diff options
| author | tb <> | 2022-03-13 16:48:49 +0000 |
|---|---|---|
| committer | tb <> | 2022-03-13 16:48:49 +0000 |
| commit | 7bdf8508440bb6ad889ebb6210b36e2e45db8c79 (patch) | |
| tree | 5986b435064314080bd34bdb3b8bb0ffef936677 /src | |
| parent | 6a05251669a841118ef2afb995c9fdf4ec6f7abf (diff) | |
| download | openbsd-7bdf8508440bb6ad889ebb6210b36e2e45db8c79.tar.gz openbsd-7bdf8508440bb6ad889ebb6210b36e2e45db8c79.tar.bz2 openbsd-7bdf8508440bb6ad889ebb6210b36e2e45db8c79.zip | |
Check name constraints using the proper API
The previous versions were too strict and disallowed leading dots.
From Alex Wilson
ok jsing
Diffstat (limited to 'src')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_alt.c | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c index addf300a2a..35aae6f185 100644 --- a/src/lib/libcrypto/x509/x509_alt.c +++ b/src/lib/libcrypto/x509/x509_alt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_alt.c,v 1.9 2022/03/13 16:30:31 tb Exp $ */ | 1 | /* $OpenBSD: x509_alt.c,v 1.10 2022/03/13 16:48:49 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project. | 3 | * project. |
| 4 | */ | 4 | */ |
| @@ -652,7 +652,25 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, | |||
| 652 | if (ret == NULL) | 652 | if (ret == NULL) |
| 653 | return NULL; | 653 | return NULL; |
| 654 | 654 | ||
| 655 | /* Validate what we have for sanity */ | 655 | /* |
| 656 | * Validate what we have for sanity. | ||
| 657 | */ | ||
| 658 | |||
| 659 | if (is_nc) { | ||
| 660 | struct x509_constraints_name constraints_name; | ||
| 661 | int error = 0; | ||
| 662 | |||
| 663 | memset(&constraints_name, 0, sizeof(constraints_name)); | ||
| 664 | type = x509_constraints_validate(ret, &constraints_name, &error); | ||
| 665 | if (type == 0 || error != 0) { | ||
| 666 | X509V3error(X509V3_R_BAD_OBJECT); | ||
| 667 | ERR_asprintf_error_data("name=%s", name); | ||
| 668 | goto err; | ||
| 669 | } | ||
| 670 | x509_constraints_name_clear(&constraints_name); | ||
| 671 | return ret; | ||
| 672 | } | ||
| 673 | |||
| 656 | type = x509_constraints_general_to_bytes(ret, &bytes, &len); | 674 | type = x509_constraints_general_to_bytes(ret, &bytes, &len); |
| 657 | switch (type) { | 675 | switch (type) { |
| 658 | case GEN_DNS: | 676 | case GEN_DNS: |
| @@ -677,8 +695,7 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, | |||
| 677 | } | 695 | } |
| 678 | break; | 696 | break; |
| 679 | case GEN_IPADD: | 697 | case GEN_IPADD: |
| 680 | if ((!is_nc && len != 4 && len != 16) || | 698 | if (len != 4 && len != 16) { |
| 681 | (is_nc && len != 8 && len != 32)) { | ||
| 682 | X509V3error(X509V3_R_BAD_IP_ADDRESS); | 699 | X509V3error(X509V3_R_BAD_IP_ADDRESS); |
| 683 | ERR_asprintf_error_data("name=%s len=%zu", name, len); | 700 | ERR_asprintf_error_data("name=%s len=%zu", name, len); |
| 684 | goto err; | 701 | goto err; |