summaryrefslogtreecommitdiff
path: root/lib/libssl
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2020-05-24 15:13:23 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2020-05-24 15:13:23 +0000
commit8028ef169eb5c90707882110920b90b301c7a0d4 (patch)
tree131e5ebcbcff9a603f8801df355b606ca1bb1e04 /lib/libssl
parent7b6dbbd7ff370a2466fbe950c496721aeac3fff3 (diff)
Fix some stylistic nits from jsing.
ok jsing
Diffstat (limited to 'lib/libssl')
-rw-r--r--lib/libssl/ssl_tlsext.c19
1 files changed, 11 insertions, 8 deletions
diff --git a/lib/libssl/ssl_tlsext.c b/lib/libssl/ssl_tlsext.c
index 2184e65a2c0..e6e0e7a92d6 100644
--- a/lib/libssl/ssl_tlsext.c
+++ b/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.72 2020/05/23 17:13:24 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.73 2020/05/24 15:13:22 tb Exp $ */
/*
* Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -17,9 +17,10 @@
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-#include <openssl/ocsp.h>
#include <ctype.h>
+#include <openssl/ocsp.h>
+
#include "ssl_locl.h"
#include "bytestring.h"
@@ -674,8 +675,8 @@ tlsext_sni_client_build(SSL *s, CBB *cbb)
}
/*
- * Does the CBS contain only of a hostname consisting of RFC 5890
- * compliant A-labels? (see RFC 6066 section 3). Not a complete check
+ * Validate that the CBS contains only a hostname consisting of RFC 5890
+ * compliant A-labels (see RFC 6066 section 3). Not a complete check
* since we don't parse punycode to verify its validity but limits to
* correct structure and character set.
*/
@@ -686,10 +687,11 @@ tlsext_sni_is_valid_hostname(CBS *cbs)
int component = 0;
CBS hostname;
- if (CBS_len(cbs) > TLSEXT_MAXLEN_host_name)
+ CBS_dup(cbs, &hostname);
+
+ if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name)
return 0;
- CBS_dup(cbs, &hostname);
while(CBS_len(&hostname) > 0) {
prev = c;
if (!CBS_get_u8(&hostname, &c))
@@ -698,7 +700,7 @@ tlsext_sni_is_valid_hostname(CBS *cbs)
if (!isascii(c) || c == '\0')
return 0;
/* It must be alphanumeric, a '-', or a '.' */
- if (!(isalnum(c) || c == '-' || c == '.'))
+ if (!isalnum(c) && c != '-' && c != '.')
return 0;
/* '-' and '.' must not start a component or be at the end. */
if (component == 0 || CBS_len(&hostname) == 0) {
@@ -717,6 +719,7 @@ tlsext_sni_is_valid_hostname(CBS *cbs)
if (++component > 63)
return 0;
}
+
return 1;
}
@@ -748,7 +751,7 @@ tlsext_sni_server_parse(SSL *s, CBS *cbs, int *alert)
* RFC 6066 section 3 specifies a host name must be at least 1 byte
* so 0 length is a decode error.
*/
- if (CBS_len(&host_name) == 0)
+ if (CBS_len(&host_name) < 1)
goto err;
if (!tlsext_sni_is_valid_hostname(&host_name)) {