authorTheo Buehler <tb@cvs.openbsd.org>2022-02-11 17:41:56 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2022-02-11 17:41:56 +0000
commitf79be63d6ce95a7d4c7ecab94a385948a6a7b197 (patch)
tree613f04e8fa227e44bcb6384534c0dda8bf71dad4 /lib/libcrypto
parent27bf6a2f2cc0ffac7a65a7e91fde522780032876 (diff)
Fix length check of IP addresses for name constraints
An IP address in a name constraint is actually an IP address concatenated with a netmask, so it is twice as long as usual. This fixes a third bug introduced in r1.3, reported by Volker Schlecht. ok jsing
Diffstat (limited to 'lib/libcrypto')
-rw-r--r--lib/libcrypto/x509/x509_alt.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libcrypto/x509/x509_alt.c b/lib/libcrypto/x509/x509_alt.c
index 52d30f91e8b..4de6a09101e 100644
--- a/lib/libcrypto/x509/x509_alt.c
+++ b/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.7 2022/02/11 17:39:36 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.8 2022/02/11 17:41:55 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
@@ -677,7 +677,8 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
}
break;
case GEN_IPADD:
- if (len != 4 && len != 16) {
+ if ((!is_nc && len != 4 && len != 16) ||
+ (is_nc && len != 8 && len != 32)) {
X509V3error(X509V3_R_BAD_IP_ADDRESS);
ERR_asprintf_error_data("name=%s len=%zu", name, len);
goto err;
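Review bot: The rewritten GEN_IPADD length check is correct but reads as a double negation over two branches, and nothing on the spot says why a name constraint is 8 or 32 bytes; a comment above the `if` would spare the next reader a trip to the RFC: `/* A name constraint is an address followed by a netmask of the same size (RFC 5280, 4.2.1.10): 8 bytes for IPv4, 32 for IPv6. */`. Note that only the total length is validated here; whether the mask half is a contiguous run of 1 bits, as RFC 5280 requires, is not checked in this hunk, and since `len` and the buffer are produced outside it I cannot tell whether that happens elsewhere — worth confirming rather than assuming. v2i_GENERAL_NAME_ex begins before this hunk and its switch continues past it.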