[openssl] master update

tmraz at fedoraproject.org tmraz at fedoraproject.org
Mon Aug 3 15:18:37 UTC 2020


The branch master has been updated
       via  37d898df348b87a423133afdbb828383be22fda7 (commit)
       via  892a9e4c99f13e295f6146b41e72b92b91899a12 (commit)
       via  396e72096589593cb00412c85170c7ec87d13b89 (commit)
       via  c832840e899091948bb7f5e9af63f929e6a18f95 (commit)
      from  a677190779705d243cca88ae04f2105dee52672d (commit)


- Log -----------------------------------------------------------------
commit 37d898df348b87a423133afdbb828383be22fda7
Author: David Woodhouse <dwmw2 at infradead.org>
Date:   Tue May 19 11:51:14 2020 +0100

    Add CHANGES.md entry for SSL_set1_host()/SSL_add1_host() taking IP literals
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/9201)

commit 892a9e4c99f13e295f6146b41e72b92b91899a12
Author: David Woodhouse <dwmw2 at infradead.org>
Date:   Mon May 11 19:28:03 2020 +0100

    Disallow setting more than one IP address with SSL_add1_host()
    
    The X509_VERIFY_PARAM can only take a single IP address, although it can
    have multiple hostnames. When SSL_add1_host() is given an IP address,
    don't accept it if there is already one configured.
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/9201)

commit 396e72096589593cb00412c85170c7ec87d13b89
Author: David Woodhouse <dwmw2 at infradead.org>
Date:   Thu Jun 20 21:39:38 2019 +0100

    Fix certificate validation for IPv6 literals in sconnect demo
    
    Instead of naïvely trying to truncate at the first colon, use
    BIO_get_conn_hostname(). That handles IPv6 literals correctly, even
    stripping the [] from around them.
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/9201)

commit c832840e899091948bb7f5e9af63f929e6a18f95
Author: David Woodhouse <dwmw2 at infradead.org>
Date:   Mon Oct 14 10:46:07 2019 +0100

    Make SSL_set1_host() and SSL_add1_host() take IP addresses
    
    There is a slight mismatch here because X509_VERIFY_PARAM copes only
    with a single IP address, and doesn't let it be cleared once it's set.
    But this fixes up the major use case, making things easier for users to
    get it right.
    
    The sconnect demo now works for Legacy IP literals; for IPv6 it needs to
    fix up the way it tries to split the host:port string, which will happen
    in a subsequent patch.
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/9201)

-----------------------------------------------------------------------

Summary of changes:
 CHANGES.md           |  5 +++++
 demos/bio/sconnect.c | 15 +++++++--------
 ssl/ssl_lib.c        | 29 +++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 8 deletions(-)

diff --git a/CHANGES.md b/CHANGES.md
index 14694739ae..75ecfc22f4 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,11 @@ OpenSSL 3.0
 
 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
 
+ * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses
+   as well as actual hostnames.
+
+   *David Woodhouse*
+
  * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
    ignore TLS protocol version bounds when configuring DTLS-based contexts, and
    conversely, silently ignore DTLS protocol version bounds when configuring
diff --git a/demos/bio/sconnect.c b/demos/bio/sconnect.c
index 7e46bf0ad8..19f8ee78de 100644
--- a/demos/bio/sconnect.c
+++ b/demos/bio/sconnect.c
@@ -29,7 +29,7 @@ int main(int argc, char *argv[])
 {
     const char *hostport = HOSTPORT;
     const char *CAfile = CAFILE;
-    char *hostname;
+    const char *hostname;
     char *cp;
     BIO *out = NULL;
     char buf[1024 * 10], *p;
@@ -43,10 +43,6 @@ int main(int argc, char *argv[])
     if (argc > 2)
         CAfile = argv[2];
 
-    hostname = OPENSSL_strdup(hostport);
-    if ((cp = strchr(hostname, ':')) != NULL)
-        *cp = 0;
-
 #ifdef WATT32
     dbug_init();
     sock_init();
@@ -62,9 +58,6 @@ int main(int argc, char *argv[])
     ssl = SSL_new(ssl_ctx);
     SSL_set_connect_state(ssl);
 
-    /* Enable peername verification */
-    if (SSL_set1_host(ssl, hostname) <= 0)
-        goto err;
 
     /* Use it inside an SSL BIO */
     ssl_bio = BIO_new(BIO_f_ssl());
@@ -73,6 +66,12 @@ int main(int argc, char *argv[])
     /* Lets use a connect BIO under the SSL BIO */
     out = BIO_new(BIO_s_connect());
     BIO_set_conn_hostname(out, hostport);
+
+    /* The BIO has parsed the host:port and even IPv6 literals in [] */
+    hostname = BIO_get_conn_hostname(out);
+    if (!hostname || SSL_set1_host(ssl, hostname) <= 0)
+        goto err;
+
     BIO_set_nbio(out, 1);
     out = BIO_push(ssl_bio, out);
 
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 871606cfc1..3f621d5677 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -955,11 +955,40 @@ int SSL_set_trust(SSL *s, int trust)
 
 int SSL_set1_host(SSL *s, const char *hostname)
 {
+    /* If a hostname is provided and parses as an IP address,
+     * treat it as such. */
+    if (hostname && X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname) == 1)
+        return 1;
+
     return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0);
 }
 
 int SSL_add1_host(SSL *s, const char *hostname)
 {
+    /* If a hostname is provided and parses as an IP address,
+     * treat it as such. */
+    if (hostname)
+    {
+        ASN1_OCTET_STRING *ip;
+        char *old_ip;
+
+        ip = a2i_IPADDRESS(hostname);
+        if (ip) {
+            /* We didn't want it; only to check if it *is* an IP address */
+            ASN1_OCTET_STRING_free(ip);
+
+            old_ip = X509_VERIFY_PARAM_get1_ip_asc(s->param);
+            if (old_ip)
+            {
+                free(old_ip);
+                /* There can be only one IP address */
+                return 0;
+            }
+
+            return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname);
+        }
+    }
+
     return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0);
 }
 


More information about the openssl-commits mailing list