author | joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845> | 2010-09-28 12:00:48 +0000 |
---|---|---|
committer | joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845> | 2010-09-28 12:00:48 +0000 |
commit | 4c66fd938cbc714d1935a22825d69ae8e497bf67 (patch) | |
tree | bdceeb6aa394e732ffcbbf701e1b264c706cf138 | |
parent | a2490fe173a6d6236e96047076ad8703ec687744 (diff) | |
download | neon-4c66fd938cbc714d1935a22825d69ae8e497bf67.tar.gz |
Merge r1811 from trunk:
* src/ne_session.c (ne__ssl_match_hostname): Deny a wildcard match
against anything which parses as an IP address.
* test/ssl.c (fail_wildcard_ip): Add test case.
* test/makekeys.sh: Generate test wildcard IP cert.
git-svn-id: http://svn.webdav.org/repos/projects/neon/branches/0.29.x@1813 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
-rw-r--r-- | src/ne_session.c | 19 | ||||
-rwxr-xr-x | test/makekeys.sh | 5 | ||||
-rw-r--r-- | test/ssl.c | 7 |
3 files changed, 30 insertions, 1 deletions
diff --git a/src/ne_session.c b/src/ne_session.c
index 41f50fd..1502140 100644
--- a/src/ne_session.c
+++ b/src/ne_session.c
@@ -583,6 +583,25 @@ int ne__ssl_match_hostname(const char *cn, size_t cnlen, const char *hostname)
 if (strncmp(cn, "*.", 2) == 0 && cnlen > 2 && (dot = strchr(hostname, '.')) != NULL) {
+ ne_inet_addr *ia;
+
+ /* Prevent wildcard CN matches against anything which can be
+ * parsed as an IP address (i.e. a CN of "*.1.1.1" should not
+ * be match 8.1.1.1). draft-saintandre-tls-server-id-check
+ * will require some more significant changes to cert ID
+ * verification which will probably obviate this check, but
+ * this is a desirable policy tightening in the mean time. */
+ ia = ne_iaddr_parse(hostname, ne_iaddr_ipv4);
+ if (ia == NULL)
+ ia = ne_iaddr_parse(hostname, ne_iaddr_ipv6);
+
+ if (ia) {
+ NE_DEBUG(NE_DBG_SSL, "ssl: Denying wildcard match for numeric "
+ "IP address.\n");
+ ne_iaddr_free(ia);
+ return 0;
+ }
+
 hostname = dot + 1;
 cn += 2;
 cnlen -= 2;
diff --git a/test/makekeys.sh b/test/makekeys.sh
index 4e9b39a..1389195 100755
--- a/test/makekeys.sh
+++ b/test/makekeys.sh
@@ -154,6 +154,9 @@ cat ca/cert.pem ca[1234].pem > calist.pem
 csr_fields "Wildcard Cert Dept" "*.example.com" | \
 ${REQ} -new -key ${srcdir}/server.key -out wildcard.csr
+csr_fields "Wildcard IP Cert" "*.0.0.1" | \
+${REQ} -new -key ${srcdir}/server.key -out wildip.csr
+
 csr_fields "Neon Client Cert" ignored.example.com | \
 ${REQ} -new -key client.key -out client.csr
@@ -184,7 +187,7 @@ First OU Dept" | ${REQ} -new -key ${srcdir}/server.key -out twoou.csr
 for f in server client clientdsa twocn caseless cnfirst \
 t61subj bmpsubj utf8subj \
- missingcn justmail twoou wildcard wrongcn; do
+ missingcn justmail twoou wildcard wildip wrongcn; do
 ${CA} -days 900 -in ${f}.csr -out ${f}.cert
 done
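Review bot: The `ne_iaddr_ipv6` fallback parse is only reachable for hostnames that contain a '.', because the enclosing condition already requires `strchr(hostname, '.')` to succeed, so as far as the hunk shows a plain IPv6 literal never enters this branch and the second parse matters only for dotted forms such as IPv4-mapped literals; that is worth stating next to the call, e.g. `/* Only reached when hostname contains a '.', so the IPv6 parse covers dotted forms only. */`. The test added in test/ssl.c (`fail_wildcard_ip`) exercises just the IPv4 literal "127.0.0.1", leaving the IPv6 parse path without coverage. The new comment block also has a typo: `should not be match 8.1.1.1` should read `should not match 8.1.1.1`. ne__ssl_match_hostname begins and ends outside the hunk.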
@@ -960,6 +960,12 @@ static int fail_wildcard(void)
 "subjaltname not honored", NE_SSL_IDMISMATCH);
 }
+static int fail_wildcard_ip(void)
+{
+ return fail_ssl_request("wildip.cert", CA_CERT, "127.0.0.1",
+ "wildcard IP", NE_SSL_IDMISMATCH);
+}
+
 static int fail_ca_expired(void)
 {
 return fail_ssl_request_with_error("ca1server.cert", "ca1/cert.pem",
@@ -1891,6 +1897,7 @@ ne_test tests[] = {
 T(fail_bad_ipaltname),
 T(fail_bad_urialtname),
 T(fail_wildcard),
+ T(fail_wildcard_ip),
 T(fail_ca_notyetvalid),
 T(fail_ca_expired), |