CVSROOT: /cvs
Module name: src
Changes by: t...@cvs.openbsd.org 2022/12/17 06:53:38
Modified files:
usr.sbin/acme-client: revokeproc.c
Log message:
acme-client: fix SAN-handling insanity
The revoke process, which does a lot more than revoking a cert, wants to
know the SANs in the cert to be revoked or renewed and check them against
the ones configured in the config file.
To find out which ones are, it prints the SAN extension to a BIO using
X509V3_EXT_print(), slurps that into a buffer, tokenizes the undocumented
output string and plucks out the "DNS:" names. This is reminiscent of
node's hilarious CVE-2021-44532 and on about the same level of crazy, but
fortunately not security relevant.
Get the SAN extension as a GENERAL_NAMES from libcrypto, then we have an
actual data structure to work with, which allows us to access the DNS names
without problems. This simplifies things quite a bit, but the actual logic
in this file remains unmodified. Be careful about ASN1_IA5STRINGs and do
not assume they are C strings.
Tested by florian, millert, Renaud Allard, thanks!
ok florian jsing
