From 05d12eaff3684c531b3d36e69fa663830294b6bd Mon Sep 17 00:00:00 2001 From: beck <> Date: Tue, 27 Apr 2021 03:35:29 +0000 Subject: Relax SAN DNSname validation and constraints to permit non leading * wildcards. While we may choose not to support them the standards appear to permit them optionally so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others. Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards). ok jsing@, tb@ --- src/regress/lib/libcrypto/x509/constraints.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) (limited to 'src/regress/lib/libcrypto/x509/constraints.c') diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c index 7eef55d591..c4dedeb1fa 100644 --- a/src/regress/lib/libcrypto/x509/constraints.c +++ b/src/regress/lib/libcrypto/x509/constraints.c @@ -49,6 +49,8 @@ unsigned char *valid_hostnames[] = { unsigned char *valid_sandns_names[] = { "*.ca", "*.op3nbsd.org", + "c*.openbsd.org", + "foo.*.d*.c*.openbsd.org", NULL, }; @@ -96,6 +98,7 @@ unsigned char *invalid_hostnames[] = { "openbsd\n.org", "open\178bsd.org", "open\255bsd.org", + "*.openbsd.org", NULL, }; @@ -110,10 +113,10 @@ unsigned char *invalid_sandns_names[] = { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa." "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a", "*.-p3nbsd.org", - "a*.openbsd.org", "*.*..openbsd.org", "*..openbsd.org", ".openbsd.org", + "c*c.openbsd.org", NULL, }; @@ -254,13 +257,6 @@ test_invalid_hostnames(void) failure = 1; goto done; } - if (x509_constraints_valid_sandns(invalid_hostnames[i], - strlen(invalid_hostnames[i]))) { - FAIL("Invalid sandns '%s' accepted\n", - invalid_hostnames[i]); - failure = 1; - goto done; - } } if (x509_constraints_valid_host(nulhost, strlen(nulhost) + 1)) { -- cgit v1.2.3-55-g6feb