[openssl-commits] [openssl] master update
Viktor Dukhovni
viktor at openssl.org
Sat Jan 16 22:16:13 UTC 2016
The branch master has been updated
via 8d887efa2ebd8ceff261514efbd6460c262172b3 (commit)
via 0982ecaaee78a106c5db440317b0a8a9c0022bed (commit)
from ecdd0ff733985fb573d687fe85fa533f62f6cfd8 (commit)
- Log -----------------------------------------------------------------
commit 8d887efa2ebd8ceff261514efbd6460c262172b3
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Sat Jan 16 13:25:17 2016 -0500
Better invalid SNI name error handling
Also report an SSL_dane_enable error when the basedomain is an
invalid SNI name. Avoid side-effects when such a name is valid
with X509_VERIFY_PARAM_set1_host(), as e.g. with an empty name, by
setting the SNI name first.
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 0982ecaaee78a106c5db440317b0a8a9c0022bed
Author: Viktor Dukhovni <openssl-users at dukhovni.org>
Date: Sat Jan 16 12:57:24 2016 -0500
Empty SNI names are not valid
While empty inputs to SSL_set1_host() clear the reference identifier
list.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_vpm.c | 4 ++--
ssl/s3_lib.c | 5 ++++-
ssl/ssl_lib.c | 18 ++++++++++++------
3 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index 827360d..8826fec 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -92,11 +92,11 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode,
* Refuse names with embedded NUL bytes, except perhaps as final byte.
* XXX: Do we need to push an error onto the error stack?
*/
- if (namelen == 0)
+ if (namelen == 0 || name == NULL)
namelen = name ? strlen(name) : 0;
else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen))
return 0;
- if (name && name[namelen - 1] == '\0')
+ if (namelen > 0 && name[namelen - 1] == '\0')
--namelen;
if (mode == SET_HOST) {
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index de8dae2..54b8eba 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3534,13 +3534,16 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
#endif /* !OPENSSL_NO_EC */
case SSL_CTRL_SET_TLSEXT_HOSTNAME:
if (larg == TLSEXT_NAMETYPE_host_name) {
+ size_t len;
+
OPENSSL_free(s->tlsext_hostname);
s->tlsext_hostname = NULL;
ret = 1;
if (parg == NULL)
break;
- if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) {
+ len = strlen((char *)parg);
+ if (len == 0 || len > TLSEXT_MAXLEN_host_name) {
SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
return 0;
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 90de747..e922e3f 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -872,18 +872,24 @@ int SSL_dane_enable(SSL *s, const char *basedomain)
return 0;
}
+ /*
+ * Default SNI name. This rejects empty names, while set1_host below
+ * accepts them and disables host name checks. To avoid side-effects with
+ * invalid input, set the SNI name first.
+ */
+ if (s->tlsext_hostname == NULL) {
+ if (!SSL_set_tlsext_host_name(s, basedomain)) {
+ SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
+ return -1;
+ }
+ }
+
/* Primary RFC6125 reference identifier */
if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) {
SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
return -1;
}
- /* Default SNI name */
- if (s->tlsext_hostname == NULL) {
- if (!SSL_set_tlsext_host_name(s, basedomain))
- return -1;
- }
-
dane->mdpth = -1;
dane->pdpth = -1;
dane->dctx = &s->ctx->dane;
More information about the openssl-commits
mailing list