mirror/openssl
2
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2025-02-17 14:32:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

Disallow setting more than one IP address with SSL_add1_host()

Browse Source 
The X509_VERIFY_PARAM can only take a single IP address, although it can
have multiple hostnames. When SSL_add1_host() is given an IP address,
don't accept it if there is already one configured.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9201)
This commit is contained in:
David Woodhouse 2020-05-11 19:28:03 +01:00 committed by Tomas Mraz
parent 396e720965
commit 892a9e4c99
1 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
ssl/ssl_lib.c
View File

@ -967,8 +967,27 @@ int SSL_add1_host(SSL *s, const char *hostname)
{
/* If a hostname is provided and parses as an IP address,
* treat it as such. */
if (hostname && X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname) == 1)
return 1;
if (hostname)
{
ASN1_OCTET_STRING *ip;
char *old_ip;
ip = a2i_IPADDRESS(hostname);
if (ip) {
/* We didn't want it; only to check if it *is* an IP address */
ASN1_OCTET_STRING_free(ip);
old_ip = X509_VERIFY_PARAM_get1_ip_asc(s->param);
if (old_ip)
{
free(old_ip);
/* There can be only one IP address */
return 0;
}
return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname);
}
}
return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0);
}