diff options
author | David Woodhouse <dwmw2@infradead.org> | 2020-05-11 19:28:03 +0100 |
---|---|---|
committer | Tomas Mraz <tmraz@fedoraproject.org> | 2020-08-03 17:15:36 +0200 |
commit | 892a9e4c99f13e295f6146b41e72b92b91899a12 (patch) | |
tree | 8b489cf82bad1b4bcb6b66083c78739c83125584 | |
parent | 396e72096589593cb00412c85170c7ec87d13b89 (diff) |
Disallow setting more than one IP address with SSL_add1_host()
The X509_VERIFY_PARAM can only take a single IP address, although it can
have multiple hostnames. When SSL_add1_host() is given an IP address,
don't accept it if there is already one configured.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9201)
-rw-r--r-- | ssl/ssl_lib.c | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index a31d2dd2ff..3f621d5677 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -967,8 +967,27 @@ int SSL_add1_host(SSL *s, const char *hostname) { /* If a hostname is provided and parses as an IP address, * treat it as such. */ - if (hostname && X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname) == 1) - return 1; + if (hostname) + { + ASN1_OCTET_STRING *ip; + char *old_ip; + + ip = a2i_IPADDRESS(hostname); + if (ip) { + /* We didn't want it; only to check if it *is* an IP address */ + ASN1_OCTET_STRING_free(ip); + + old_ip = X509_VERIFY_PARAM_get1_ip_asc(s->param); + if (old_ip) + { + free(old_ip); + /* There can be only one IP address */ + return 0; + } + + return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname); + } + } return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0); } |