The branch master has been updated via 37d898df348b87a423133afdbb828383be22fda7 (commit) via 892a9e4c99f13e295f6146b41e72b92b91899a12 (commit) via 396e72096589593cb00412c85170c7ec87d13b89 (commit) via c832840e899091948bb7f5e9af63f929e6a18f95 (commit) from a677190779705d243cca88ae04f2105dee52672d (commit)
- Log ----------------------------------------------------------------- commit 37d898df348b87a423133afdbb828383be22fda7 Author: David Woodhouse <dw...@infradead.org> Date: Tue May 19 11:51:14 2020 +0100 Add CHANGES.md entry for SSL_set1_host()/SSL_add1_host() taking IP literals Reviewed-by: Viktor Dukhovni <vik...@openssl.org> Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9201) commit 892a9e4c99f13e295f6146b41e72b92b91899a12 Author: David Woodhouse <dw...@infradead.org> Date: Mon May 11 19:28:03 2020 +0100 Disallow setting more than one IP address with SSL_add1_host() The X509_VERIFY_PARAM can only take a single IP address, although it can have multiple hostnames. When SSL_add1_host() is given an IP address, don't accept it if there is already one configured. Reviewed-by: Viktor Dukhovni <vik...@openssl.org> Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9201) commit 396e72096589593cb00412c85170c7ec87d13b89 Author: David Woodhouse <dw...@infradead.org> Date: Thu Jun 20 21:39:38 2019 +0100 Fix certificate validation for IPv6 literals in sconnect demo Instead of naïvely trying to truncate at the first colon, use BIO_get_conn_hostname(). That handles IPv6 literals correctly, even stripping the [] from around them. Reviewed-by: Viktor Dukhovni <vik...@openssl.org> Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9201) commit c832840e899091948bb7f5e9af63f929e6a18f95 Author: David Woodhouse <dw...@infradead.org> Date: Mon Oct 14 10:46:07 2019 +0100 Make SSL_set1_host() and SSL_add1_host() take IP addresses There is a slight mismatch here because X509_VERIFY_PARAM copes only with a single IP address, and doesn't let it be cleared once it's set. But this fixes up the major use case, making things easier for users to get it right. The sconnect demo now works for Legacy IP literals; for IPv6 it needs to fix up the way it tries to split the host:port string, which will happen in a subsequent patch. Reviewed-by: Viktor Dukhovni <vik...@openssl.org> Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9201) ----------------------------------------------------------------------- Summary of changes: CHANGES.md | 5 +++++ demos/bio/sconnect.c | 15 +++++++-------- ssl/ssl_lib.c | 29 +++++++++++++++++++++++++++++ 3 files changed, 41 insertions(+), 8 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 14694739ae..75ecfc22f4 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -23,6 +23,11 @@ OpenSSL 3.0 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx] + * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses + as well as actual hostnames. + + *David Woodhouse* + * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently ignore TLS protocol version bounds when configuring DTLS-based contexts, and conversely, silently ignore DTLS protocol version bounds when configuring diff --git a/demos/bio/sconnect.c b/demos/bio/sconnect.c index 7e46bf0ad8..19f8ee78de 100644 --- a/demos/bio/sconnect.c +++ b/demos/bio/sconnect.c @@ -29,7 +29,7 @@ int main(int argc, char *argv[]) { const char *hostport = HOSTPORT; const char *CAfile = CAFILE; - char *hostname; + const char *hostname; char *cp; BIO *out = NULL; char buf[1024 * 10], *p; @@ -43,10 +43,6 @@ int main(int argc, char *argv[]) if (argc > 2) CAfile = argv[2]; - hostname = OPENSSL_strdup(hostport); - if ((cp = strchr(hostname, ':')) != NULL) - *cp = 0; - #ifdef WATT32 dbug_init(); sock_init(); @@ -62,9 +58,6 @@ int main(int argc, char *argv[]) ssl = SSL_new(ssl_ctx); SSL_set_connect_state(ssl); - /* Enable peername verification */ - if (SSL_set1_host(ssl, hostname) <= 0) - goto err; /* Use it inside an SSL BIO */ ssl_bio = BIO_new(BIO_f_ssl()); @@ -73,6 +66,12 @@ int main(int argc, char *argv[]) /* Lets use a connect BIO under the SSL BIO */ out = BIO_new(BIO_s_connect()); BIO_set_conn_hostname(out, hostport); + + /* The BIO has parsed the host:port and even IPv6 literals in [] */ + hostname = BIO_get_conn_hostname(out); + if (!hostname || SSL_set1_host(ssl, hostname) <= 0) + goto err; + BIO_set_nbio(out, 1); out = BIO_push(ssl_bio, out); diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 871606cfc1..3f621d5677 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -955,11 +955,40 @@ int SSL_set_trust(SSL *s, int trust) int SSL_set1_host(SSL *s, const char *hostname) { + /* If a hostname is provided and parses as an IP address, + * treat it as such. */ + if (hostname && X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname) == 1) + return 1; + return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0); } int SSL_add1_host(SSL *s, const char *hostname) { + /* If a hostname is provided and parses as an IP address, + * treat it as such. */ + if (hostname) + { + ASN1_OCTET_STRING *ip; + char *old_ip; + + ip = a2i_IPADDRESS(hostname); + if (ip) { + /* We didn't want it; only to check if it *is* an IP address */ + ASN1_OCTET_STRING_free(ip); + + old_ip = X509_VERIFY_PARAM_get1_ip_asc(s->param); + if (old_ip) + { + free(old_ip); + /* There can be only one IP address */ + return 0; + } + + return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname); + } + } + return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0); }