[openssl-dev] [openssl.org #4003] OpenSSL Bug report / Patch submission - wildcard_match in host verification

Sekwon Choi via RT rt at openssl.org
Tue Aug 11 18:53:29 UTC 2015


Hi openssl team,

I would like to report a bug as below, together with a patch for the fix.

[ Version affected ] :
1.0.2d (latest) and below (basically, all versions of openssl)

[ Operating system ] :
All

[ Bug description ] :
When we want to perform host verification using OpenSSL's APIs that use
X509_check_host, a host URL that includes specific characters such as '_' or
'~' will fail when the CN from the certificate contains a wildcard
character.

The reason is that the wildcard_match function in
openssl-version/crypto/x509v3/v3_utils.c does not handle '_' and '~', while
those are allowed characters in a URL.

(patch attached separately)

--- ./openssl-1.0.2d/crypto/x509v3/v3_utl.c 2015-07-09 04:57:15.000000000
-0700
+++ ../OpenSSL/openssl-1.0.2d/crypto/x509v3/v3_utl.c 2015-08-11
10:15:19.905814872 -0700
@@ -787,7 +787,7 @@
         if (!(('0' <= *p && *p <= '9') ||
               ('A' <= *p && *p <= 'Z') ||
               ('a' <= *p && *p <= 'z') ||
-              *p == '-' || (allow_multi && *p == '.')))
+              *p == '-' || *p == '_' || *p == '~' || (allow_multi && *p ==
'.')))
             return 0;
     return 1;
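Review bot: the whitelist this hunk widens is checking the characters of a hostname label (this loop sits under X509_check_host and `allow_multi` only governs the label separator '.'), but the justification given below is RFC 3986's `unreserved` set, which lists characters permitted anywhere in a URI, not the characters permitted in a DNS name presented in a certificate. '~' in particular is not a valid hostname character, and admitting '_' and '~' here lets a wildcard name match identifiers that hostname syntax (RFC 1123, and RFC 6125 for certificate reference identifiers) does not allow, which loosens the matcher beyond what the bug report motivates. The change should cite a hostname rule rather than URI syntax and add only what that rule permits. Separately, the added line exceeds 80 columns and has been wrapped so that `(allow_multi && *p ==` and `'.')))` land on different lines; as pasted the patch will not apply, so either verify the attached file or split the condition, e.g. put `*p == '-' || *p == '_' || *p == '~' ||` on its own line.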

[ FYI ] :
RFC 3986 (Uniform Resource Identifier (URI): Generic Syntax)

https://tools.ietf.org/html/rfc3986#section-2.1

2.3.  Unreserved Characters

   Characters that are allowed in a URI but do not have a reserved
   purpose are called unreserved.  These include uppercase and lowercase
   letters, decimal digits, hyphen, period, underscore, and tilde.

      unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"

Suggested fix:
We propose to include '_' and '~' in the wildcard_match function so that
hostnames including those characters can be evaluated correctly.


Thanks

Sekwon Choi
senior software engineer
Netflix

-------------- next part --------------
A non-text attachment was scrubbed...
Name: wildcard_match.patch
Type: text/x-patch
Size: 499 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150811/9279313d/attachment.bin>