summaryrefslogtreecommitdiff
path: root/src/lib
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib')
-rw-r--r--src/lib/libcrypto/x509/x509_constraints.c31
-rw-r--r--src/lib/libcrypto/x509/x509_internal.h4
2 files changed, 20 insertions, 15 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index 346cab0a40..0773d2ba71 100644
--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_constraints.c,v 1.31 2022/12/26 07:18:53 jmc Exp $ */ 1/* $OpenBSD: x509_constraints.c,v 1.32 2023/09/29 15:53:59 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -38,23 +38,23 @@
38#define MAX_IP_ADDRESS_LENGTH (size_t)46 38#define MAX_IP_ADDRESS_LENGTH (size_t)46
39 39
40static int 40static int
41cbs_is_ip_address(CBS *cbs) 41cbs_is_ip_address(CBS *cbs, int *is_ip)
42{ 42{
43 struct sockaddr_in6 sin6; 43 struct sockaddr_in6 sin6;
44 struct sockaddr_in sin4; 44 struct sockaddr_in sin4;
45 char *name = NULL; 45 char *name = NULL;
46 int ret = 0;
47 46
47 *is_ip = 0;
48 if (CBS_len(cbs) > MAX_IP_ADDRESS_LENGTH) 48 if (CBS_len(cbs) > MAX_IP_ADDRESS_LENGTH)
49 return 0; 49 return 1;
50 if (!CBS_strdup(cbs, &name)) 50 if (!CBS_strdup(cbs, &name))
51 return 0; 51 return 0;
52 if (inet_pton(AF_INET, name, &sin4) == 1 || 52 if (inet_pton(AF_INET, name, &sin4) == 1 ||
53 inet_pton(AF_INET6, name, &sin6) == 1) 53 inet_pton(AF_INET6, name, &sin6) == 1)
54 ret = 1; 54 *is_ip = 1;
55 55
56 free(name); 56 free(name);
57 return ret; 57 return 1;
58} 58}
59 59
60struct x509_constraints_name * 60struct x509_constraints_name *
@@ -264,16 +264,21 @@ x509_constraints_valid_domain_internal(CBS *cbs, int wildcards)
264} 264}
265 265
266int 266int
267x509_constraints_valid_host(CBS *cbs) 267x509_constraints_valid_host(CBS *cbs, int permit_ip)
268{ 268{
269 uint8_t first; 269 uint8_t first;
270 int is_ip;
270 271
271 if (!CBS_peek_u8(cbs, &first)) 272 if (!CBS_peek_u8(cbs, &first))
272 return 0; 273 return 0;
273 if (first == '.') 274 if (first == '.')
274 return 0; /* leading . not allowed in a host name */ 275 return 0; /* leading . not allowed in a host name or IP */
275 if (cbs_is_ip_address(cbs)) 276 if (!permit_ip) {
276 return 0; 277 if (!cbs_is_ip_address(cbs, &is_ip))
278 return 0;
279 if (is_ip)
280 return 0;
281 }
277 282
278 return x509_constraints_valid_domain_internal(cbs, 0); 283 return x509_constraints_valid_domain_internal(cbs, 0);
279} 284}
@@ -441,7 +446,7 @@ x509_constraints_parse_mailbox(CBS *candidate,
441 if (candidate_local == NULL || candidate_domain == NULL) 446 if (candidate_local == NULL || candidate_domain == NULL)
442 goto bad; 447 goto bad;
443 CBS_init(&domain_cbs, candidate_domain, strlen(candidate_domain)); 448 CBS_init(&domain_cbs, candidate_domain, strlen(candidate_domain));
444 if (!x509_constraints_valid_host(&domain_cbs)) 449 if (!x509_constraints_valid_host(&domain_cbs, 0))
445 goto bad; 450 goto bad;
446 451
447 if (name != NULL) { 452 if (name != NULL) {
@@ -558,7 +563,7 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart)
558 if (host == NULL) 563 if (host == NULL)
559 host = authority; 564 host = authority;
560 CBS_init(&host_cbs, host, hostlen); 565 CBS_init(&host_cbs, host, hostlen);
561 if (!x509_constraints_valid_host(&host_cbs)) 566 if (!x509_constraints_valid_host(&host_cbs, 1))
562 return 0; 567 return 0;
563 if (hostpart != NULL && !CBS_strdup(&host_cbs, hostpart)) 568 if (hostpart != NULL && !CBS_strdup(&host_cbs, hostpart))
564 return 0; 569 return 0;
@@ -924,7 +929,7 @@ x509_constraints_extract_names(struct x509_constraints_names *names,
924 goto err; 929 goto err;
925 } 930 }
926 CBS_init(&cbs, aname->data, aname->length); 931 CBS_init(&cbs, aname->data, aname->length);
927 if (!x509_constraints_valid_host(&cbs)) 932 if (!x509_constraints_valid_host(&cbs, 0))
928 continue; /* ignore it if not a hostname */ 933 continue; /* ignore it if not a hostname */
929 if ((vname = x509_constraints_name_new()) == NULL) { 934 if ((vname = x509_constraints_name_new()) == NULL) {
930 *error = X509_V_ERR_OUT_OF_MEM; 935 *error = X509_V_ERR_OUT_OF_MEM;
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h
index c4222bcfe5..15efff6097 100644
--- a/src/lib/libcrypto/x509/x509_internal.h
+++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
1/* $OpenBSD: x509_internal.h,v 1.25 2023/01/28 19:08:09 tb Exp $ */ 1/* $OpenBSD: x509_internal.h,v 1.26 2023/09/29 15:53:59 beck Exp $ */
2/* 2/*
3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org> 3 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4 * 4 *
@@ -111,7 +111,7 @@ struct x509_constraints_names *x509_constraints_names_new(size_t names_max);
111int x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, 111int x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes,
112 size_t *len); 112 size_t *len);
113void x509_constraints_names_free(struct x509_constraints_names *names); 113void x509_constraints_names_free(struct x509_constraints_names *names);
114int x509_constraints_valid_host(CBS *cbs); 114int x509_constraints_valid_host(CBS *cbs, int permit_ip);
115int x509_constraints_valid_sandns(CBS *cbs); 115int x509_constraints_valid_sandns(CBS *cbs);
116int x509_constraints_domain(char *domain, size_t dlen, char *constraint, 116int x509_constraints_domain(char *domain, size_t dlen, char *constraint,
117 size_t len); 117 size_t len);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-25 14:26:56 +0000