[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Emilia Kasper
emilia at openssl.org
Tue Feb 10 14:36:25 UTC 2015
The branch OpenSSL_1_0_2-stable has been updated
via 95929797a01eb4ad42694f1f848bdbb9decbcefe (commit)
from bcfaa4eeee5bbb2ddf9545e41b62cbfc10ad60b0 (commit)
- Log -----------------------------------------------------------------
commit 95929797a01eb4ad42694f1f848bdbb9decbcefe
Author: Emilia Kasper <emilia at openssl.org>
Date: Thu Feb 5 16:38:54 2015 +0100
Fix hostname validation in the command-line tool to honour negative return values.
Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion
and result in a negative return value, which the "x509 -checkhost" command-line option
incorrectly interpreted as success.
Also update X509_check_host docs to reflect reality.
Thanks to Sean Burford (Google) for reporting this issue.
Reviewed-by: Richard Levitte <levitte at openssl.org>
(cherry picked from commit 0923e7df9eafec6db9c75405d7085ec8581f01bd)
-----------------------------------------------------------------------
Summary of changes:
apps/apps.c | 2 +-
crypto/x509v3/v3_utl.c | 7 ++++++-
doc/crypto/X509_check_host.pod | 7 +++++--
3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/apps/apps.c b/apps/apps.c
index e6bb48f..ef5d087 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2775,7 +2775,7 @@ void print_cert_checks(BIO *bio, X509 *x,
return;
if (checkhost) {
BIO_printf(bio, "Hostname %s does%s match certificate\n",
- checkhost, X509_check_host(x, checkhost, 0, 0, NULL)
+ checkhost, X509_check_host(x, checkhost, 0, 0, NULL) == 1
? "" : " NOT");
}
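Review bot: The `== 1` comparison in the `BIO_printf` argument still folds the negative returns into "does NOT match", so someone running `x509 -checkhost` cannot tell a genuine mismatch from a certificate that could not be decoded. Consider storing the result and printing a separate message when it is negative. It is also worth confirming that any other X509_check_* calls in print_cert_checks, which this hunk does not show, compare against 1 in the same way.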
diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509v3/v3_utl.c
index f65323b..ed6099e 100644
--- a/crypto/x509v3/v3_utl.c
+++ b/crypto/x509v3/v3_utl.c
@@ -901,8 +901,13 @@ static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
int astrlen;
unsigned char *astr;
astrlen = ASN1_STRING_to_UTF8(&astr, a);
- if (astrlen < 0)
+ if (astrlen < 0) {
+ /*
+ * -1 could be an internal malloc failure or a decoding error from
+ * malformed input; we can't distinguish.
+ */
return -1;
+ }
rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
if (rv > 0 && peername)
*peername = BUF_strndup((char *)astr, astrlen);
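Review bot: The new comment in the `astrlen < 0` branch records that the two causes of -1 cannot be told apart, but it does not say what that means for callers, which is the part that matters here. Suggest adding a line noting that a negative result propagates up to X509_check_host() and must never be tested for truthiness, since that is the mistake corrected in apps.c in this same commit. The added braces are otherwise a no-op, so this hunk changes no behaviour.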
diff --git a/doc/crypto/X509_check_host.pod b/doc/crypto/X509_check_host.pod
index f8b530d..0def17a 100644
--- a/doc/crypto/X509_check_host.pod
+++ b/doc/crypto/X509_check_host.pod
@@ -109,9 +109,12 @@ but would not match a peer certificate with a DNS name of
=head1 RETURN VALUES
The functions return 1 for a successful match, 0 for a failed match
-and -1 for an internal error: typically a memory allocation failure.
+and -1 for an internal error: typically a memory allocation failure
+or an ASN.1 decoding error.
-X509_check_ip_asc() can also return -2 if the IP address string is malformed.
+All functions can also return -2 if the input is malformed. For example,
+X509_check_host() returns -2 if the provided B<name> contains embedded
+NULs.
=head1 NOTES
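Review bot: RETURN VALUES now lists two negative codes but still does not tell callers that only 1 means a match, which is the misreading this commit fixes in the command-line tool. Suggest adding a sentence such as "Callers must compare the result against 1; 0 and all negative values are failures." The wording could also separate the two cases more sharply: as written, "an ASN.1 decoding error" (-1) and "the input is malformed" (-2) both read as malformed input, while the example suggests -2 refers to the caller-supplied B<name> and -1 to the certificate contents.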