mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-03-19 19:50:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

apps/cmp.c: Fix TLS hostname checking in case -server provides more than hostname

Browse Source 
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14889)
This commit is contained in:
Dr. David von Oheimb 2021-04-15 15:44:41 +02:00 committed by Dr. David von Oheimb
parent cd69b4bd7c
commit 44c75ba67d
1 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
apps/cmp.c
View File

@ -673,7 +673,7 @@ static X509_REQ *load_csr_autofmt(const char *infile, const char *desc)
}
/* set expected host name/IP addr and clears the email addr in the given ts */
static int truststore_set_host_etc(X509_STORE *ts, char *host)
static int truststore_set_host_etc(X509_STORE *ts, const char *host)
{
X509_VERIFY_PARAM *ts_vpm = X509_STORE_get0_param(ts);
@ -1181,7 +1181,8 @@ static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
* set up ssl_ctx for the OSSL_CMP_CTX based on options from config file/CLI.
* Returns pointer on success, NULL on error
*/
static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
ENGINE *engine)
{
STACK_OF(X509) *untrusted = OSSL_CMP_CTX_get0_untrusted(ctx);
EVP_PKEY *pkey = NULL;
@ -1313,8 +1314,7 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_tls_trusted != NULL) {
/* enable and parameterize server hostname/IP address check */
if (!truststore_set_host_etc(trust_store,
opt_tls_host != NULL ?
opt_tls_host : opt_server))
opt_tls_host != NULL ? opt_tls_host : host))
/* TODO: is the server host name correct for TLS via proxy? */
goto err;
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
@ -1767,7 +1767,7 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx)
static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
int ret = 0;
char *server = NULL, *port = NULL, *path = NULL, *used_path;
char *host = NULL, *port = NULL, *path = NULL, *used_path;
int portnum, ssl;
char server_buf[200] = { '\0' };
char proxy_buf[200] = { '\0' };
@ -1778,7 +1778,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
CMP_err("missing -server option");
goto err;
}
if (!OSSL_HTTP_parse_url(opt_server, &ssl, NULL /* user */, &server, &port,
if (!OSSL_HTTP_parse_url(opt_server, &ssl, NULL /* user */, &host, &port,
&portnum, &path, NULL /* q */, NULL /* frag */)) {
CMP_err1("cannot parse -server URL: %s", opt_server);
goto err;
@ -1789,7 +1789,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
}
BIO_snprintf(server_port, sizeof(server_port), "%s", port);
used_path = opt_path != NULL ? opt_path : path;
if (!OSSL_CMP_CTX_set1_server(ctx, server)
if (!OSSL_CMP_CTX_set1_server(ctx, host)
|| !OSSL_CMP_CTX_set_serverPort(ctx, portnum)
|| !OSSL_CMP_CTX_set1_serverPath(ctx, used_path))
goto oom;
@ -1798,7 +1798,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_no_proxy != NULL && !OSSL_CMP_CTX_set1_no_proxy(ctx, opt_no_proxy))
goto oom;
(void)BIO_snprintf(server_buf, sizeof(server_buf), "http%s://%s:%s/%s",
opt_tls_used ? "s" : "", server, port,
opt_tls_used ? "s" : "", host, port,
*used_path == '/' ? used_path + 1 : used_path);
if (opt_proxy != NULL)
@ -1869,7 +1869,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
info->port = server_port;
info->use_proxy = opt_proxy != NULL;
info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
info->ssl_ctx = setup_ssl_ctx(ctx, engine);
info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
if (info->ssl_ctx == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);
@ -1896,7 +1896,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
ret = 1;
err:
OPENSSL_free(server);
OPENSSL_free(host);
OPENSSL_free(port);
OPENSSL_free(path);
OPENSSL_free(proxy_host);