| #
1.8 |
|
28-May-2023 |
beck |
Refactor tls_check_common_name to use lower level API.
X509_NAME_get_text_by_NID is kind of a bad interface that
we wish to make safer, and does not give us the visibility
we really want here to detect hostile things.
Instead call the lower level functions to do some better
checking that should be done by X509_NAME_get_text_by_NID,
but is not in the OpenSSL version. Specifically we will treat
the input as hostile and fail if:
1) The certificate contains more than one CN in the subject.
2) The CN does not decode as UTF-8
3) The CN is of invalid length (must be between 1 and 64 bytes)
4) The CN contains a 0 byte
4) matches the existing logic, 1 and 2, and 3 are new checks.
ok tb@
|
|
Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE
|
|
| #
1.7 |
|
30-Apr-2017 |
jsing |
Add missing tls_init() and tls_free() calls.
|
| #
1.6 |
|
10-Apr-2017 |
jsing |
Rework and significantly extend TLS name verification tests to match
changes in libtls.
|
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
|
|
| #
1.5 |
|
11-Sep-2015 |
beck |
regress test that we do not allow a wildcard match for ".openbsd.org"
against a wildcard of "*.openbsd.org"
|
| #
1.4 |
|
11-Sep-2015 |
beck |
fix verify to allow for servername->name
ok jsing@
|
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
|
| #
1.3 |
|
22-Feb-2015 |
jsing |
Update for recent verify related naming changes.
|
| #
1.2 |
|
07-Dec-2014 |
bcook |
Allow specific libtls hostname validation errors to propagate.
Remove direct calls to printf from the tls_check_hostname() path. This allows
NUL byte error messages to bubble up to the caller, to be logged in a
program-appropriate way. It also removes non-portable calls to getprogname().
ok jsing@
|
| #
1.1 |
|
01-Nov-2014 |
jsing |
Initial regress for libtls hostname verification.
|
|
Revision tags: OPENBSD_6_2_BASE
|
|
| #
1.7 |
|
30-Apr-2017 |
jsing |
Add missing tls_init() and tls_free() calls.
|
| #
1.6 |
|
10-Apr-2017 |
jsing |
Rework and significantly extend TLS name verification tests to match
changes in libtls.
|
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
|
|
| #
1.5 |
|
11-Sep-2015 |
beck |
regress test that we do not allow a wildcard match for ".openbsd.org"
against a wildcard of "*.openbsd.org"
|
| #
1.4 |
|
11-Sep-2015 |
beck |
fix verify to allow for servername->name
ok jsing@
|
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
|
| #
1.3 |
|
22-Feb-2015 |
jsing |
Update for recent verify related naming changes.
|
| #
1.2 |
|
07-Dec-2014 |
bcook |
Allow specific libtls hostname validation errors to propagate.
Remove direct calls to printf from the tls_check_hostname() path. This allows
NUL byte error messages to bubble up to the caller, to be logged in a
program-appropriate way. It also removes non-portable calls to getprogname().
ok jsing@
|
| #
1.1 |
|
01-Nov-2014 |
jsing |
Initial regress for libtls hostname verification.
|