poison for X509_VERIFY_PARAM's

Tighten up checks for various X509_VERIFY_PARAM functions, and allow for the verify param to be poisoned (preculding future successful cert validation) if the setting of host, ip, or email for certificate validation fails. (since many callers do not check the return code in the wild and blunder along anyway) Inspired by some discussions with Adam Langley. ok jsing@
author: beck <> 2018-04-06 07:08:20 +0000
committer: beck <> 2018-04-06 07:08:20 +0000
commit: cbd1d6a8808038e6f357e956a343f70ecaf110f4 (patch)
tree: 3f536dd9c6701ce8c8c9a5fa0d5c883caa5222e2 /src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
parent: a0522cf10ae4b806e95c44e85e22fae53f9228d6 (diff)
download: openbsd-cbd1d6a8808038e6f357e956a343f70ecaf110f4.tar.gz
openbsd-cbd1d6a8808038e6f357e956a343f70ecaf110f4.tar.bz2
openbsd-cbd1d6a8808038e6f357e956a343f70ecaf110f4.zip
1 files changed, 53 insertions, 14 deletions
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index 4f3261c975..9c0150700d 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.12 2018/03/23 14:26:40 schwarze Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.13 2018/04/06 07:08:20 beck Exp $
 .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
 .\" selective merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: April 6 2018 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -344,14 +344,14 @@ is
 .Dv NULL
 or empty, the list of hostnames is cleared, and name checks are not
 performed on the peer certificate.
-If
+.Fa namelen
+should be set to the length of
+.Fa name .
+For historical compatibility, if 
 .Fa name
 is NUL-terminated,
 .Fa namelen
-may be zero, otherwise
+may be specified as zero.
-.Fa namelen
-must be set to the length of
-.Fa name .
 When a hostname is specified, certificate verification automatically
 invokes
 .Xr X509_check_host 3
@@ -360,6 +360,10 @@ with flags equal to the
 argument given to
 .Fn X509_VERIFY_PARAM_set_hostflags
 (default zero).
+.Fn X509_VERIFY_PARAM_set1_host
+will fail if
+.Fa name
+contains any embedded 0 bytes.
 .Pp
 .Fn X509_VERIFY_PARAM_add1_host
 adds
@@ -376,6 +380,18 @@ No change is made if
 is
 .Dv NULL
 or empty.
+.Fa namelen
+should be set to the length of
+.Fa name .
+For historical compatibility, if 
+.Fa name
+is NUL-terminated,
+.Fa namelen
+may be specified as zero.
+.Fn X509_VERIFY_PARAM_add1_host
+will fail if
+.Fa name
+contains any embedded 0 bytes.
 When multiple names are configured, the peer is considered verified when
 any name matches.
 .Pp
@@ -390,14 +406,18 @@ identifier respectively.
 .Fn X509_VERIFY_PARAM_set1_email
 sets the expected RFC822 email address to
 .Fa email .
-If
+.Fa emaillen
+should be set to the length of
+.Fa email .
+For historical compatibility, if 
 .Fa email
 is NUL-terminated,
 .Fa emaillen
-may be zero, otherwise
+may be specified as zero,
-.Fa emaillen
+.Fn X509_VERIFY_PARAM_set1_email
-must be set to the length of
+will fail if
-.Fa email .
+.Fa email
+is NULL, an empty string, or contains embedded 0 bytes.
 When an email address is specified, certificate verification
 automatically invokes
 .Xr X509_check_email 3 .
@@ -410,6 +430,12 @@ The
 argument is in binary format, in network byte-order, and
 .Fa iplen
 must be set to 4 for IPv4 and 16 for IPv6.
+.Fn X509_VERIFY_PARAM_set1_ip
+will fail if 
+.Fa ip
+is NULL or if
+.Fa iplen
+is not 4 or 16.
 When an IP address is specified,
 certificate verification automatically invokes
 .Xr X509_check_ip 3 .
@@ -422,6 +448,10 @@ The
 argument is a NUL-terminal ASCII string:
 dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6.
 The condensed "::" notation is supported for IPv6 addresses.
+.Fn X509_VERIFY_PARAM_set1_ip_asc
+will fail if
+.Fa ipasc
+is unparsable.
 .Pp
 .Fn X509_VERIFY_PARAM_add0_table
 adds
@@ -476,14 +506,23 @@ on allocation failure.
 .Fn X509_VERIFY_PARAM_set_trust ,
 .Fn X509_VERIFY_PARAM_add0_policy ,
 .Fn X509_VERIFY_PARAM_set1_policies ,
+and
+.Fn X509_VERIFY_PARAM_add0_table
+return 1 for success or 0 for failure.
