Fix URI name constraints, allow for URI's with no host part.

Such uri's must be parsed and allowed, but then should fail if a name constraint is present. Adds regress testing for this same case. fixes https://github.com/libressl-portable/openbsd/issues/131 ok tb@
author: beck <> 2022-06-26 11:29:27 +0000
committer: beck <> 2022-06-26 11:29:27 +0000
commit: 04f7297a7faf857871e10ce5e829cddc1dbf3520 (patch)
tree: 659f220f36929b63f8bc5482faaa8908a2b22744 /src
parent: e22e2d01b34150cb73fe804f8eeacacdc7165c20 (diff)
download: openbsd-04f7297a7faf857871e10ce5e829cddc1dbf3520.tar.gz
openbsd-04f7297a7faf857871e10ce5e829cddc1dbf3520.tar.bz2
openbsd-04f7297a7faf857871e10ce5e829cddc1dbf3520.zip
2 files changed, 38 insertions, 3 deletions
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index 533bbbf4ca..c68f282a05 100644
--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.26 2022/03/26 16:34:21 tb Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.27 2022/06/26 11:29:27 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -489,8 +489,17 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart)
                        break;
                }
        }
-        if (authority == NULL)
+        if (authority == NULL) {
-                return 0;
+                /*
+                 * There is no authority, so no host part in this
+                 * URI. This might be ok or might not, but it must
+                 * fail if we run into a name constraint later, so
+                 * we indicate that we have a URI with an empty
+                 * host part, and succeed.
+                 */
+                *hostpart = strdup("");
+                return 1;
+        }
        for (i = authority - uri; i < len; i++) {
                if (!isascii(uri[i]))
                        return 0;
diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c
index b552f30989..d4867a362c 100644
--- a/src/regress/lib/libcrypto/x509/constraints.c
+++ b/src/regress/lib/libcrypto/x509/constraints.c
@@ -397,6 +397,10 @@ test_constraints1(void)
                "",
                NULL,
        };
+        unsigned char *noauthority[] = {
+                "urn:open62541.server.application",
+                NULL,
+        };
        for (i = 0; constraints[i] != NULL; i++) {
                char *constraint = constraints[i];
                size_t clen = strlen(constraints[i]);
@@ -442,6 +446,28 @@ test_constraints1(void)
                                goto done;
                        }
                }
+                for (j = 0; noauthority[j] != NULL; j++) {
+                        error = 0;
+                        char *hostpart = NULL;
+                        if (!x509_constraints_uri_host(noauthority[j],
+                                strlen(noauthority[j]), &hostpart)) {
+                                FAIL("name '%s' should parse as a URI",
+                                    noauthority[j]);
+                                failure = 1;
+                                free(hostpart);
+                                goto done;
+                        }
+                        free(hostpart);
+                        if (x509_constraints_uri(noauthority[j],
+                            strlen(noauthority[j]), constraint, clen, &error)) {
+                                FAIL("constraint '%s' should not have matched URI"
+                                    " '%s' (error %d)\n",
+                                    constraint, failinguri[j], error);
+                                failure = 1;
+                                goto done;
+                        }
+                }
        }
        c = ".openbsd.org";
        cl = strlen(".openbsd.org");
author	beck <>	2022-06-26 11:29:27 +0000
committer	beck <>	2022-06-26 11:29:27 +0000
commit	04f7297a7faf857871e10ce5e829cddc1dbf3520 (patch)
tree	659f220f36929b63f8bc5482faaa8908a2b22744 /src
parent	e22e2d01b34150cb73fe804f8eeacacdc7165c20 (diff)
download	openbsd-04f7297a7faf857871e10ce5e829cddc1dbf3520.tar.gz openbsd-04f7297a7faf857871e10ce5e829cddc1dbf3520.tar.bz2 openbsd-04f7297a7faf857871e10ce5e829cddc1dbf3520.zip

diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c index 533bbbf4ca..c68f282a05 100644 --- a/src/lib/libcrypto/x509/x509_constraints.c +++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_constraints.c,v 1.26 2022/03/26 16:34:21 tb Exp $ */	1	/* $OpenBSD: x509_constraints.c,v 1.27 2022/06/26 11:29:27 beck Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -489,8 +489,17 @@ x509_constraints_uri_host(uint8_t uri, size_t len, char *hostpart)
489	break;	489	break;
490	}	490	}
491	}	491	}
492	if (authority == NULL)	492	if (authority == NULL) {
493	return 0;	493	/*
		494	* There is no authority, so no host part in this
		495	* URI. This might be ok or might not, but it must
		496	* fail if we run into a name constraint later, so
		497	* we indicate that we have a URI with an empty
		498	* host part, and succeed.
		499	*/
		500	*hostpart = strdup("");
		501	return 1;
		502	}
494	for (i = authority - uri; i < len; i++) {	503	for (i = authority - uri; i < len; i++) {
495	if (!isascii(uri[i]))	504	if (!isascii(uri[i]))
496	return 0;	505	return 0;


diff --git a/src/regress/lib/libcrypto/x509/constraints.c b/src/regress/lib/libcrypto/x509/constraints.c index b552f30989..d4867a362c 100644 --- a/src/regress/lib/libcrypto/x509/constraints.c +++ b/src/regress/lib/libcrypto/x509/constraints.c
@@ -397,6 +397,10 @@ test_constraints1(void)
397	"",	397	"",
398	NULL,	398	NULL,
399	};	399	};
		400	unsigned char *noauthority[] = {
		401	"urn:open62541.server.application",
		402	NULL,
		403	};
400	for (i = 0; constraints[i] != NULL; i++) {	404	for (i = 0; constraints[i] != NULL; i++) {
401	char *constraint = constraints[i];	405	char *constraint = constraints[i];
402	size_t clen = strlen(constraints[i]);	406	size_t clen = strlen(constraints[i]);
@@ -442,6 +446,28 @@ test_constraints1(void)
442	goto done;	446	goto done;
443	}	447	}
444	}	448	}
		449	for (j = 0; noauthority[j] != NULL; j++) {
		450	error = 0;
		451	char *hostpart = NULL;
		452	if (!x509_constraints_uri_host(noauthority[j],
		453	strlen(noauthority[j]), &hostpart)) {
		454	FAIL("name '%s' should parse as a URI",
		455	noauthority[j]);
		456	failure = 1;
		457	free(hostpart);
		458	goto done;
		459	}
		460	free(hostpart);
		461
		462	if (x509_constraints_uri(noauthority[j],
		463	strlen(noauthority[j]), constraint, clen, &error)) {
		464	FAIL("constraint '%s' should not have matched URI"
		465	" '%s' (error %d)\n",
		466	constraint, failinguri[j], error);
		467	failure = 1;
		468	goto done;
		469	}
		470	}
445	}	471	}
446	c = ".openbsd.org";	472	c = ".openbsd.org";
447	cl = strlen(".openbsd.org");	473	cl = strlen(".openbsd.org");