[openssl] master update
tmraz at fedoraproject.org
tmraz at fedoraproject.org
Mon Aug 3 15:18:37 UTC 2020
The branch master has been updated
via 37d898df348b87a423133afdbb828383be22fda7 (commit)
via 892a9e4c99f13e295f6146b41e72b92b91899a12 (commit)
via 396e72096589593cb00412c85170c7ec87d13b89 (commit)
via c832840e899091948bb7f5e9af63f929e6a18f95 (commit)
from a677190779705d243cca88ae04f2105dee52672d (commit)
- Log -----------------------------------------------------------------
commit 37d898df348b87a423133afdbb828383be22fda7
Author: David Woodhouse <dwmw2 at infradead.org>
Date: Tue May 19 11:51:14 2020 +0100
Add CHANGES.md entry for SSL_set1_host()/SSL_add1_host() taking IP literals
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9201)
commit 892a9e4c99f13e295f6146b41e72b92b91899a12
Author: David Woodhouse <dwmw2 at infradead.org>
Date: Mon May 11 19:28:03 2020 +0100
Disallow setting more than one IP address with SSL_add1_host()
The X509_VERIFY_PARAM can only take a single IP address, although it can
have multiple hostnames. When SSL_add1_host() is given an IP address,
don't accept it if there is already one configured.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9201)
commit 396e72096589593cb00412c85170c7ec87d13b89
Author: David Woodhouse <dwmw2 at infradead.org>
Date: Thu Jun 20 21:39:38 2019 +0100
Fix certificate validation for IPv6 literals in sconnect demo
Instead of naïvely trying to truncate at the first colon, use
BIO_get_conn_hostname(). That handles IPv6 literals correctly, even
stripping the [] from around them.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9201)
commit c832840e899091948bb7f5e9af63f929e6a18f95
Author: David Woodhouse <dwmw2 at infradead.org>
Date: Mon Oct 14 10:46:07 2019 +0100
Make SSL_set1_host() and SSL_add1_host() take IP addresses
There is a slight mismatch here because X509_VERIFY_PARAM copes only
with a single IP address, and doesn't let it be cleared once it's set.
But this fixes up the major use case, making things easier for users to
get it right.
The sconnect demo now works for Legacy IP literals; for IPv6 it needs to
fix up the way it tries to split the host:port string, which will happen
in a subsequent patch.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9201)
-----------------------------------------------------------------------
Summary of changes:
CHANGES.md | 5 +++++
demos/bio/sconnect.c | 15 +++++++--------
ssl/ssl_lib.c | 29 +++++++++++++++++++++++++++++
3 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 14694739ae..75ecfc22f4 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -23,6 +23,11 @@ OpenSSL 3.0
### Changes between 1.1.1 and 3.0 [xx XXX xxxx]
+ * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses
+ as well as actual hostnames.
+
+ *David Woodhouse*
+
* The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configuring DTLS-based contexts, and
conversely, silently ignore DTLS protocol version bounds when configuring
diff --git a/demos/bio/sconnect.c b/demos/bio/sconnect.c
index 7e46bf0ad8..19f8ee78de 100644
--- a/demos/bio/sconnect.c
+++ b/demos/bio/sconnect.c
@@ -29,7 +29,7 @@ int main(int argc, char *argv[])
{
const char *hostport = HOSTPORT;
const char *CAfile = CAFILE;
- char *hostname;
+ const char *hostname;
char *cp;
BIO *out = NULL;
char buf[1024 * 10], *p;
@@ -43,10 +43,6 @@ int main(int argc, char *argv[])
if (argc > 2)
CAfile = argv[2];
- hostname = OPENSSL_strdup(hostport);
- if ((cp = strchr(hostname, ':')) != NULL)
- *cp = 0;
-
#ifdef WATT32
dbug_init();
sock_init();
@@ -62,9 +58,6 @@ int main(int argc, char *argv[])
ssl = SSL_new(ssl_ctx);
SSL_set_connect_state(ssl);
- /* Enable peername verification */
- if (SSL_set1_host(ssl, hostname) <= 0)
- goto err;
/* Use it inside an SSL BIO */
ssl_bio = BIO_new(BIO_f_ssl());
@@ -73,6 +66,12 @@ int main(int argc, char *argv[])
/* Lets use a connect BIO under the SSL BIO */
out = BIO_new(BIO_s_connect());
BIO_set_conn_hostname(out, hostport);
+
+ /* The BIO has parsed the host:port and even IPv6 literals in [] */
+ hostname = BIO_get_conn_hostname(out);
+ if (!hostname || SSL_set1_host(ssl, hostname) <= 0)
+ goto err;
+
BIO_set_nbio(out, 1);
out = BIO_push(ssl_bio, out);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 871606cfc1..3f621d5677 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -955,11 +955,40 @@ int SSL_set_trust(SSL *s, int trust)
int SSL_set1_host(SSL *s, const char *hostname)
{
+ /* If a hostname is provided and parses as an IP address,
+ * treat it as such. */
+ if (hostname && X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname) == 1)
+ return 1;
+
return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0);
}
int SSL_add1_host(SSL *s, const char *hostname)
{
+ /* If a hostname is provided and parses as an IP address,
+ * treat it as such. */
+ if (hostname)
+ {
+ ASN1_OCTET_STRING *ip;
+ char *old_ip;
+
+ ip = a2i_IPADDRESS(hostname);
+ if (ip) {
+ /* We didn't want it; only to check if it *is* an IP address */
+ ASN1_OCTET_STRING_free(ip);
+
+ old_ip = X509_VERIFY_PARAM_get1_ip_asc(s->param);
+ if (old_ip)
+ {
+ free(old_ip);
+ /* There can be only one IP address */
+ return 0;
+ }
+
+ return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname);
+ }
+ }
+
return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0);
}
More information about the openssl-commits
mailing list