author | bluhm <> | 2020-01-07 17:36:04 +0000 |
committer | bluhm <> | 2020-01-07 17:36:04 +0000 |
commit | 1141f885583b175ef90db0a4a8118118946b803b (patch) | |
tree | 342a1c3e2994083f59d67bc7c58aa52b131ec65f /src | |
parent | 2742398e709c477a05b8c4178bcb8f68184c4699 (diff) | |
If the client provides a TLS certificate and the user specifies a
hash value on the nc(1) server command line, the netcat server must
use the TLS context of the accepted socket for verification. As
the listening socket was used instead, the verification was always
successful.
If the peer provides a certificate, there must be a hash. Make the
hash verification fail safe.
OK tb@
Diffstat (limited to 'src')
-rw-r--r-- | src/usr.bin/nc/netcat.c | 11 |
1 files changed, 6 insertions, 5 deletions
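--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.214 2020/01/06 19:39:58 bluhm Exp $ */
+/* $OpenBSD: netcat.c,v 1.215 2020/01/07 17:36:04 bluhm Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -835,8 +835,8 @@ tls_setup_client(struct tls *tls_ctx, int s, char *host)
 }
 if (vflag)
 report_tls(tls_ctx, host);
-if (tls_expecthash && tls_peer_cert_hash(tls_ctx) &&
-strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)
+if (tls_expecthash && (tls_peer_cert_hash(tls_ctx) == NULL ||
+strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0))
 errx(1, "peer certificate is not %s", tls_expecthash);
 if (Zflag) {
 save_peer_cert(tls_ctx, Zflag);
@@ -864,8 +864,9 @@ tls_setup_server(struct tls *tls_ctx, int connfd, char *host)
 report_tls(tls_cctx, host);
 if ((TLSopt & TLS_CCERT) && !gotcert)
 warnx("No client certificate provided");
-else if (gotcert && tls_peer_cert_hash(tls_ctx) && tls_expecthash &&
-strcmp(tls_expecthash, tls_peer_cert_hash(tls_ctx)) != 0)
+else if (gotcert && tls_expecthash &&
+(tls_peer_cert_hash(tls_cctx) == NULL ||
+strcmp(tls_expecthash, tls_peer_cert_hash(tls_cctx)) != 0))
 warnx("peer certificate is not %s", tls_expecthash);
 else if (gotcert && tls_expectname &&
 (!tls_peer_cert_contains_name(tls_cctx, tls_expectname)))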
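Review bot: Nothing in the tls_setup_server hunk tells a reader why the hash is now read from tls_cctx while the function's own parameter is still tls_ctx; the reason (the accepted connection's context carries the peer certificate, the listening socket's does not) exists only in the commit message, which is exactly the kind of detail a later cleanup can regress. A one-line comment above `else if (gotcert && tls_expecthash &&`, e.g. `/* peer cert hash is on the accepted context, not the listener */`, would pin it down in the source. The mismatch is reported with warnx() here while the client path at line 840 uses errx(); whether the server actually refuses the connection on a mismatch depends on what follows this else-if chain, which ends outside the hunk, so that should be confirmed before treating the server check as fail-safe. tls_peer_cert_hash(tls_cctx) is evaluated twice per check; a local `const char *hash = tls_peer_cert_hash(tls_cctx);` would avoid the repeated call, though the double call matches the existing style in the client hunk.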