diff options
| author | jca <> | 2014-10-06 11:53:18 +0000 |
|---|---|---|
| committer | jca <> | 2014-10-06 11:53:18 +0000 |
| commit | d2eb62ff43d96ad0684a0683817df2b84e342097 (patch) | |
| tree | a93e0542934f34e24eebf21fd1a970c541c8bd21 /src/lib | |
| parent | 49188c3cbd6d5b685ae672d1413d71756fcfe5ae (diff) | |
| download | openbsd-d2eb62ff43d96ad0684a0683817df2b84e342097.tar.gz openbsd-d2eb62ff43d96ad0684a0683817df2b84e342097.tar.bz2 openbsd-d2eb62ff43d96ad0684a0683817df2b84e342097.zip | |
If we have to match against a wildcard in a cert, verify that it contains
at least a domain label before the tld, as in *.example.org.
Suggested by Richard Moore (rich@kde)
ok tedu@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libressl/ressl_verify.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/src/lib/libressl/ressl_verify.c b/src/lib/libressl/ressl_verify.c index 9dfadedfb8..9511ad2ff2 100644 --- a/src/lib/libressl/ressl_verify.c +++ b/src/lib/libressl/ressl_verify.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ressl_verify.c,v 1.3 2014/08/05 12:46:16 jsing Exp $ */ | 1 | /* $OpenBSD: ressl_verify.c,v 1.4 2014/10/06 11:53:18 jca Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * | 4 | * |
| @@ -33,17 +33,37 @@ int ressl_check_common_name(X509 *cert, const char *host); | |||
| 33 | int | 33 | int |
| 34 | ressl_match_hostname(const char *cert_hostname, const char *hostname) | 34 | ressl_match_hostname(const char *cert_hostname, const char *hostname) |
| 35 | { | 35 | { |
| 36 | const char *cert_domain, *domain; | 36 | const char *cert_domain, *domain, *next_dot; |
| 37 | 37 | ||
| 38 | if (strcasecmp(cert_hostname, hostname) == 0) | 38 | if (strcasecmp(cert_hostname, hostname) == 0) |
| 39 | return 0; | 39 | return 0; |
| 40 | 40 | ||
| 41 | /* Wildcard match? */ | 41 | /* Wildcard match? */ |
| 42 | if (cert_hostname[0] == '*') { | 42 | if (cert_hostname[0] == '*') { |
| 43 | /* | ||
| 44 | * Valid wildcards: | ||
| 45 | * - "*.domain.tld" | ||
| 46 | * - "*.sub.domain.tld" | ||
| 47 | * - etc. | ||
| 48 | * Reject "*.tld". | ||
| 49 | * No attempt to prevent the use of eg. "*.co.uk". | ||
| 50 | */ | ||
| 43 | cert_domain = &cert_hostname[1]; | 51 | cert_domain = &cert_hostname[1]; |
| 52 | /* Disallow "*" */ | ||
| 53 | if (cert_domain[0] == '\0') | ||
| 54 | return -1; | ||
| 55 | /* Disallow "*foo" */ | ||
| 44 | if (cert_domain[0] != '.') | 56 | if (cert_domain[0] != '.') |
| 45 | return -1; | 57 | return -1; |
| 46 | if (strlen(cert_domain) == 1) | 58 | /* Disallow "*.." */ |
| 59 | if (cert_domain[1] == '.') | ||
| 60 | return -1; | ||
| 61 | next_dot = strchr(&cert_domain[1], '.'); | ||
| 62 | /* Disallow "*.bar" */ | ||
| 63 | if (next_dot == NULL) | ||
| 64 | return -1; | ||
| 65 | /* Disallow "*.bar.." */ | ||
| 66 | if (next_dot[1] == '.') | ||
| 47 | return -1; | 67 | return -1; |
| 48 | 68 | ||
| 49 | domain = strchr(hostname, '.'); | 69 | domain = strchr(hostname, '.'); |