Bring back r1.3, ok beck

Original commit message from beck:

Validate Subject Alternate Names when they are being added to certificates.

With this change we will reject adding SAN DNS, EMAIL, and IP addresses
that are malformed at certificate creation time.

ok jsing@ tb@

1 files changed, 47 insertions, 3 deletions

diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 891c7dd787..a7c1a8c6a1 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.4 2021/10/27 10:22:08 beck Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.5 2021/10/28 10:58:23 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -63,6 +63,8 @@
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "x509_internal.h"
+
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
@@ -612,8 +614,11 @@ GENERAL_NAME *
 v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
 {
-        int type;
+        uint8_t *bytes = NULL;
         char *name, *value;
+        GENERAL_NAME *ret;
+        size_t len = 0;
+        int type;
 
         name = cnf->name;
         value = cnf->value;
@@ -643,7 +648,46 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
                 return NULL;
         }
 
-        return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
+        ret = a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
+
+        /* Validate what we have for sanity */
+        type = x509_constraints_general_to_bytes(ret, &bytes, &len);
+        switch(type) {
+        case GEN_DNS:
+                if (!x509_constraints_valid_sandns(bytes, len)) {
+                        X509V3error(X509V3_R_BAD_OBJECT);
+                        ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
+                        goto err;
+                }
+                break;
+        case GEN_URI:
+                if (!x509_constraints_uri_host(bytes, len, NULL)) {
+                        X509V3error(X509V3_R_BAD_OBJECT);
+                        ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
+                        goto err;
+                }
+                break;
+        case GEN_EMAIL:
+                if (!x509_constraints_parse_mailbox(bytes, len, NULL)) {
+                        X509V3error(X509V3_R_BAD_OBJECT);
+                        ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
+                        goto err;
+                }
+                break;
+        case GEN_IPADD:
+                if (len != 4 && len != 16) {
+                        X509V3error(X509V3_R_BAD_IP_ADDRESS);
+                        ERR_asprintf_error_data("name=%s len=%zu", name, len);
+                        goto err;
+                }
+                break;
+        default:
+                break;
+        }
+        return ret;
+ err:
+        GENERAL_NAME_free(ret);
+        return NULL;
 }
 
 static int