diff options
| -rw-r--r-- | src/lib/libcrypto/x509/x509_alt.c | 11 | ||||
| -rw-r--r-- | src/lib/libcrypto/x509/x509_constraints.c | 26 |
2 files changed, 25 insertions, 12 deletions
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c index 845ab1364f..8656df82b3 100644 --- a/src/lib/libcrypto/x509/x509_alt.c +++ b/src/lib/libcrypto/x509/x509_alt.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_alt.c,v 1.11 2022/03/14 21:15:49 tb Exp $ */ | 1 | /* $OpenBSD: x509_alt.c,v 1.12 2022/03/26 16:34:21 tb Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project. | 3 | * project. |
| 4 | */ | 4 | */ |
| @@ -673,21 +673,24 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, | |||
| 673 | case GEN_DNS: | 673 | case GEN_DNS: |
| 674 | if (!x509_constraints_valid_sandns(bytes, len)) { | 674 | if (!x509_constraints_valid_sandns(bytes, len)) { |
| 675 | X509V3error(X509V3_R_BAD_OBJECT); | 675 | X509V3error(X509V3_R_BAD_OBJECT); |
| 676 | ERR_asprintf_error_data("name=%s value='%s'", name, bytes); | 676 | ERR_asprintf_error_data("name=%s value='%.*s'", name, |
| 677 | (int)len, bytes); | ||
| 677 | goto err; | 678 | goto err; |
| 678 | } | 679 | } |
| 679 | break; | 680 | break; |
| 680 | case GEN_URI: | 681 | case GEN_URI: |
| 681 | if (!x509_constraints_uri_host(bytes, len, NULL)) { | 682 | if (!x509_constraints_uri_host(bytes, len, NULL)) { |
| 682 | X509V3error(X509V3_R_BAD_OBJECT); | 683 | X509V3error(X509V3_R_BAD_OBJECT); |
| 683 | ERR_asprintf_error_data("name=%s value='%s'", name, bytes); | 684 | ERR_asprintf_error_data("name=%s value='%.*s'", name, |
| 685 | (int)len, bytes); | ||
| 684 | goto err; | 686 | goto err; |
| 685 | } | 687 | } |
| 686 | break; | 688 | break; |
| 687 | case GEN_EMAIL: | 689 | case GEN_EMAIL: |
| 688 | if (!x509_constraints_parse_mailbox(bytes, len, NULL)) { | 690 | if (!x509_constraints_parse_mailbox(bytes, len, NULL)) { |
| 689 | X509V3error(X509V3_R_BAD_OBJECT); | 691 | X509V3error(X509V3_R_BAD_OBJECT); |
| 690 | ERR_asprintf_error_data("name=%s value='%s'", name, bytes); | 692 | ERR_asprintf_error_data("name=%s value='%.*s'", name, |
| 693 | (int)len, bytes); | ||
| 691 | goto err; | 694 | goto err; |
| 692 | } | 695 | } |
| 693 | break; | 696 | break; |
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c index 4f24277918..533bbbf4ca 100644 --- a/src/lib/libcrypto/x509/x509_constraints.c +++ b/src/lib/libcrypto/x509/x509_constraints.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_constraints.c,v 1.25 2022/03/14 21:29:46 tb Exp $ */ | 1 | /* $OpenBSD: x509_constraints.c,v 1.26 2022/03/26 16:34:21 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> | 3 | * Copyright (c) 2020 Bob Beck <beck@openbsd.org> |
| 4 | * | 4 | * |
| @@ -657,35 +657,45 @@ x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, | |||
| 657 | 657 | ||
| 658 | if (name->type == GEN_DNS) { | 658 | if (name->type == GEN_DNS) { |
| 659 | ASN1_IA5STRING *aname = name->d.dNSName; | 659 | ASN1_IA5STRING *aname = name->d.dNSName; |
| 660 | |||
| 660 | *bytes = aname->data; | 661 | *bytes = aname->data; |
| 661 | *len = strlen(aname->data); | 662 | *len = aname->length; |
| 663 | |||
| 662 | return name->type; | 664 | return name->type; |
| 663 | } | 665 | } |
| 664 | if (name->type == GEN_EMAIL) { | 666 | if (name->type == GEN_EMAIL) { |
| 665 | ASN1_IA5STRING *aname = name->d.rfc822Name; | 667 | ASN1_IA5STRING *aname = name->d.rfc822Name; |
| 668 | |||
| 666 | *bytes = aname->data; | 669 | *bytes = aname->data; |
| 667 | *len = strlen(aname->data); | 670 | *len = aname->length; |
| 671 | |||
| 668 | return name->type; | 672 | return name->type; |
