authortb <>2022-03-26 16:34:21 +0000
committertb <>2022-03-26 16:34:21 +0000
commit62e5583bb1b862560432775b3c0765db00173fc6 (patch)
treeb479f5e5efe3b6b03f82d771d623f8ae686fc6d0 /src/lib/libcrypto/x509/x509_constraints.c
parent2ce3af26514a8bfe23e0605aa5b31dc0ab865be1 (diff)
name constraints: be more careful with NULs
An IA5STRING is a Pascal string that can have embedded NULs and is not NUL terminated (except that for legacy reasons it happens to be). Instead of taking the strlen(), use the already known ASN.1 length and use strndup() instead of strdup() to generate NUL terminated strings after some existing code has checked that there are no embedded NULs. In v2i_GENERAL_NAME_ex() use %.*s to print the bytes. This is not optimal and might be switched to using strvis() later. ok beck inoguchi jsing
Diffstat (limited to 'src/lib/libcrypto/x509/x509_constraints.c')
-rw-r--r--src/lib/libcrypto/x509/x509_constraints.c26
1 files changed, 18 insertions, 8 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index 4f24277918..533bbbf4ca 100644
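--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.25 2022/03/14 21:29:46 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.26 2022/03/26 16:34:21 tb Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -657,35 +657,45 @@ x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes,
 
  if (name->type == GEN_DNS) {
  ASN1_IA5STRING *aname = name->d.dNSName;
+
  *bytes = aname->data;
- *len = strlen(aname->data);
+ *len = aname->length;
+
  return name->type;
  }
  if (name->type == GEN_EMAIL) {
  ASN1_IA5STRING *aname = name->d.rfc822Name;
+
  *bytes = aname->data;
- *len = strlen(aname->data);
+ *len = aname->length;
+
  return name->type;
  }
  if (name->type == GEN_URI) {
  ASN1_IA5STRING *aname = name->d.uniformResourceIdentifier;
+
  *bytes = aname->data;
- *len = strlen(aname->data);
+ *len = aname->length;
+
  return name->type;
  }
  if (name->type == GEN_DIRNAME) {
  X509_NAME *dname = name->d.directoryName;
+
  if (!dname->modified || i2d_X509_NAME(dname, NULL) >= 0) {
  *bytes = dname->canon_enc;
  *len = dname->canon_enclen;
+
  return name->type;
  }
  }
  if (name->type == GEN_IPADD) {
  *bytes = name->d.ip->data;
  *len = name->d.ip->length;
+
  return name->type;
  }
+
  return 0;
 }
 
@@ -723,7 +733,7 @@ x509_constraints_extract_names(struct x509_constraints_names *names,
  *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
  goto err;
  }
- if ((vname->name = strdup(bytes)) == NULL) {
+ if ((vname->name = strndup(bytes, len)) == NULL) {
  *error = X509_V_ERR_OUT_OF_MEM;
  goto err;
  }
@@ -931,7 +941,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
  case GEN_DNS:
  if (!x509_constraints_valid_domain_constraint(bytes, len))
  goto err;
- if ((name->name = strdup(bytes)) == NULL) {
+ if ((name->name = strndup(bytes, len)) == NULL) {
  error = X509_V_ERR_OUT_OF_MEM;
  goto err;
  }
@@ -953,7 +963,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
  }
  if (!x509_constraints_valid_domain_constraint(bytes, len))
  goto err;
- if ((name->name = strdup(bytes)) == NULL) {
+ if ((name->name = strndup(bytes, len)) == NULL) {
  error = X509_V_ERR_OUT_OF_MEM;
  goto err;
  }
@@ -973,7 +983,7 @@ x509_constraints_validate(GENERAL_NAME *constraint,
  case GEN_URI:
  if (!x509_constraints_valid_domain_constraint(bytes, len))
  goto err;
- if ((name->name = strdup(bytes)) == NULL) {
+ if ((name->name = strndup(bytes, len)) == NULL) {
  error = X509_V_ERR_OUT_OF_MEM;
  goto err;
  }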
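Review bot: The four `strndup(bytes, len)` calls (one in x509_constraints_extract_names(), three in x509_constraints_validate()) still stop copying at the first NUL, so the stored name is `len` bytes long only if an earlier check has already rejected embedded NULs, and nothing at the call sites records that dependency. In the hunks the only visible guards are the preceding `x509_constraints_valid_domain_constraint(bytes, len)` calls and, in extract_names, a check whose condition lies above the hunk; whether they reject NULs cannot be confirmed from here. Because x509_constraints_general_to_bytes() now reports the ASN.1 length for the DNS, e-mail and URI branches, I would add a contract comment on it such as `/* *bytes is length-delimited, may contain NULs and must not be used as a C string */`. I would also put a short note at each strndup() site, e.g. `/* embedded NULs were rejected above, so this copies all len bytes */`. All three functions begin outside the shown hunks, so any other consumer of `bytes` that still assumes a C string is not visible here and should be checked.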