generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix hostname validation in the command-line tool to honour negative return values.

Browse Source 
Specifically, an ASN.1 NumericString in the certificate CN will fail UTF-8 conversion
and result in a negative return value, which the "x509 -checkhost" command-line option
incorrectly interpreted as success.

Also update X509_check_host docs to reflect reality.

Thanks to Sean Burford (Google) for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 0923e7df9e)
This commit is contained in:
Emilia Kasper
2015-02-05 16:38:54 +01:00
parent bcfaa4eeee
commit 95929797a0
3 changed files with 12 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
doc/crypto/X509_check_host.pod
View File

@@ -109,9 +109,12 @@ but would not match a peer certificate with a DNS name of
=head1 RETURN VALUES
The functions return 1 for a successful match, 0 for a failed match
and -1 for an internal error: typically a memory allocation failure.
and -1 for an internal error: typically a memory allocation failure
or an ASN.1 decoding error.
X509_check_ip_asc() can also return -2 if the IP address string is malformed.
All functions can also return -2 if the input is malformed. For example,
X509_check_host() returns -2 if the provided B<name> contains embedded
NULs.
=head1 NOTES