3 files changed, 61 insertions, 9 deletions

diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 5b9f490bae..02a4a3a377 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.2 2021/08/24 15:23:03 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.3 2021/10/26 09:09:53 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -63,6 +63,8 @@
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "x509_internal.h"
+
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
 static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
@@ -612,8 +614,11 @@ GENERAL_NAME *
 v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
 {
-        int type;
+        uint8_t *bytes = NULL;
         char *name, *value;
+        GENERAL_NAME *ret;
+        size_t len = 0;
+        int type;
 
         name = cnf->name;
         value = cnf->value;
@@ -643,7 +648,46 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
                 return NULL;
         }
 
-        return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
+        ret = a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
+
+        /* Validate what we have for sanity */
+        type = x509_constraints_general_to_bytes(ret, &bytes, &len);
+        switch(type) {
+        case GEN_DNS:
+                if (!x509_constraints_valid_sandns(bytes, len)) {
+                        X509V3error(X509V3_R_BAD_OBJECT);
+                        ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
+                        goto err;
+                }
+                break;
+        case GEN_URI:
+                if (!x509_constraints_uri_host(bytes, len, NULL)) {
+                        X509V3error(X509V3_R_BAD_OBJECT);
+                        ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
+                        goto err;
+                }
+                break;
+        case GEN_EMAIL:
+                if (!x509_constraints_parse_mailbox(bytes, len, NULL)) {
+                        X509V3error(X509V3_R_BAD_OBJECT);
+                        ERR_asprintf_error_data("name=%s value='%s'", name, bytes);
+                        goto err;
+                }
+                break;
+        case GEN_IPADD:
+                if (len != 4 && len != 16) {
+                        X509V3error(X509V3_R_BAD_IP_ADDRESS);
+                        ERR_asprintf_error_data("name=%s len=%zu", name, len);
+                        goto err;
+                }
+                break;
+        default:
+                break;
+        }
+        return ret;
+ err:
+        GENERAL_NAME_free(ret);
+        return NULL;
 }
 
 static int
diff --git a/src/lib/libcrypto/x509/x509_constraints.c b/src/lib/libcrypto/x509/x509_constraints.c
index db33bf1aa4..f5e1050bb1 100644
--- a/src/lib/libcrypto/x509/x509_constraints.c
+++ b/src/lib/libcrypto/x509/x509_constraints.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_constraints.c,v 1.17 2021/09/23 15:49:48 jsing Exp $ */
+/* $OpenBSD: x509_constraints.c,v 1.18 2021/10/26 09:09:53 beck Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -424,9 +424,14 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len,
             strlen(candidate_domain)))
                 goto bad;
 
-        name->local = candidate_local;
-        name->name = candidate_domain;
-        name->type = GEN_EMAIL;
+        if (name != NULL) {
+                name->local = candidate_local;
+                name->name = candidate_domain;
+                name->type = GEN_EMAIL;
+        } else {
+                free(candidate_local);
+                free(candidate_domain);
+        }
         return 1;
  bad:
         free(candidate_local);
@@ -511,7 +516,8 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart)
                 host = authority;
         if (!x509_constraints_valid_host(host, hostlen))
                 return 0;
-        *hostpart = strndup(host, hostlen);
+        if (hostpart != NULL)
+                *hostpart = strndup(host, hostlen);
         return 1;
 }
 
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h
index 8891aecb13..90fafccae0 100644
--- a/src/lib/libcrypto/x509/x509_internal.h
+++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.12 2021/09/03 08:58:53 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.13 2021/10/26 09:09:53 beck Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
  *
@@ -106,6 +106,8 @@ struct x509_constraints_names *x509_constraints_names_dup(
     struct x509_constraints_names *names);
 void x509_constraints_names_clear(struct x509_constraints_names *names);
 struct x509_constraints_names *x509_constraints_names_new(size_t names_max);
+int x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes,
+    size_t *len);
 void x509_constraints_names_free(struct x509_constraints_names *names);
 int x509_constraints_valid_host(uint8_t *name, size_t len);
 int x509_constraints_valid_sandns(uint8_t *name, size_t len);