| 669 | } | 673 | } |
| 670 | if (name->type == GEN_URI) { | 674 | if (name->type == GEN_URI) { |
| 671 | ASN1_IA5STRING *aname = name->d.uniformResourceIdentifier; | 675 | ASN1_IA5STRING *aname = name->d.uniformResourceIdentifier; |
| 676 | |||
| 672 | *bytes = aname->data; | 677 | *bytes = aname->data; |
| 673 | *len = strlen(aname->data); | 678 | *len = aname->length; |
| 679 | |||
| 674 | return name->type; | 680 | return name->type; |
| 675 | } | 681 | } |
| 676 | if (name->type == GEN_DIRNAME) { | 682 | if (name->type == GEN_DIRNAME) { |
| 677 | X509_NAME *dname = name->d.directoryName; | 683 | X509_NAME *dname = name->d.directoryName; |
| 684 | |||
| 678 | if (!dname->modified || i2d_X509_NAME(dname, NULL) >= 0) { | 685 | if (!dname->modified || i2d_X509_NAME(dname, NULL) >= 0) { |
| 679 | *bytes = dname->canon_enc; | 686 | *bytes = dname->canon_enc; |
| 680 | *len = dname->canon_enclen; | 687 | *len = dname->canon_enclen; |
| 688 | |||
| 681 | return name->type; | 689 | return name->type; |
| 682 | } | 690 | } |
| 683 | } | 691 | } |
| 684 | if (name->type == GEN_IPADD) { | 692 | if (name->type == GEN_IPADD) { |
| 685 | *bytes = name->d.ip->data; | 693 | *bytes = name->d.ip->data; |
| 686 | *len = name->d.ip->length; | 694 | *len = name->d.ip->length; |
| 695 | |||
| 687 | return name->type; | 696 | return name->type; |
| 688 | } | 697 | } |
| 698 | |||
| 689 | return 0; | 699 | return 0; |
| 690 | } | 700 | } |
| 691 | 701 | ||
| @@ -723,7 +733,7 @@ x509_constraints_extract_names(struct x509_constraints_names *names, | |||
| 723 | *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; | 733 | *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; |
| 724 | goto err; | 734 | goto err; |
| 725 | } | 735 | } |
| 726 | if ((vname->name = strdup(bytes)) == NULL) { | 736 | if ((vname->name = strndup(bytes, len)) == NULL) { |
| 727 | *error = X509_V_ERR_OUT_OF_MEM; | 737 | *error = X509_V_ERR_OUT_OF_MEM; |
| 728 | goto err; | 738 | goto err; |
| 729 | } | 739 | } |
| @@ -931,7 +941,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, | |||
| 931 | case GEN_DNS: | 941 | case GEN_DNS: |
| 932 | if (!x509_constraints_valid_domain_constraint(bytes, len)) | 942 | if (!x509_constraints_valid_domain_constraint(bytes, len)) |
| 933 | goto err; | 943 | goto err; |
| 934 | if ((name->name = strdup(bytes)) == NULL) { | 944 | if ((name->name = strndup(bytes, len)) == NULL) { |
| 935 | error = X509_V_ERR_OUT_OF_MEM; | 945 | error = X509_V_ERR_OUT_OF_MEM; |
| 936 | goto err; | 946 | goto err; |
| 937 | } | 947 | } |
| @@ -953,7 +963,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, | |||
| 953 | } | 963 | } |
| 954 | if (!x509_constraints_valid_domain_constraint(bytes, len)) | 964 | if (!x509_constraints_valid_domain_constraint(bytes, len)) |
| 955 | goto err; | 965 | goto err; |
| 956 | if ((name->name = strdup(bytes)) == NULL) { | 966 | if ((name->name = strndup(bytes, len)) == NULL) { |
| 957 | error = X509_V_ERR_OUT_OF_MEM; | 967 | error = X509_V_ERR_OUT_OF_MEM; |
| 958 | goto err; | 968 | goto err; |
| 959 | } | 969 | } |
| @@ -973,7 +983,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, | |||
| 973 | case GEN_URI: | 983 | case GEN_URI: |
| 974 | if (!x509_constraints_valid_domain_constraint(bytes, len)) | 984 | if (!x509_constraints_valid_domain_constraint(bytes, len)) |
| 975 | goto err; | 985 | goto err; |
| 976 | if ((name->name = strdup(bytes)) == NULL) { | 986 | if ((name->name = strndup(bytes, len)) == NULL) { |
| 977 | error = X509_V_ERR_OUT_OF_MEM; | 987 | error = X509_V_ERR_OUT_OF_MEM; |
| 978 | goto err; | 988 | goto err; |
| 979 | } | 989 | } |