+.Pp
 .Fn X509_VERIFY_PARAM_set1_host ,
 .Fn X509_VERIFY_PARAM_add1_host ,
 .Fn X509_VERIFY_PARAM_set1_email ,
 .Fn X509_VERIFY_PARAM_set1_ip ,
-.Fn X509_VERIFY_PARAM_set1_ip_asc ,
 and
-.Fn X509_VERIFY_PARAM_add0_table
+.Fn X509_VERIFY_PARAM_set1_ip_asc ,
 return 1 for success or 0 for failure.
+A failure from these routines will poison
+the
+.Vt X509_VERIFY_PARAM
+object so that future calls to
+.Xr X509_verify_cert
+using the poisoned object will fail. 
 .Pp
 .Fn X509_VERIFY_PARAM_get_flags
 returns the current verification flags.
author	beck <>	2018-04-06 07:08:20 +0000
committer	beck <>	2018-04-06 07:08:20 +0000
commit	cbd1d6a8808038e6f357e956a343f70ecaf110f4 (patch)
tree	3f536dd9c6701ce8c8c9a5fa0d5c883caa5222e2 /src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
parent	a0522cf10ae4b806e95c44e85e22fae53f9228d6 (diff)
download	openbsd-cbd1d6a8808038e6f357e956a343f70ecaf110f4.tar.gz openbsd-cbd1d6a8808038e6f357e956a343f70ecaf110f4.tar.bz2 openbsd-cbd1d6a8808038e6f357e956a343f70ecaf110f4.zip

diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index 4f3261c975..9c0150700d 100644 --- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.12 2018/03/23 14:26:40 schwarze Exp $	1	.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.13 2018/04/06 07:08:20 beck Exp $
2	.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500	2	.\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
3	.\" selective merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100	3	.\" selective merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
4	.\"	4	.\"
@@ -68,7 +68,7 @@
68	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	68	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
69	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	69	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
70	.\"	70	.\"
71	.Dd $Mdocdate: March 23 2018 $	71	.Dd $Mdocdate: April 6 2018 $
72	.Dt X509_VERIFY_PARAM_SET_FLAGS 3	72	.Dt X509_VERIFY_PARAM_SET_FLAGS 3
73	.Os	73	.Os
74	.Sh NAME	74	.Sh NAME
@@ -344,14 +344,14 @@ is
344	.Dv NULL	344	.Dv NULL
345	or empty, the list of hostnames is cleared, and name checks are not	345	or empty, the list of hostnames is cleared, and name checks are not
346	performed on the peer certificate.	346	performed on the peer certificate.
347	If	347	.Fa namelen
		348	should be set to the length of
		349	.Fa name .
		350	For historical compatibility, if
348	.Fa name	351	.Fa name
349	is NUL-terminated,	352	is NUL-terminated,
350	.Fa namelen	353	.Fa namelen
351	may be zero, otherwise	354	may be specified as zero.
352	.Fa namelen
353	must be set to the length of
354	.Fa name .
355	When a hostname is specified, certificate verification automatically	355	When a hostname is specified, certificate verification automatically
356	invokes	356	invokes
357	.Xr X509_check_host 3	357	.Xr X509_check_host 3
@@ -360,6 +360,10 @@ with flags equal to the
360	argument given to	360	argument given to
361	.Fn X509_VERIFY_PARAM_set_hostflags	361	.Fn X509_VERIFY_PARAM_set_hostflags
362	(default zero).	362	(default zero).
		363	.Fn X509_VERIFY_PARAM_set1_host
		364	will fail if
		365	.Fa name
		366	contains any embedded 0 bytes.
363	.Pp	367	.Pp
364	.Fn X509_VERIFY_PARAM_add1_host	368	.Fn X509_VERIFY_PARAM_add1_host
365	adds	369	adds
@@ -376,6 +380,18 @@ No change is made if
376	is	380	is
377	.Dv NULL	381	.Dv NULL
378	or empty.	382	or empty.
		383	.Fa namelen
		384	should be set to the length of
		385	.Fa name .
		386	For historical compatibility, if
		387	.Fa name
		388	is NUL-terminated,
		389	.Fa namelen
		390	may be specified as zero.
		391	.Fn X509_VERIFY_PARAM_add1_host
		392	will fail if
		393	.Fa name
		394	contains any embedded 0 bytes.
379	When multiple names are configured, the peer is considered verified when	395	When multiple names are configured, the peer is considered verified when
380	any name matches.	396	any name matches.
