CVSROOT: /cvs Module name: src Changes by: t...@cvs.openbsd.org 2022/12/17 06:53:38
Modified files: usr.sbin/acme-client: revokeproc.c Log message: acme-client: fix SAN-handling insanity The revoke process, which does a lot more than revoking a cert, wants to know the SANs in the cert to be revoked or renewed and check them against the ones configured in the config file. To find out which ones are, it prints the SAN extension to a BIO using X509V3_EXT_print(), slurps that into a buffer, tokenizes the undocumented output string and plucks out the "DNS:" names. This is reminiscent of node's hilarious CVE-2021-44532 and on about the same level of crazy, but fortunately not security relevant. Get the SAN extension as a GENERAL_NAMES from libcrypto, then we have an actual data structure to work with, which allows us to access the DNS names without problems. This simplifies things quite a bit, but the actual logic in this file remains unmodified. Be careful about ASN1_IA5STRINGs and do not assume they are C strings. Tested by florian, millert, Renaud Allard, thanks! ok florian jsing