From da51b25b748f1cb20948e7a26ec55a63ac4fdd3f Mon Sep 17 00:00:00 2001 From: doug Date: Wed, 29 Apr 2015 00:24:31 +0000 Subject: [PATCH] Reject dNSName of " " for subjectAltName extension. RFC 5280 says " " must not be used as a dNSName. ok jsing@ jca@ --- lib/libtls/tls_verify.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c index c1a5387829b..6a569e17613 100644 --- a/lib/libtls/tls_verify.c +++ b/lib/libtls/tls_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_verify.c,v 1.7 2015/02/11 06:46:33 jsing Exp $ */ +/* $OpenBSD: tls_verify.c,v 1.8 2015/04/29 00:24:31 doug Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * @@ -79,6 +79,7 @@ tls_match_name(const char *cert_name, const char *name) return -1; } +/* See RFC 5280 section 4.2.1.6 for SubjectAltName details. */ int tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name) { @@ -132,6 +133,20 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name) break; } + /* + * Per RFC 5280 section 4.2.1.6: + * " " is a legal domain name, but that + * dNSName must be rejected. + */ + if (strcmp(data, " ") == 0) { + tls_set_error(ctx, + "error verifying name '%s': " + "a dNSName of \" \" must not be " + "used", name); + rv = -2; + break; + } + if (tls_match_name(data, name) == 0) { rv = 0; break; @@ -159,6 +174,10 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name) break; } + /* + * Per RFC 5280 section 4.2.1.6: + * IPv4 must use 4 octets and IPv6 must use 16 octets. + */ if (datalen == addrlen && memcmp(data, &addrbuf, addrlen) == 0) { rv = 0; -- 2.20.1