | int |
| 83 | tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name) | 84 | tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name) |
| 84 | { | 85 | { |
| @@ -132,6 +133,20 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name) | |||
| 132 | break; | 133 | break; |
| 133 | } | 134 | } |
| 134 | 135 | ||
| 136 | /* | ||
| 137 | * Per RFC 5280 section 4.2.1.6: | ||
| 138 | * " " is a legal domain name, but that | ||
| 139 | * dNSName must be rejected. | ||
| 140 | */ | ||
| 141 | if (strcmp(data, " ") == 0) { | ||
| 142 | tls_set_error(ctx, | ||
| 143 | "error verifying name '%s': " | ||
| 144 | "a dNSName of \" \" must not be " | ||
| 145 | "used", name); | ||
| 146 | rv = -2; | ||
| 147 | break; | ||
| 148 | } | ||
| 149 | |||
| 135 | if (tls_match_name(data, name) == 0) { | 150 | if (tls_match_name(data, name) == 0) { |
| 136 | rv = 0; | 151 | rv = 0; |
| 137 | break; | 152 | break; |
| @@ -159,6 +174,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name) | |||
| 159 | break; | 174 | break; |
| 160 | } | 175 | } |
| 161 | 176 | ||
| 177 | /* | ||
| 178 | * Per RFC 5280 section 4.2.1.6: | ||
| 179 | * IPv4 must use 4 octets and IPv6 must use 16 octets. | ||
| 180 | */ | ||
| 162 | if (datalen == addrlen && | 181 | if (datalen == addrlen && |
| 163 | memcmp(data, &addrbuf, addrlen) == 0) { | 182 | memcmp(data, &addrbuf, addrlen) == 0) { |
| 164 | rv = 0; | 183 | rv = 0; |