381	.Pp	397	.Pp
@@ -390,14 +406,18 @@ identifier respectively.
390	.Fn X509_VERIFY_PARAM_set1_email	406	.Fn X509_VERIFY_PARAM_set1_email
391	sets the expected RFC822 email address to	407	sets the expected RFC822 email address to
392	.Fa email .	408	.Fa email .
393	If	409	.Fa emaillen
		410	should be set to the length of
		411	.Fa email .
		412	For historical compatibility, if
394	.Fa email	413	.Fa email
395	is NUL-terminated,	414	is NUL-terminated,
396	.Fa emaillen	415	.Fa emaillen
397	may be zero, otherwise	416	may be specified as zero,
398	.Fa emaillen	417	.Fn X509_VERIFY_PARAM_set1_email
399	must be set to the length of	418	will fail if
400	.Fa email .	419	.Fa email
		420	is NULL, an empty string, or contains embedded 0 bytes.
401	When an email address is specified, certificate verification	421	When an email address is specified, certificate verification
402	automatically invokes	422	automatically invokes
403	.Xr X509_check_email 3 .	423	.Xr X509_check_email 3 .
@@ -410,6 +430,12 @@ The
410	argument is in binary format, in network byte-order, and	430	argument is in binary format, in network byte-order, and
411	.Fa iplen	431	.Fa iplen
412	must be set to 4 for IPv4 and 16 for IPv6.	432	must be set to 4 for IPv4 and 16 for IPv6.
		433	.Fn X509_VERIFY_PARAM_set1_ip
		434	will fail if
		435	.Fa ip
		436	is NULL or if
		437	.Fa iplen
		438	is not 4 or 16.
413	When an IP address is specified,	439	When an IP address is specified,
414	certificate verification automatically invokes	440	certificate verification automatically invokes
415	.Xr X509_check_ip 3 .	441	.Xr X509_check_ip 3 .
@@ -422,6 +448,10 @@ The
422	argument is a NUL-terminal ASCII string:	448	argument is a NUL-terminal ASCII string:
423	dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6.	449	dotted decimal quad for IPv4 and colon-separated hexadecimal for IPv6.
424	The condensed "::" notation is supported for IPv6 addresses.	450	The condensed "::" notation is supported for IPv6 addresses.
		451	.Fn X509_VERIFY_PARAM_set1_ip_asc
		452	will fail if
		453	.Fa ipasc
		454	is unparsable.
425	.Pp	455	.Pp
426	.Fn X509_VERIFY_PARAM_add0_table	456	.Fn X509_VERIFY_PARAM_add0_table
427	adds	457	adds
@@ -476,14 +506,23 @@ on allocation failure.
476	.Fn X509_VERIFY_PARAM_set_trust ,	506	.Fn X509_VERIFY_PARAM_set_trust ,
477	.Fn X509_VERIFY_PARAM_add0_policy ,	507	.Fn X509_VERIFY_PARAM_add0_policy ,
478	.Fn X509_VERIFY_PARAM_set1_policies ,	508	.Fn X509_VERIFY_PARAM_set1_policies ,
		509	and
		510	.Fn X509_VERIFY_PARAM_add0_table
		511	return 1 for success or 0 for failure.
		512	.Pp
479	.Fn X509_VERIFY_PARAM_set1_host ,	513	.Fn X509_VERIFY_PARAM_set1_host ,
480	.Fn X509_VERIFY_PARAM_add1_host ,	514	.Fn X509_VERIFY_PARAM_add1_host ,
481	.Fn X509_VERIFY_PARAM_set1_email ,	515	.Fn X509_VERIFY_PARAM_set1_email ,
482	.Fn X509_VERIFY_PARAM_set1_ip ,	516	.Fn X509_VERIFY_PARAM_set1_ip ,
483	.Fn X509_VERIFY_PARAM_set1_ip_asc ,
484	and	517	and
485	.Fn X509_VERIFY_PARAM_add0_table	518	.Fn X509_VERIFY_PARAM_set1_ip_asc ,
486	return 1 for success or 0 for failure.	519	return 1 for success or 0 for failure.
		520	A failure from these routines will poison
		521	the
		522	.Vt X509_VERIFY_PARAM
		523	object so that future calls to
		524	.Xr X509_verify_cert
		525	using the poisoned object will fail.
487	.Pp	526	.Pp
488	.Fn X509_VERIFY_PARAM_get_flags	527	.Fn X509_VERIFY_PARAM_get_flags
489	returns the current verification flags.	528	returns the current verification flags.