diff options
| author | beck <> | 2021-04-27 03:35:29 +0000 |
|---|---|---|
| committer | beck <> | 2021-04-27 03:35:29 +0000 |
| commit | 05d12eaff3684c531b3d36e69fa663830294b6bd (patch) | |
| tree | 4a1f8797d9eb5049de6166919597895e05f86d6c /src/regress/lib/libcrypto/x509/constraints.c | |
| parent | ebe128ca73ce7d178a186b93684c8bf8577f3b80 (diff) | |
| download | openbsd-05d12eaff3684c531b3d36e69fa663830294b6bd.tar.gz openbsd-05d12eaff3684c531b3d36e69fa663830294b6bd.tar.bz2 openbsd-05d12eaff3684c531b3d36e69fa663830294b6bd.zip | |
Relax SAN DNSname validation and constraints to permit non leading *
wildcards. While we may choose not to support them the standards
appear to permit them optionally so we can't declare a certificate
containing them invalid. Noticed by jeremy@, and Steffan Ulrich
and others. Modify the regression tests to test these cases and
not check the SAN DNSnames as "hostnames" anymore (which don't support
wildcards).
ok jsing@, tb@
Diffstat (limited to 'src/regress/lib/libcrypto/x509/constraints.c')
| -rw-r--r-- | src/regress/lib/libcrypto/x509/constraints.c | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c index 7eef55d591..c4dedeb1fa 100644 --- a/src/regress/lib/libcrypto/x509/constraints.c +++ b/src/regress/lib/libcrypto/x509/constraints.c | |||
| @@ -49,6 +49,8 @@ unsigned char *valid_hostnames[] = { | |||
| 49 | unsigned char *valid_sandns_names[] = { | 49 | unsigned char *valid_sandns_names[] = { |
| 50 | "*.ca", | 50 | "*.ca", |
| 51 | "*.op3nbsd.org", | 51 | "*.op3nbsd.org", |
| 52 | "c*.openbsd.org", | ||
| 53 | "foo.*.d*.c*.openbsd.org", | ||
| 52 | NULL, | 54 | NULL, |
| 53 | }; | 55 | }; |
| 54 | 56 | ||
| @@ -96,6 +98,7 @@ unsigned char *invalid_hostnames[] = { | |||
| 96 | "openbsd\n.org", | 98 | "openbsd\n.org", |
| 97 | "open\178bsd.org", | 99 | "open\178bsd.org", |
| 98 | "open\255bsd.org", | 100 | "open\255bsd.org", |
| 101 | "*.openbsd.org", | ||
| 99 | NULL, | 102 | NULL, |
| 100 | }; | 103 | }; |
| 101 | 104 | ||
| @@ -110,10 +113,10 @@ unsigned char *invalid_sandns_names[] = { | |||
| 110 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." | 113 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." |
| 111 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", | 114 | "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", |
| 112 | "*.-p3nbsd.org", | 115 | "*.-p3nbsd.org", |
| 113 | "a*.openbsd.org", | ||
| 114 | "*.*..openbsd.org", | 116 | "*.*..openbsd.org", |
| 115 | "*..openbsd.org", | 117 | "*..openbsd.org", |
| 116 | ".openbsd.org", | 118 | ".openbsd.org", |
| 119 | "c*c.openbsd.org", | ||
| 117 | NULL, | 120 | NULL, |
| 118 | }; | 121 | }; |
| 119 | 122 | ||
| @@ -254,13 +257,6 @@ test_invalid_hostnames(void) | |||
| 254 | failure = 1; | 257 | failure = 1; |
| 255 | goto done; | 258 | goto done; |
| 256 | } | 259 | } |
| 257 | if (x509_constraints_valid_sandns(invalid_hostnames[i], | ||
| 258 | strlen(invalid_hostnames[i]))) { | ||
| 259 | FAIL("Invalid sandns '%s' accepted\n", | ||
| 260 | invalid_hostnames[i]); | ||
| 261 | failure = 1; | ||
| 262 | goto done; | ||
| 263 | } | ||
| 264 | } | 260 | } |
| 265 | if (x509_constraints_valid_host(nulhost, | 261 | if (x509_constraints_valid_host(nulhost, |
| 266 | strlen(nulhost) + 1)) { | 262 | strlen(nulhost) + 1)) { |