diff options
| author | beck <> | 2023-09-29 15:53:59 +0000 |
|---|---|---|
| committer | beck <> | 2023-09-29 15:53:59 +0000 |
| commit | 266a46fc156d909c580ce8946cc574da9a2ee5b4 (patch) | |
| tree | 9289b67644f1ef47e15e9b80e3105d2ff11da1d2 /src/lib | |
| parent | f4f0e4daf1dec6165cb0996274d1ce8cd63b6dc6 (diff) | |
| download | openbsd-266a46fc156d909c580ce8946cc574da9a2ee5b4.tar.gz openbsd-266a46fc156d909c580ce8946cc574da9a2ee5b4.tar.bz2 openbsd-266a46fc156d909c580ce8946cc574da9a2ee5b4.zip | |
Allow IP addresses to be specified in a URI.
Our checking here was a bit too aggressive, and did not permit an
IP address in a URI. IP's in a URI are allowed for things like CRLdp's
AIA, SAN URI's etc.). The check for this was also slightly flawed as
we would permit an IP if memory allocation failed while checking for
an IP.
Correct both issues.
ok tb@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_constraints.c | 31 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_internal.h | 4 |
2 files changed, 20 insertions, 15 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c index 346cab0a40..0773d2ba71 100644 --- a/src/lib/libcrypto/x509/x509_constraints.c +++ b/src/lib/libcrypto/x509/x509_constraints.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_constraints.c,v 1.31 2022/12/26 07:18:53 jmc Exp $ */ | 1 | /* $OpenBSD: x509_constraints.c,v 1.32 2023/09/29 15:53:59 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -38,23 +38,23 @@ | |||
| 38 | #define MAX_IP_ADDRESS_LENGTH (size_t)46 | 38 | #define MAX_IP_ADDRESS_LENGTH (size_t)46 |
| 39 | 39 | ||
| 40 | static int | 40 | static int |
| 41 | cbs_is_ip_address(CBS *cbs) | 41 | cbs_is_ip_address(CBS *cbs, int *is_ip) |
| 42 | { | 42 | { |
| 43 | struct sockaddr_in6 sin6; | 43 | struct sockaddr_in6 sin6; |
| 44 | struct sockaddr_in sin4; | 44 | struct sockaddr_in sin4; |
| 45 | char *name = NULL; | 45 | char *name = NULL; |
| 46 | int ret = 0; | ||
| 47 | 46 | ||
| 47 | *is_ip = 0; | ||
| 48 | if (CBS_len(cbs) > MAX_IP_ADDRESS_LENGTH) | 48 | if (CBS_len(cbs) > MAX_IP_ADDRESS_LENGTH) |
| 49 | return 0; | 49 | return 1; |
| 50 | if (!CBS_strdup(cbs, &name)) | 50 | if (!CBS_strdup(cbs, &name)) |
| 51 | return 0; | 51 | return 0; |
| 52 | if (inet_pton(AF_INET, name, &sin4) == 1 || | 52 | if (inet_pton(AF_INET, name, &sin4) == 1 || |
| 53 | inet_pton(AF_INET6, name, &sin6) == 1) | 53 | inet_pton(AF_INET6, name, &sin6) == 1) |
| 54 | ret = 1; | 54 | *is_ip = 1; |
| 55 | 55 | ||
| 56 | free(name); | 56 | free(name); |
| 57 | return ret; | 57 | return 1; |
| 58 | } | 58 | } |
| 59 | 59 | ||
| 60 | struct x509_constraints_name * | 60 | struct x509_constraints_name * |
| @@ -264,16 +264,21 @@ x509_constraints_valid_domain_internal(CBS *cbs, int wildcards) | |||
| 264 | } | 264 | } |
| 265 | 265 | ||
| 266 | int | 266 | int |
| 267 | x509_constraints_valid_host(CBS *cbs) | 267 | x509_constraints_valid_host(CBS *cbs, int permit_ip) |
| 268 | { | 268 | { |
| 269 | uint8_t first; | 269 | uint8_t first; |
| 270 | int is_ip; | ||
| 270 | 271 | ||
| 271 | if (!CBS_peek_u8(cbs, &first)) | 272 | if (!CBS_peek_u8(cbs, &first)) |
| 272 | return 0; | 273 | return 0; |
| 273 | if (first == '.') | 274 | if (first == '.') |
| 274 | return 0; /* leading . not allowed in a host name */ | 275 | return 0; /* leading . not allowed in a host name or IP */ |
| 275 | if (cbs_is_ip_address(cbs)) | 276 | if (!permit_ip) { |
| 276 | return 0; | 277 | if (!cbs_is_ip_address(cbs, &is_ip)) |
