authorbeck <beck@openbsd.org>2015-09-11 13:12:29 +0000
committerbeck <beck@openbsd.org>2015-09-11 13:12:29 +0000
commite6171fc492ae018e85da5fd26c508430e4d6fa36 (patch)
tree41fef00d8221abe64ff93c9d1122d6252c6d2787 /lib/libtls/tls_verify.c
parentregress test that we do not allow a wildcard match for ".openbsd.org" (diff)
Do not match a wildcard against a name with no host part.
ok jsing@
Diffstat (limited to 'lib/libtls/tls_verify.c')
-rw-r--r--lib/libtls/tls_verify.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index c6f29c897d0..9a0f97eadaf 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.12 2015/09/11 12:56:55 beck Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.13 2015/09/11 13:12:29 beck Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
*
@@ -69,6 +69,9 @@ tls_match_name(const char *cert_name, const char *name)
domain = strchr(name, '.');
+ /* No wildcard match against a name with no host part. */
+ if (name[0] == '.')
+ return -1;
/* No wildcard match against a name with no domain part. */
if (domain == NULL || strlen(domain) == 1)
return -1;
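Review bot: The comment on the new `name[0] == '.'` check says what is rejected but not why the existing domain check misses it. When `name` starts with a dot, `strchr(name, '.')` returns `name` itself, so `domain` is the whole string and passes the `domain == NULL || strlen(domain) == 1` test unchanged. Presumably the comparison against the certificate's wildcard domain further down (outside this hunk) would then accept a name with an empty leftmost label. I would record that in the comment, e.g. `/* A leading '.' makes domain == name, so "*.example.org" would match ".example.org". */`. tls_match_name's body starts and ends outside the hunk, so the later comparison should be confirmed against the full function.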