| 278 | return 0; | ||
| 279 | if (is_ip) | ||
| 280 | return 0; | ||
| 281 | } | ||
| 277 | 282 | ||
| 278 | return x509_constraints_valid_domain_internal(cbs, 0); | 283 | return x509_constraints_valid_domain_internal(cbs, 0); |
| 279 | } | 284 | } |
| @@ -441,7 +446,7 @@ x509_constraints_parse_mailbox(CBS *candidate, | |||
| 441 | if (candidate_local == NULL || candidate_domain == NULL) | 446 | if (candidate_local == NULL || candidate_domain == NULL) |
| 442 | goto bad; | 447 | goto bad; |
| 443 | CBS_init(&domain_cbs, candidate_domain, strlen(candidate_domain)); | 448 | CBS_init(&domain_cbs, candidate_domain, strlen(candidate_domain)); |
| 444 | if (!x509_constraints_valid_host(&domain_cbs)) | 449 | if (!x509_constraints_valid_host(&domain_cbs, 0)) |
| 445 | goto bad; | 450 | goto bad; |
| 446 | 451 | ||
| 447 | if (name != NULL) { | 452 | if (name != NULL) { |
| @@ -558,7 +563,7 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart) | |||
| 558 | if (host == NULL) | 563 | if (host == NULL) |
| 559 | host = authority; | 564 | host = authority; |
| 560 | CBS_init(&host_cbs, host, hostlen); | 565 | CBS_init(&host_cbs, host, hostlen); |
| 561 | if (!x509_constraints_valid_host(&host_cbs)) | 566 | if (!x509_constraints_valid_host(&host_cbs, 1)) |
| 562 | return 0; | 567 | return 0; |
| 563 | if (hostpart != NULL && !CBS_strdup(&host_cbs, hostpart)) | 568 | if (hostpart != NULL && !CBS_strdup(&host_cbs, hostpart)) |
| 564 | return 0; | 569 | return 0; |
| @@ -924,7 +929,7 @@ x509_constraints_extract_names(struct x509_constraints_names *names, | |||
| 924 | goto err; | 929 | goto err; |
| 925 | } | 930 | } |
| 926 | CBS_init(&cbs, aname->data, aname->length); | 931 | CBS_init(&cbs, aname->data, aname->length); |
| 927 | if (!x509_constraints_valid_host(&cbs)) | 932 | if (!x509_constraints_valid_host(&cbs, 0)) |
| 928 | continue; /* ignore it if not a hostname */ | 933 | continue; /* ignore it if not a hostname */ |
| 929 | if ((vname = x509_constraints_name_new()) == NULL) { | 934 | if ((vname = x509_constraints_name_new()) == NULL) { |
| 930 | *error = X509_V_ERR_OUT_OF_MEM; | 935 | *error = X509_V_ERR_OUT_OF_MEM; |
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h index c4222bcfe5..15efff6097 100644 --- a/src/lib/libcrypto/x509/x509_internal.h +++ b/src/lib/libcrypto/x509/x509_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_internal.h,v 1.25 2023/01/28 19:08:09 tb Exp $ */ | 1 | /* $OpenBSD: x509_internal.h,v 1.26 2023/09/29 15:53:59 beck Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -111,7 +111,7 @@ struct x509_constraints_names *x509_constraints_names_new(size_t names_max); | |||
| 111 | int x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, | 111 | int x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, |
| 112 | size_t *len); | 112 | size_t *len); |
| 113 | void x509_constraints_names_free(struct x509_constraints_names *names); | 113 | void x509_constraints_names_free(struct x509_constraints_names *names); |
| 114 | int x509_constraints_valid_host(CBS *cbs); | 114 | int x509_constraints_valid_host(CBS *cbs, int permit_ip); |
| 115 | int x509_constraints_valid_sandns(CBS *cbs); | 115 | int x509_constraints_valid_sandns(CBS *cbs); |
| 116 | int x509_constraints_domain(char *domain, size_t dlen, char *constraint, | 116 | int x509_constraints_domain(char *domain, size_t dlen, char *constraint, |
| 117 | size_t len); | 117 | size_t len); |